Skip to content

security: rate limit password recovery requests#75

Draft
enlorik wants to merge 1 commit into
mainfrom
security/rate-limit-account-recovery
Draft

security: rate limit password recovery requests#75
enlorik wants to merge 1 commit into
mainfrom
security/rate-limit-account-recovery

Conversation

@enlorik

@enlorik enlorik commented Jul 18, 2026

Copy link
Copy Markdown
Owner

Noticed POST /forgot-password wasn't covered by the rate limit filter, so anyone could hammer it for email spam or account probing (POST /reset-password is also uncovered, but that's token consumption and deserves its own PR). Wired it into the existing bucket4j setup with its own bucket (5 submissions per 15 minutes per IP, included in the scheduled cleanup) and made the filter matching method-aware so only the POST is limited — the GET form page stays free, and login/register/verify-email behave exactly as before. Added config and filter tests for the new bucket, the 429 + Retry-After on the sixth request, and the GET bypass — mvn test went from 185 to 191 tests, all passing (0 failures, 0 errors).

@enlorik

enlorik commented Jul 18, 2026

Copy link
Copy Markdown
Owner Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. Swish!

Reviewed commit: b61894f769

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant