
security: add rate limiting and hash share link passwords#3011

Open
Fengsh0923 wants to merge 2122 commits into teableio:main from Fengsh0923:security/rate-limiting-and-share-password

Conversation

@Fengsh0923

Summary

Two security improvements found during a source code audit:

1. Rate Limiting (#3009)

  • Add @nestjs/throttler with global default (100 req/60s)
  • Stricter on auth: signin 10/min, signup 5/min, reset-password 3/min
  • Configurable via THROTTLE_TTL / THROTTLE_LIMIT env vars

2. Share Password Hashing (#3006)

  • bcrypt.compare() instead of plaintext ===
  • JWT no longer contains plaintext password, uses {shareId, nonce}
  • Backward compatible with legacy plaintext JWTs
  • Both base-share and view-share flows updated

Test Plan

  • Rate limiting triggers 429 after threshold
  • Share auth works with existing passwords
  • New JWT uses nonce (no password in payload)
  • Legacy JWT cookies still work
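The throttling policy from the summary above (global default of 100 requests per 60 s, with tighter per-route limits on the auth endpoints) as a fixed-window limiter. This is an added illustration, not code from the PR or from @nestjs/throttler; the route paths, the RateLimiter class, its in-memory store and the THROTTLE_TTL/THROTTLE_LIMIT parsing (including treating the TTL as milliseconds) are assumptions.

```typescript
// Added example, not code from the teable PR: a fixed-window limiter that
// models the @nestjs/throttler policy the PR describes (global default of
// 100 req/60 s, stricter per-route limits on the auth endpoints). Route
// paths, the RateLimiter class, its store and the env parsing are assumptions.
type Policy = { limit: number; ttlMs: number };
type Verdict = { status: 200 | 429; remaining: number; retryAfterSec: number };

// Global default, overridable via THROTTLE_TTL / THROTTLE_LIMIT as the PR
// states; treating THROTTLE_TTL as milliseconds is an assumption.
function policyFromEnv(env: Record<string, string | undefined>): Policy {
  const ttlMs = Number(env.THROTTLE_TTL ?? 60_000);
  const limit = Number(env.THROTTLE_LIMIT ?? 100);
  if (!(ttlMs > 0) || !(limit > 0)) throw new Error("THROTTLE_TTL/THROTTLE_LIMIT must be positive");
  return { limit, ttlMs };
}

// Per-route overrides from the PR description (route paths assumed).
const AUTH_POLICIES: Record<string, Policy> = {
  "/api/auth/signin": { limit: 10, ttlMs: 60_000 },
  "/api/auth/signup": { limit: 5, ttlMs: 60_000 },
  "/api/auth/reset-password": { limit: 3, ttlMs: 60_000 },
};

class RateLimiter {
  // "route|client" -> request count in the current window and the window start (ms)
  private readonly buckets = new Map<string, { count: number; windowStart: number }>();
  constructor(private readonly fallback: Policy = policyFromEnv({}),
              private readonly overrides: Record<string, Policy> = AUTH_POLICIES) {}

  policyFor(route: string): Policy {
    return this.overrides[route] ?? this.fallback;
  }

  // One request from clientKey (e.g. the client IP) to route at time now (ms).
  // Buckets are per route and per client, so a burst on signin does not use up
  // the signup budget and one client cannot exhaust the limit for everyone.
  check(clientKey: string, route: string, now: number): Verdict {
    const policy = this.policyFor(route);
    const key = `${route}|${clientKey}`;
    let bucket = this.buckets.get(key);
    if (!bucket || now - bucket.windowStart >= policy.ttlMs) {
      bucket = { count: 0, windowStart: now }; // window expired (or first seen): start a new one
      this.buckets.set(key, bucket);
    }
    bucket.count += 1;
    const retryAfterSec = Math.ceil((bucket.windowStart + policy.ttlMs - now) / 1000);
    const over = bucket.count > policy.limit; // the (limit+1)-th request in a window is refused
    return { status: over ? 429 : 200, remaining: Math.max(0, policy.limit - bucket.count), retryAfterSec };
  }
}
```

The retryAfterSec value is what a 429 response would carry in its Retry-After header; a real deployment also needs the bucket store shared across instances, which this in-memory Map does not provide.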

nichenqin and others added 30 commits December 18, 2025 17:48
* feat: enhance BaseNodeTree with ItemStatus component for app and workflow visibility

* refactor: update BaseNodeTree and QuickAction components for improved styling and layout consistency

* feat: add table update permission handling to BaseNodeTree component
* feat: template preview

* feat: add preview in template detail

* fix: remove debug code

* fix: unit test

* fix: permission.service unit test

* fix: share link view in template preview pages

* feat: more complete template preview ui

* fix: missing app actions in template

* fix: locales file conflict

* feat: template support app T1316

* feat: support jump to active node when create template

* chore: update i18n

* chore: update i18n

* perf: optimise user publish to community validation process

* fix: base export e2e fails unexpectedly

* fix: losing duplicate audit-log

* fix: publish dialog select active node error

* feat: unlock template recommended select

* feat: app in template preview

* fix: featured null and false filter fail

* fix: template detail scroll

* chore: constant template spaceId

* perf: create template should close schedule trigger workflow and authority

* fix: publish base ui error

* feat: template preview e2e

* perf: delete template old snapshot app when create new

* fix: import table date with computed data error

* fix: import base e2e

* fix: duplicate base do not turn on workflow and authority

---------

Co-authored-by: caoxing <caoxing9@gmail.com>
* fix: page router

* fix: update SQL migration to remove schema prefix from setting table

* feat: add app-related translations for multiple languages

* refactor: simplify e2e tests

* refactor: update e2e tests to use cached settings for improved performance
* fix: improve query handling in TablePage component T713

* refactor: enhance BaseNodeTree component with improved rendering logic and styling adjustments

* refactor: improve view selection logic in TablePage component
* perf: template display ui

* perf: update migration for template

* perf: generate share url T1351
* feat: add template visit count T1352

* fix: add base id for base export

* fix: template ui relative
* perf: template admin panel display relative with T1374

* fix: lint error

* fix: sharedialog open without default select nodes
teableio#2325)

* fix: correct paste misalignment when using shuffled projection

* fix: form share collaborators user fields
…cope

fix: scope lookup CTE references T1361
* fix: export base table with dbtablename

relative issueid: T1388

* fix: template sql query has no permission
teableio#2327)

* feat(ui-lib): add zoom and rotate capabilities to image preview

* feat: touch device drag

* perf(ui-lib): optimize image preview performance with ResizeObserver and dimension caching
fix: cast substitute operands to text T1361
* perf: shrink template card

relative issueid: T1380

* feat: support template reorder

relative issueid: T1379
tea-artist and others added 28 commits March 23, 2026 14:03
…bleio#2836)

Synced from teableio/teable-ee@3d8d8f8

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Aries X <caoxing9@gmail.com>
Co-authored-by: Boris <boris2code@outlook.com>
Co-authored-by: Jun Lu <hammond@teable.io>
Co-authored-by: nichenqin <nichenqin@hotmail.com>
…ables (teableio#2845)

Synced from teableio/teable-ee@8aa82c0

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Aries X <caoxing9@gmail.com>
Co-authored-by: Uno <uno@teable.ai>
Co-authored-by: nichenqin <nichenqin@hotmail.com>
…ad of Node memory (teableio#2891)

Synced from teableio/teable-ee@a256ef4

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Aries X <caoxing9@gmail.com>
Co-authored-by: Boris <boris2code@outlook.com>
Co-authored-by: Gary Guangyu Li <gary@teable.ai>
Co-authored-by: Jun Lu <hammond@teable.io>
Co-authored-by: Uno <uno@teable.ai>
Co-authored-by: nichenqin <nichenqin@hotmail.com>
…2782) (teableio#2975)

Synced from teableio/teable-ee@6486d30

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Aries X <caoxing9@gmail.com>
Co-authored-by: Boris <boris2code@outlook.com>
Co-authored-by: Gary Guangyu Li <gary@teable.ai>
Co-authored-by: Jocky-Teable <jocky@teable.ai>
Co-authored-by: Jun Lu <hammond@teable.io>
Co-authored-by: SkyHuang <sky.huang.fe@gmail.com>
Co-authored-by: Uno <uno@teable.ai>
Co-authored-by: nichenqin <nichenqin@hotmail.com>
Two security improvements:

1. **Rate Limiting** (addresses teableio#3009):
   - Add @nestjs/throttler with global default (100 req/60s)
   - Stricter limits on auth endpoints: signin (10/min), signup (5/min),
     password reset (3/min)
   - Configurable via THROTTLE_TTL and THROTTLE_LIMIT env vars

2. **Share Link Password Hashing** (addresses teableio#3006):
   - Share passwords now validated via bcrypt.compare() instead of
     plaintext comparison
   - JWT tokens no longer contain plaintext passwords; use random nonce
   - Backward compatible: legacy plaintext JWTs still accepted during
     transition period
   - Both base-share and view-share auth flows updated

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ tea-artist
❌ 沈锋

沈锋 seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

- Apply same bcrypt pattern to share/share-auth.service.ts (view-share)
- Hash passwords with bcrypt.genSalt(10) on write in base-share.service.ts
- Remove plaintext password from request object in share-auth-local.guard
- Add legacy token re-validation in view-share JWT strategy

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
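The share-link auth change described in the commit message above (hashed passwords compared in constant time, a {shareId, nonce} token instead of one carrying the password, and legacy tokens accepted only after re-validating the plaintext they carry against the stored hash), as an added example that is not code from the PR. It swaps scrypt from node:crypto in for bcrypt and an HMAC-signed base64url payload in for the project's JWT so it runs without dependencies; the signing key, the store lookup and the share ids are constructed here.

```typescript
import { createHmac, randomBytes, scryptSync, timingSafeEqual } from "crypto";

// Added example, not code from the teable PR. Models the share-link auth change
// the PR describes: stored share passwords are hashed and checked with a
// constant-time compare, and the auth token carries {shareId, nonce} instead of
// the password, while a legacy token that still carries the plaintext password
// is accepted only after re-validating it against the stored hash. Assumptions:
// scrypt stands in for bcrypt, an HMAC-signed payload stands in for the JWT.
const SIGNING_KEY = randomBytes(32); // constructed here; real code loads it from config

function hashSharePassword(password: string): string {
  const salt = randomBytes(16);
  return `scrypt$${salt.toString("hex")}$${scryptSync(password, salt, 32).toString("hex")}`;
}

// Equivalent of bcrypt.compare(): recompute with the stored salt, compare in constant time.
function verifySharePassword(password: string, stored: string): boolean {
  const [, saltHex, hashHex] = stored.split("$");
  const expected = Buffer.from(hashHex, "hex");
  const actual = scryptSync(password, Buffer.from(saltHex, "hex"), expected.length);
  return timingSafeEqual(actual, expected);
}

type LegacyPayload = { shareId: string; password: string }; // what the old token carried
type NoncePayload = { shareId: string; nonce: string }; // what the new token carries
type Payload = LegacyPayload | NoncePayload;

function sign(payload: Payload): string {
  const body = Buffer.from(JSON.stringify(payload)).toString("base64url");
  return `${body}.${createHmac("sha256", SIGNING_KEY).update(body).digest("base64url")}`;
}

// New tokens bind to a random nonce; the password never leaves the server.
function issueShareToken(shareId: string): string {
  return sign({ shareId, nonce: randomBytes(16).toString("hex") });
}

// Returns the authenticated shareId, or null. storedHashFor looks up the share's
// password hash (undefined when the share does not exist).
function validateShareToken(token: string, storedHashFor: (id: string) => string | undefined): string | null {
  const [body, mac] = token.split(".");
  if (!body || !mac) return null;
  const expectedMac = createHmac("sha256", SIGNING_KEY).update(body).digest("base64url");
  if (mac.length !== expectedMac.length || !timingSafeEqual(Buffer.from(mac), Buffer.from(expectedMac))) return null;
  const payload = JSON.parse(Buffer.from(body, "base64url").toString("utf8")) as Payload;
  const stored = storedHashFor(payload.shareId);
  if (!stored) return null;
  if ("nonce" in payload) return payload.shareId; // new-style token: a valid signature proves prior auth
  return verifySharePassword(payload.password, stored) ? payload.shareId : null; // legacy: re-check
}
```

The legacy branch is what lets cookies issued before the change keep working; once those cookies have expired it can be deleted so no code path accepts a password-bearing token at all.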
