| author | dakkar <dakkar@thenautilus.net> | 2024-07-12 11:15:58 +0100 |
|---|---|---|
| committer | dakkar <dakkar@thenautilus.net> | 2024-07-12 11:15:58 +0100 |
| commit | cced87da7f36ce6d2e57eef06f1126ef8ef72e0a (patch) | |
| tree | 9b064ed30fa703cb5e5fadd46b7e9c7489bb4261 /packages/backend/src/server/api/endpoints/i/delete-account.ts | |
| parent | remove fedidb link (diff) | |
rate limit all password checks - fixes #540
all of these endpoints require the caller to already be logged in, so
it's not really much of a security problem, but it's still safer to
limit any endpoints that can be used to guess the current password
Diffstat (limited to 'packages/backend/src/server/api/endpoints/i/delete-account.ts')
| -rw-r--r-- | packages/backend/src/server/api/endpoints/i/delete-account.ts | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/packages/backend/src/server/api/endpoints/i/delete-account.ts b/packages/backend/src/server/api/endpoints/i/delete-account.ts index af4d601ad6..565eaaafc0 100644 --- a/packages/backend/src/server/api/endpoints/i/delete-account.ts +++ b/packages/backend/src/server/api/endpoints/i/delete-account.ts @@ -11,10 +11,17 @@ import { Endpoint } from '@/server/api/endpoint-base.js'; import { DeleteAccountService } from '@/core/DeleteAccountService.js'; import { DI } from '@/di-symbols.js'; import { UserAuthService } from '@/core/UserAuthService.js'; +import ms from 'ms'; export const meta = { requireCredential: true, + limit: { + duration: ms('1hour'), + max: 10, + minInterval: ms('1sec'), + }, + secure: true, } as const; |
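Review bot: The new `limit` block on `meta` carries no explanation of why this endpoint is throttled; the reason lives only in the commit message, so a maintainer tuning `max` later will not see that the budget exists to slow guessing of the caller's current password. I would add a comment above `limit: {` such as `// this endpoint verifies the current password: throttle it so a stolen session token cannot be used to brute-force the password (#540)`. The limiter presumably keys on the user and endpoint name by default, in which case the same `duration`/`max`/`minInterval` values should be applied uniformly to the other password-checking endpoints named in the description — only this file appears in the diffstat, so that cannot be confirmed here. The `meta` object is fully inside the hunk, but the `paramDef` and the endpoint class that actually performs the password comparison lie outside it.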