From cced87da7f36ce6d2e57eef06f1126ef8ef72e0a Mon Sep 17 00:00:00 2001
From: dakkar <dakkar@thenautilus.net>
Date: Fri, 12 Jul 2024 11:15:58 +0100
Subject: rate limit all password checks - fixes #540

all of these endpoints require the caller to already be logged in, so
it's not really much of a security problem, but it's still safer to
limit any endpoints that can be used to guess the current password
---
 packages/backend/src/server/api/endpoints/i/delete-account.ts | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'packages/backend/src/server/api/endpoints/i/delete-account.ts')

diff --git a/packages/backend/src/server/api/endpoints/i/delete-account.ts b/packages/backend/src/server/api/endpoints/i/delete-account.ts
index af4d601ad6..565eaaafc0 100644
--- a/packages/backend/src/server/api/endpoints/i/delete-account.ts
+++ b/packages/backend/src/server/api/endpoints/i/delete-account.ts
@@ -11,10 +11,17 @@ import { Endpoint } from '@/server/api/endpoint-base.js';
 import { DeleteAccountService } from '@/core/DeleteAccountService.js';
 import { DI } from '@/di-symbols.js';
 import { UserAuthService } from '@/core/UserAuthService.js';
+import ms from 'ms';
 
 export const meta = {
 	requireCredential: true,
 
+	limit: {
+		duration: ms('1hour'),
+		max: 10,
+		minInterval: ms('1sec'),
+	},
+
 	secure: true,
 } as const;
 
-- 
cgit v1.2.3-freya