Add trotelling to Recovery controller
pral2a opened this issue · 0 comments
pral2a commented
Describe the bug
Looks like recovery password controller doesn't limit the number of requests, allowing someone to programatically use it to generate email spam or overload the SMTP service
To Reproduce
Steps to reproduce the behaviour:
- Go to https://www.fablabs.io/recoveries/new
- Type your email and click Reset password
- Repeat multiple times in a short period
- Check your inbox
Expected behaviour
Rate limit password resets by email to X amount per hour. Other limitation (ip) can also be used.
Additional context
The issue was reported by an unknown user at webmasters (at) fablabs.io. This is not a high priority issue.
