From efb6018246b7c063ca12e80e9ceb2a6a1eba80e1 Mon Sep 17 00:00:00 2001
From: Shane Kilkelly
Date: Tue, 11 Sep 2018 10:31:27 +0100
Subject: [PATCH] Add a rate-limit to the email-confirm endpoint
---
services/web/app/coffee/router.coffee | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/services/web/app/coffee/router.coffee b/services/web/app/coffee/router.coffee
index 2f5bff9ab0..5bfc6b9e32 100644
--- a/services/web/app/coffee/router.coffee
+++ b/services/web/app/coffee/router.coffee
@@ -69,7 +69,6 @@ module.exports = class Router
 webRouter.get '/logout', UserController.logout
 webRouter.get '/restricted', AuthorizationMiddlewear.restricted
- webRouter.get '/account-merge/email/confirm', AccountMergeEmailController.confirmMergeFromEmail
 if Features.hasFeature('registration')
 webRouter.get '/register', UserPagesController.registerPage
@@ -345,6 +344,15 @@ module.exports = class Router
 webRouter.post '/admin/messages', AuthorizationMiddlewear.ensureUserIsSiteAdmin, AdminController.createMessage
 webRouter.post '/admin/messages/clear', AuthorizationMiddlewear.ensureUserIsSiteAdmin, AdminController.clearMessages
+ webRouter.get '/account-merge/email/confirm',
+ RateLimiterMiddlewear.rateLimit({
+ endpointName: "account-merge-email-confirm",
+ ipOnly: true,
+ maxRequests: 10
+ timeInterval: 60
+ }),
+ AccountMergeEmailController.confirmMergeFromEmail
+ privateApiRouter.get '/perfTest', (req,res)-> res.send("hello")