CodeMirror/appwrite
1
0
Fork 0
mirror of synced 2024-09-28 15:31:43 +12:00
Code Issues Projects Releases Wiki Activity

fix: update abuse-key for mfa challenge endpoints

Browse source 
Because the key was not specific enough, when one user triggered the
rate limit, all users were affected.
This commit is contained in:
Steven Nguyen 2024-09-09 14:10:58 +00:00 committed by GitHub
parent 923252ea05
commit 9febb06052
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
app/controllers/api/account.php
View file

@ -4018,7 +4018,7 @@ App::post('/v1/account/mfa/challenge')
->label('sdk.response.type', Response::CONTENT_TYPE_JSON) ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
->label('sdk.response.model', Response::MODEL_MFA_CHALLENGE) ->label('sdk.response.model', Response::MODEL_MFA_CHALLENGE)
->label('abuse-limit', 10) ->label('abuse-limit', 10)
->label('abuse-key', 'url:{url},token:{param-token}') ->label('abuse-key', 'url:{url},userId:{userId}')
->param('factor', '', new WhiteList([Type::EMAIL, Type::PHONE, Type::TOTP, Type::RECOVERY_CODE]), 'Factor used for verification. Must be one of following: `' . Type::EMAIL . '`, `' . Type::PHONE . '`, `' . Type::TOTP . '`, `' . Type::RECOVERY_CODE . '`.') ->param('factor', '', new WhiteList([Type::EMAIL, Type::PHONE, Type::TOTP, Type::RECOVERY_CODE]), 'Factor used for verification. Must be one of following: `' . Type::EMAIL . '`, `' . Type::PHONE . '`, `' . Type::TOTP . '`, `' . Type::RECOVERY_CODE . '`.')
->inject('response') ->inject('response')
->inject('dbForProject') ->inject('dbForProject')
@ -4205,7 +4205,7 @@ App::put('/v1/account/mfa/challenge')
->label('sdk.response.code', Response::STATUS_CODE_NOCONTENT) ->label('sdk.response.code', Response::STATUS_CODE_NOCONTENT)
->label('sdk.response.model', Response::MODEL_SESSION) ->label('sdk.response.model', Response::MODEL_SESSION)
->label('abuse-limit', 10) ->label('abuse-limit', 10)
->label('abuse-key', 'userId:{param-userId}') ->label('abuse-key', 'url:{url},challengeId:{param-challengeId}')
->param('challengeId', '', new Text(256), 'ID of the challenge.') ->param('challengeId', '', new Text(256), 'ID of the challenge.')
->param('otp', '', new Text(256), 'Valid verification token.') ->param('otp', '', new Text(256), 'Valid verification token.')
->inject('project') ->inject('project')