[WEB-7946] fix: add rate limiting to email/password sign-in and sign-up endpoints#9335

Open
mguptahub wants to merge 1 commit into
previewfrom
web-7946/password-auth-rate-limiting

Conversation

@mguptahub

@mguptahub mguptahub commented Jun 30, 2026

Collaborator

Summary

Fixes GHSA-349j-pjw5-67q4 — email/password sign-in and sign-up endpoints had no rate limiting, allowing unlimited credential guesses (brute-force / credential stuffing).

  • All four password auth views extend django.views.View, so DRF's global AnonRateThrottle never applied to them
  • Unlike the magic-code views (MagicSignInEndpoint, MagicGenerateEndpoint), none of the password views called authentication_throttle_allows()
  • This allowed unlimited password guesses at full server speed with no friction

Fix: Add authentication_throttle_allows(request) at the very top of all four post() methods — before any DB access — using the same AuthenticationThrottle that already guards the magic-code endpoints.

Files changed

  • apps/api/plane/authentication/views/app/email.py: SignInAuthEndpoint, SignUpAuthEndpoint
  • apps/api/plane/authentication/views/space/email.py: SignInAuthSpaceEndpoint, SignUpAuthSpaceEndpoint

Behaviour

  • On rate-limit: redirects to the auth error page with RATE_LIMIT_EXCEEDED — consistent with all other throttled auth endpoints
  • Default limit: 10 requests/minute per IP (same as magic-code; configurable via AUTHENTICATION_RATE_LIMIT env var)
  • The throttle check runs before the instance DB query, so load is minimised during a brute-force attack

Test plan

  • Normal sign-in succeeds on the first attempt
  • After >10 rapid POSTs in a minute, subsequent attempts receive a RATE_LIMIT_EXCEEDED redirect
  • Same applies to sign-up, spaces/sign-in, spaces/sign-up
  • After the window resets, sign-in succeeds again

Co-authored-by: Plane AI <noreply@plane.so>

Summary by CodeRabbit

  • Bug Fixes
    • Added request rate limiting to email sign-in and sign-up flows.
    • Users who exceed the limit are now redirected safely with a clear authentication error, instead of continuing through the login or registration process.
    • Rate-limit checks now happen earlier in the flow, helping prevent unnecessary processing when requests are blocked.

All four password authentication views (app sign-in, app sign-up, space
sign-in, space sign-up) extended django.views.View, so DRF's global
AnonRateThrottle never ran and the endpoints accepted unlimited credential
guesses with no friction (brute-force / credential stuffing, GHSA-349j).

Add authentication_throttle_allows(request) at the top of each post()
method — before any DB access — using the same AuthenticationThrottle
already guarding the magic-code views. On rejection the view redirects with
RATE_LIMIT_EXCEEDED, consistent with all other throttled auth endpoints.
Default limit remains 10/minute, overridable via AUTHENTICATION_RATE_LIMIT.

Co-authored-by: Plane AI <noreply@plane.so>
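The guard pattern the description and commit message lay out (throttle check as the first statement of post(), before any DB access; 10/minute per IP, overridable via AUTHENTICATION_RATE_LIMIT; redirect with RATE_LIMIT_EXCEEDED), replayed against the PR's own test plan. This is an added example, not Plane's code: AuthenticationThrottle, UserStore, the request dict, the injected clock, the INVALID_CREDENTIALS code and the fixture account are simplified stand-ins for Plane's DRF throttle, Django models and request objects.

```python
import os
from collections import defaultdict

RATE_LIMIT_EXCEEDED = "RATE_LIMIT_EXCEEDED"  # error code the PR redirects with


class AuthenticationThrottle:
    """Stand-in for Plane's AuthenticationThrottle: per-IP sliding 60 s window,
    limit from AUTHENTICATION_RATE_LIMIT (default 10/minute, as the PR states)."""
    def __init__(self, now, limit=None):
        self.limit = int(os.environ.get("AUTHENTICATION_RATE_LIMIT", "10")) if limit is None else limit
        self.now = now  # clock function, injected so the window reset can be replayed
        self.hits = defaultdict(list)  # ip -> timestamps of allowed requests

    def allows(self, request):
        t = self.now()
        recent = [h for h in self.hits[request["ip"]] if t - h < 60]
        allowed = len(recent) < self.limit
        if allowed:
            recent.append(t)  # rejected requests are not recorded
        self.hits[request["ip"]] = recent
        return allowed


class UserStore:
    """Constructed stand-in for the DB; counts lookups to show throttled requests never reach it."""
    queries = 0
    def check(self, email, password):
        self.queries += 1
        return (email, password) == ("user@example.com", "correct horse")  # fixture account


def sign_in_post(request, throttle, store):
    """Shape of the fixed post(): the throttle check runs before any DB access."""
    if not throttle.allows(request):
        return ("redirect", RATE_LIMIT_EXCEEDED)  # to the auth error page
    if not store.check(request["data"]["email"], request["data"]["password"]):
        return ("redirect", "INVALID_CREDENTIALS")  # constructed stand-in code
    return ("ok", request["data"]["email"])


def run_burst(n, limit=None):
    """Replay the PR's test plan from one IP: n rapid POSTs, then the minute elapses.
    Returns (first result, throttled count, DB queries during the burst, result after)."""
    clock, store = [1_000.0], UserStore()
    throttle = AuthenticationThrottle(now=lambda: clock[0], limit=limit)
    req = {"ip": "203.0.113.7", "data": {"email": "user@example.com", "password": "correct horse"}}
    results = [sign_in_post(req, throttle, store) for _ in range(n)]
    throttled = sum(r == ("redirect", RATE_LIMIT_EXCEEDED) for r in results)
    burst_queries = store.queries
    clock[0] += 61  # the window has passed
    return results[0], throttled, burst_queries, sign_in_post(req, throttle, store)
```

The DB query count during the burst equals the configured limit, which is the "load is minimised during a brute-force attack" property the Behaviour section claims for checking the throttle before the instance query.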
Copilot AI review requested due to automatic review settings June 30, 2026 06:36

Copilot AI left a comment

Contributor


Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@makeplane

makeplane Bot commented Jun 30, 2026


Linked to Plane Work Item(s)

This comment was auto-generated by Plane

@mguptahub mguptahub self-assigned this Jun 30, 2026
@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 65365a93-c6d1-42b4-84f0-377c944fedaf

📥 Commits

Reviewing files that changed from the base of the PR and between 90ae845 and 8d51f70.

📒 Files selected for processing (2)
  • apps/api/plane/authentication/views/app/email.py
  • apps/api/plane/authentication/views/space/email.py

📝 Walkthrough

Walkthrough

Rate limiting is added to email/password authentication endpoints in both the app and space views. Each post() handler now calls authentication_throttle_allows before any instance configuration or database access; if throttled, it constructs a RATE_LIMIT_EXCEEDED AuthenticationException and returns an HttpResponseRedirect to a safe URL.

Changes

Email Auth Rate Limiting

  • App email sign-in and sign-up rate-limit guards (apps/api/plane/authentication/views/app/email.py): imports authentication_throttle_allows and inserts early throttle checks in SignInAuthEndpoint.post() and SignUpAuthEndpoint.post(), redirecting with RATE_LIMIT_EXCEEDED before any instance or DB access.
  • Space email sign-in and sign-up rate-limit guards (apps/api/plane/authentication/views/space/email.py): applies the same throttle check/redirect pattern to SignInAuthSpaceEndpoint.post() and SignUpAuthSpaceEndpoint.post().

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • makeplane/plane#9130: Adds the same authentication_throttle_allows redirect-based rate-limit guard pattern to magic link auth endpoints, directly parallel to this PR's email endpoint changes.

Suggested reviewers

  • pablohashescobar
  • dheeru0198

🐇 Four endpoints now check the rate,
Before DB or instance, they wait!
If throttled, redirect,
RATE_LIMIT_EXCEEDED is set,
Safe URLs guard every auth gate! ✉️

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage ⚠️ Warning: Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Title check ✅ Passed: The title is concise and accurately summarizes the main change: adding rate limiting to email/password sign-in and sign-up endpoints.
  • Description check ✅ Passed: The description is detailed and covers the change summary, files, behavior, and test plan, though the Type of Change section is not filled.
  • Linked Issues check ✅ Passed: Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check ✅ Passed: Check skipped because no linked issues were found for this pull request.

@mguptahub mguptahub removed their assignment Jul 3, 2026