[WEB-7946] fix: add rate limiting to email/password sign-in and sign-up endpoints #9335
mguptahub wants to merge 1 commit into
Conversation
All four password authentication views (app sign-in, app sign-up, space sign-in, space sign-up) extended django.views.View, so DRF's global AnonRateThrottle never ran and the endpoints accepted unlimited credential guesses with no friction (brute-force / credential stuffing, GHSA-349j). Add authentication_throttle_allows(request) at the top of each post() method — before any DB access — using the same AuthenticationThrottle already guarding the magic-code views. On rejection the view redirects with RATE_LIMIT_EXCEEDED, consistent with all other throttled auth endpoints. Default limit remains 10/minute, overridable via AUTHENTICATION_RATE_LIMIT. Co-authored-by: Plane AI <noreply@plane.so>
CodeRabbit: No actionable comments were generated in the recent review. (Review profile: CHILL; files selected for processing: 2.)
Walkthrough: Rate limiting is added to email/password authentication endpoints in both the app and space views.
Estimated code review effort: 2 (Simple), ~10 minutes.
Pre-merge checks: 4 passed, 1 failed (warning).
Summary
Fixes GHSA-349j-pjw5-67q4 — email/password sign-in and sign-up endpoints had no rate limiting, allowing unlimited credential guesses (brute-force / credential stuffing).
- The views extend django.views.View, so DRF's global AnonRateThrottle never applied to them
- Unlike the magic-code views (MagicSignInEndpoint, MagicGenerateEndpoint), none of the password views called authentication_throttle_allows()

Fix: Add authentication_throttle_allows(request) at the very top of all four post() methods, before any DB access, using the same AuthenticationThrottle that already guards the magic-code endpoints.

Files changed
- apps/api/plane/authentication/views/app/email.py: SignInAuthEndpoint, SignUpAuthEndpoint
- apps/api/plane/authentication/views/space/email.py: SignInAuthSpaceEndpoint, SignUpAuthSpaceEndpoint

Behaviour
- On rejection the view redirects with RATE_LIMIT_EXCEEDED, consistent with all other throttled auth endpoints
- Default limit remains 10/minute, overridable via the AUTHENTICATION_RATE_LIMIT env var

Test plan
- RATE_LIMIT_EXCEEDED redirect

Co-authored-by: Plane AI noreply@plane.so