3pp-mirror/rallly
1
0
Fork 0
mirror of https://github.com/lukevella/rallly.git synced 2025-07-27 05:07:50 +02:00
Code Issues Projects Releases Packages Wiki Activity

🔒️ Rate limit OTP attempts (#1713)

Browse source
This commit is contained in:
Luke Vella 2025-05-14 14:37:27 +01:00 committed by GitHub
parent 2300ce65e5
commit 6d571b37c5
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 48 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

4
apps/web/public/locales/en/app.json
View file

@ -338,5 +338,7 @@
"helpUsImproveDesc": "Take a few minutes to share your feedback and help us shape the future of Rallly.", "helpUsImproveDesc": "Take a few minutes to share your feedback and help us shape the future of Rallly.",
"giveFeedback": "Give feedback", "giveFeedback": "Give feedback",
"homeActionsTitle": "Actions", "homeActionsTitle": "Actions",
"dismissFeedback": "Don't show again" "dismissFeedback": "Don't show again",
"tooManyAttempts": "Too many attempts, please try again later.",
"unknownError": "Something went wrong"
} }

36
apps/web/src/app/[locale]/(auth)/login/verify/components/otp-form.tsx
View file

@ -41,16 +41,36 @@ export function OTPForm({ email }: { email: string }) {
}/api/auth/callback/email?email=${encodeURIComponent(email.toLowerCase())}&token=${data.otp}`; }/api/auth/callback/email?email=${encodeURIComponent(email.toLowerCase())}&token=${data.otp}`;
const res = await fetch(url); const res = await fetch(url);
const resUrl = new URL(res.url);
const hasError = !!resUrl.searchParams.get("error"); if (!res.ok) {
switch (res.status) {
if (hasError) { case 429:
form.setError("otp", { form.setError("otp", {
message: t("wrongVerificationCode"), message: t("tooManyAttempts", {
}); defaultValue: "Too many attempts, please try again later.",
}),
});
break;
default:
form.setError("otp", {
message: t("unknownError", {
defaultValue: "Something went wrong",
}),
});
break;
}
} else { } else {
window.location.href = searchParams?.get("redirectTo") ?? "/"; const resUrl = new URL(res.url);
const hasError = !!resUrl.searchParams.get("error");
if (hasError) {
form.setError("otp", {
message: t("wrongVerificationCode", {
defaultValue: "The code you entered is incorrect",
}),
});
} else {
window.location.href = searchParams?.get("redirectTo") ?? "/";
}
} }
}); });

17
apps/web/src/app/api/auth/[...nextauth]/route.ts
View file

@ -1,5 +1,20 @@
import { rateLimit } from "@/features/rate-limit";
import { handlers } from "@/next-auth"; import { handlers } from "@/next-auth";
import { withPosthog } from "@/utils/posthog"; import { withPosthog } from "@/utils/posthog";
import type { NextRequest } from "next/server";
export const GET = withPosthog(async (req: NextRequest) => {
if (req.nextUrl.pathname.includes("callback/email")) {
const { success } = await rateLimit("login_otp_attempt", 20, "15m");
if (!success) {
return new Response("Too many requests", {
status: 429,
});
}
}
return handlers.GET(req);
});
export const GET = withPosthog(handlers.GET);
export const POST = withPosthog(handlers.POST); export const POST = withPosthog(handlers.POST);

1
apps/web/src/auth/providers/email.ts
View file

@ -9,6 +9,7 @@ export const EmailProvider = NodemailerProvider({
server: "none", // This value is required even though we don't need it server: "none", // This value is required even though we don't need it
from: process.env.NOREPLY_EMAIL, from: process.env.NOREPLY_EMAIL,
id: "email", id: "email",
maxAge: 15 * 60,
generateVerificationToken() { generateVerificationToken() {
return generateOtp(); return generateOtp();
}, },