aggressive ratelimit for anything that sends mail to prevent email services flagging us as spam

2024-04-09 18:27:13 +02:00 · 2024-04-09 18:27:13 +02:00 · 25e2a3388e
parent 0ae54086dd
commit 25e2a3388e
3 changed files with 5 additions and 5 deletions
--- a/files/routes/login.py
+++ b/files/routes/login.py
@ -495,7 +495,7 @@ def lost_2fa(v):

@app.post("/lost_2fa")
@limiter.limit('1/second', scope=rpath)
-@limiter.limit("6/minute;200/hour;1000/day", deduct_when=lambda response: response.status_code < 400)
+@limiter.limit("3/day", deduct_when=lambda response: response.status_code < 400)
 def lost_2fa_post():
 	username = request.values.get("username")
 	user = get_user(username, graceful=True)
--- a/files/routes/mail.py
+++ b/files/routes/mail.py
@ -12,8 +12,8 @@ from files.__main__ import app, limiter
@app.post("/verify_email")
@limiter.limit('1/second', scope=rpath)
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
-@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
-@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
+@limiter.limit('3/day', deduct_when=lambda response: response.status_code < 400)
+@limiter.limit('3/day', deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@auth_required
 def verify_email(v):
 	if v.email_verified:
--- a/files/routes/settings.py
+++ b/files/routes/settings.py
@ -492,8 +492,8 @@ def verifiedcolor(v):
@app.post("/settings/security")
@limiter.limit('1/second', scope=rpath)
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
-@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
-@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
+@limiter.limit('10/day', deduct_when=lambda response: response.status_code < 400)
+@limiter.limit('10/day', deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@auth_required
 def settings_security_post(v):
 	if request.values.get("new_password"):