From 25e2a3388ed8014f35abcb20adc34b42b2116bf0 Mon Sep 17 00:00:00 2001
From: Aevann
Date: Tue, 9 Apr 2024 18:27:13 +0200
Subject: [PATCH] aggressive ratelimit for anything that sends mail to prevent email services flagging us as spam

---
 files/routes/login.py | 2 +-
 files/routes/mail.py | 4 ++--
 files/routes/settings.py | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/files/routes/login.py b/files/routes/login.py
index 849e99535..2d76db530 100644
--- a/files/routes/login.py
+++ b/files/routes/login.py
@@ -495,7 +495,7 @@ def lost_2fa(v):
 
 @app.post("/lost_2fa")
 @limiter.limit('1/second', scope=rpath)
-@limiter.limit("6/minute;200/hour;1000/day", deduct_when=lambda response: response.status_code < 400)
+@limiter.limit("3/day", deduct_when=lambda response: response.status_code < 400)
 def lost_2fa_post():
 	username = request.values.get("username")
 	user = get_user(username, graceful=True)
diff --git a/files/routes/mail.py b/files/routes/mail.py
index d685475d9..67d4faf3a 100644
--- a/files/routes/mail.py
+++ b/files/routes/mail.py
@@ -12,8 +12,8 @@ from files.__main__ import app, limiter
 @app.post("/verify_email")
 @limiter.limit('1/second', scope=rpath)
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
-@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
-@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
+@limiter.limit('3/day', deduct_when=lambda response: response.status_code < 400)
+@limiter.limit('3/day', deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
 @auth_required
 def verify_email(v):
 	if v.email_verified:
diff --git a/files/routes/settings.py b/files/routes/settings.py
index 3c2a8b70e..43e9e5182 100644
--- a/files/routes/settings.py
+++ b/files/routes/settings.py
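Review bot: The new `"3/day"` limit on `lost_2fa_post` has no `key_func`, so it is keyed by the limiter's default key (presumably the client address), not by the account whose recovery mail is being requested; many clients can still each trigger three mails for the same username, which is the volume the commit is trying to cap, while everyone behind one shared egress address shares a single budget of three. If the aim is to bound mail per recipient, add a second limit keyed by the submitted account alongside the per-client one, e.g. `@limiter.limit("3/day", deduct_when=lambda response: response.status_code < 400, key_func=lambda: (request.values.get("username") or "").lower())`. The literal `3/day` is repeated in mail.py and settings.py uses `10/day`, and login.py double-quotes it where the other two files single-quote it; a named constant defined next to `DEFAULT_RATELIMIT` (a `MAIL_RATELIMIT`, say) would keep the policy in one place and remove the inconsistency. The body of `lost_2fa_post` continues past the hunk, so which branches actually send mail is not visible here.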
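Review bot: The two new `'3/day'` limits on `verify_email` deduct on any response below 400, so they count accepted requests rather than mails sent; the `if v.email_verified:` branch on the next line presumably returns without sending anything, and if that return has a 2xx/3xx status it still consumes one of the three daily attempts, so confirm it returns a 4xx (or that the limiter is meant to count it). A short comment on the limit lines would record the intent for the next person who sees a cap this low, e.g. `# every accepted request sends a mail; keep the cap low so we are not flagged as a spam source`. The rest of `verify_email` is outside the hunk.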
@@ -492,8 +492,8 @@ def verifiedcolor(v):
 @app.post("/settings/security")
 @limiter.limit('1/second', scope=rpath)
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
-@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
-@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
+@limiter.limit('10/day', deduct_when=lambda response: response.status_code < 400)
+@limiter.limit('10/day', deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
 @auth_required
 def settings_security_post(v):
 	if request.values.get("new_password"):
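Review bot: The `'10/day'` limits on `settings_security_post` apply to the whole endpoint, and the visible `if request.values.get("new_password"):` branch shows it also handles password changes, which do not send mail; with the per-client key, ten successful password changes from one shared address (an office or campus NAT) lock out everyone else behind it for the day, which matters most during incident response when many users change passwords at once. Since `deduct_when` only sees the response, the cleaner fix is to give the mail-sending action (email change, if that is what this endpoint does) its own route carrying the `10/day` limits and leave `DEFAULT_RATELIMIT` on the password path; alternatively, document on the limit lines that password changes are deliberately included. The function body continues past the hunk, so which sub-actions send mail is inferred, not visible.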