From a8050bea74db6564eaeb7f73a0332fea2a64ef7b Mon Sep 17 00:00:00 2001
From: gumi
Date: Sun, 26 May 2019 13:16:17 -0400
Subject: prevent from doing many resets at the same time

---
 src/routers/tmwa/middlewares/account.js | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/src/routers/tmwa/middlewares/account.js b/src/routers/tmwa/middlewares/account.js
index 1f5ed42..0ba1010 100644
--- a/src/routers/tmwa/middlewares/account.js
+++ b/src/routers/tmwa/middlewares/account.js
@@ -182,6 +182,22 @@ const reset_password = async (req, res, next) => {
         return;
     }
 
+    for (const [u, op] of pending_operations) {
+        if (op.type !== "reset")
+            continue;
+        for (const account of op.accounts) {
+            if (account.email === req.body.email) {
+                res.status(429).json({
+                    status: "error",
+                    error: "operation already pending"
+                });
+                req.app.locals.rate_limiting.add(req.ip);
+                setTimeout(() => req.app.locals.rate_limiting.delete(req.ip), 5000);
+                return;
+            }
+        }
+    }
+
     const uuid = uuidv4();
     transporter.sendMail({
         from: req.app.locals.mailer.from,
@@ -258,7 +274,7 @@ const reset_password = async (req, res, next) => {
         return;
     }
 
-    for (account of pending_operations.get(req.body.code).accounts) {
+    for (const account of pending_operations.get(req.body.code).accounts) {
         if (account.name === req.body.username) {
             pending_operations.delete(req.body.code);
             const child = execFile(`${req.app.locals.tmwa.home}/.local/bin/tmwa-admin`, [], {
@@ -281,7 +297,7 @@ const reset_password = async (req, res, next) => {
         return;
     }
 
-    res.status(201).json({
+    res.status(200).json({
         status: "success"
     });
     req.app.locals.logger.info(`TMWA.account: password has been reset: ${req.body.username} [${req.ip}]`);
-- 
cgit v1.2.3-60-g2f50
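Review bot: The new pending-operation check in the first hunk answers `429 operation already pending` only when a reset for that address is already queued, so the reply differs from whatever the route returns for an unknown or non-pending address and lets a caller learn that the address has an account with a live reset; the rate-limit entry added right after only slows that down. Unless the code before the hunk already returns a generic reply for unknown addresses, consider answering the duplicate the same way as a fresh request, e.g. `res.status(200).json({ status: "success" })`, and simply not sending another mail. The comparison `account.email === req.body.email` is also case-sensitive, so a differently-cased copy of the address bypasses the check unless the email is normalised earlier in reset_password. `u` in `for (const [u, op] of pending_operations)` is unused; `for (const op of pending_operations.values())` reads cleaner. The enclosing reset_password starts before and ends after the hunk.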