diff --git a/api/api.go b/api/api.go index aa2b3f8a..e0dc4888 100644 --- a/api/api.go +++ b/api/api.go @@ -133,15 +133,30 @@ func NewAPIWithVersion(ctx context.Context, globalConfig *conf.GlobalConfigurati r.With(api.requireAdminCredentials).Post("/invite", api.Invite) - r.With(api.requireEmailProvider).Post("/signup", api.Signup) - r.With(api.requireEmailProvider).Post("/recover", api.Recover) r.With(api.requireEmailProvider).With(api.limitHandler( - // Allow requests at a rate of 30 per 5 minutes. + // Allow up to 10 signup requests per minute per client. + tollbooth.NewLimiter(10.0/60, &limiter.ExpirableOptions{ + DefaultExpirationTTL: time.Hour, + }).SetBurst(10), + )).Post("/signup", api.Signup) + r.With(api.requireEmailProvider).With(api.limitHandler( + // Allow up to 5 password recovery requests per minute per client. + tollbooth.NewLimiter(5.0/60, &limiter.ExpirableOptions{ + DefaultExpirationTTL: time.Hour, + }).SetBurst(5), + )).Post("/recover", api.Recover) + r.With(api.requireEmailProvider).With(api.limitHandler( + // Allow up to 30 token requests per 5 minutes per client. tollbooth.NewLimiter(30.0/(60*5), &limiter.ExpirableOptions{ DefaultExpirationTTL: time.Hour, }).SetBurst(30), )).Post("/token", api.Token) - r.Post("/verify", api.Verify) + r.With(api.limitHandler( + // Allow up to 30 verification attempts per minute per client. + tollbooth.NewLimiter(30.0/60, &limiter.ExpirableOptions{ + DefaultExpirationTTL: time.Hour, + }).SetBurst(30), + )).Post("/verify", api.Verify) r.With(api.requireAuthentication).Post("/logout", api.Logout)