Skip to content

fix: rate limit signup, recover, and verify endpoints#450

Merged
VaibhavAcharya merged 5 commits into
masterfrom
vaibhavacharya/ex-1858-identity-no-rate-limiting-on-signup-recovery-or-verify
May 28, 2026
Merged

fix: rate limit signup, recover, and verify endpoints#450
VaibhavAcharya merged 5 commits into
masterfrom
vaibhavacharya/ex-1858-identity-no-rate-limiting-on-signup-recovery-or-verify

Conversation

@VaibhavAcharya

Copy link
Copy Markdown
Contributor

- Summary

Only /token was rate-limited, leaving /signup open to email flooding, /recover open to account enumeration and mass recovery emails, and /verify open to confirmation-token brute force. This adds independent tollbooth limiters per endpoint: 10/min on /signup, 5/min on /recover, 30/min on /verify, each with its own bucket so a flood on one endpoint doesn't lock out the others.

- Test plan

- Description for the changelog

Rate limit /signup, /recover, and /verify per client.

- A picture of a cute animal (not mandatory but encouraged)

@coderabbitai

coderabbitai Bot commented May 26, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8b293d39-f905-48b8-8a56-14a70826a2ae

📥 Commits

Reviewing files that changed from the base of the PR and between 25681de and c5ad977.

📒 Files selected for processing (1)
  • api/api.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • api/api.go

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Signup endpoint now rate-limited to 10 requests per minute to reduce abusive signups.
    • Password recovery endpoint now rate-limited to 5 requests per minute to protect recovery flow.
    • Verification attempts now limited to 30 attempts per minute to curb automated verification abuse.
    • Token issuance rate updated to 30 requests per 5 minutes to stabilize token operations.

Walkthrough

This change updates route registration in api/api.go to apply consistent rate limiting to email-provider endpoints. The /signup, /recover, /token, and /verify handlers are now wrapped with api.limitHandler using tollbooth-based per-client rate limiting. Signup is limited to 10 requests per minute, recover to 5 requests per minute, token to 30 requests per 5 minutes, and verify to 30 attempts per minute, each with corresponding burst values.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly describes the main change: adding rate limiting to the signup, recover, and verify endpoints.
Description check ✅ Passed The description is directly related to the changeset, explaining the security vulnerabilities being addressed and the rate limiting strategy implemented.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch vaibhavacharya/ex-1858-identity-no-rate-limiting-on-signup-recovery-or-verify

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions


Comment @coderabbitai help to get the list of available commands and usage tips.

@VaibhavAcharya VaibhavAcharya marked this pull request as ready for review May 26, 2026 11:27
@VaibhavAcharya VaibhavAcharya requested a review from a team as a code owner May 26, 2026 11:27

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
api/api.go (1)

132-155: ⚡ Quick win

Add regression tests for the new limiter wiring and endpoint-bucket isolation.

This security-sensitive change adds three new rate-limited routes but the provided coverage evidence only shows /token behavior (api/token_test.go:136-165). Please add tests for /signup, /recover, and /verify that assert 429 at the configured thresholds and confirm one endpoint’s bucket does not throttle the others for the same client key.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/api.go` around lines 132 - 155, Add regression tests covering the three
new rate-limited routes (handlers api.Signup, api.Recover, api.Verify) and an
isolation test proving one endpoint’s bucket does not throttle others; for each
route create tests that send requests with the same client key/header and assert
HTTP 429 once the configured limit is exceeded (Signup: >10 requests/min,
Recover: >5 requests/min, Verify: >30 requests/min; Token already covered), and
add a test that floods one endpoint (e.g., signup) to 429 then immediately calls
another endpoint (e.g., recover or token) with the same client key and asserts
it is not throttled; ensure tests use the same request helpers/middleware as the
server (limitHandler, requireEmailProvider) and reset/clear any in-memory
limiter state between subtests.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@api/api.go`:
- Around line 132-155: Add regression tests covering the three new rate-limited
routes (handlers api.Signup, api.Recover, api.Verify) and an isolation test
proving one endpoint’s bucket does not throttle others; for each route create
tests that send requests with the same client key/header and assert HTTP 429
once the configured limit is exceeded (Signup: >10 requests/min, Recover: >5
requests/min, Verify: >30 requests/min; Token already covered), and add a test
that floods one endpoint (e.g., signup) to 429 then immediately calls another
endpoint (e.g., recover or token) with the same client key and asserts it is not
throttled; ensure tests use the same request helpers/middleware as the server
(limitHandler, requireEmailProvider) and reset/clear any in-memory limiter state
between subtests.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 717dc623-a60c-40d5-bf43-579300cdf1e3

📥 Commits

Reviewing files that changed from the base of the PR and between a04c6d7 and 25681de.

📒 Files selected for processing (1)
  • api/api.go

@VaibhavAcharya VaibhavAcharya merged commit b6b08b2 into master May 28, 2026
7 checks passed
@VaibhavAcharya VaibhavAcharya deleted the vaibhavacharya/ex-1858-identity-no-rate-limiting-on-signup-recovery-or-verify branch May 28, 2026 07:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants