From 4c637301f7f470357f604bd9a0a10e0445d2d10f Mon Sep 17 00:00:00 2001
From: Shane Kilkelly
Date: Fri, 21 Jul 2017 11:07:05 +0100
Subject: [PATCH] Add rate-limit to change-password action
---
 services/web/app/coffee/router.coffee | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/services/web/app/coffee/router.coffee b/services/web/app/coffee/router.coffee
index fc9820dacf..2ebde53748 100644
--- a/services/web/app/coffee/router.coffee
+++ b/services/web/app/coffee/router.coffee
@@ -94,7 +94,14 @@ module.exports = class Router
 SudoModeMiddlewear.protectPage,
 UserPagesController.settingsPage
 webRouter.post '/user/settings', AuthenticationController.requireLogin(), UserController.updateUserSettings
- webRouter.post '/user/password/update', AuthenticationController.requireLogin(), UserController.changePassword
+ webRouter.post '/user/password/update',
+ AuthenticationController.requireLogin(),
+ RateLimiterMiddlewear.rateLimit({ endpointName: "change-password" maxRequests: 10 timeInterval: 60 }),
+ UserController.changePassword
 webRouter.get '/user/sessions', AuthenticationController.requireLogin(),