overleaf/services
Antoine Clausse 5f2718cf29 [web] Make rate-limit on login consistent, prevent "trim/case bypass" (#19555)
* Replace the `LoginRateLimiter.processLoginRequest` call with `RateLimiterMiddleware`

* Lowercase the email to avoid rate-limit bypass

* Remove unit test "when the users rate limit"

* Use `EmailHelper.parseEmail` to normalize email in `processLoginRequest`

This should address the `trim()` bypass

* Use `.trim().toLowerCase()` instead of `EmailHelper.parseEmail`

We can't use `EmailHelper.parseEmail`, else it breaks the test (and feature): "with username that does not look like an email"

* Add acceptance test for rate limit

* Add comment on rate limits

* Rename `rateLimiter` to `rateLimiterLoginEmail` for clarity

* Make the login rate limits configurable from the settings

GitOrigin-RevId: cf1c3a416745f2b007c85014a5084570d4a049a7
2024-07-30 08:04:26 +00:00
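As an added example of the bypass this commit closes (illustration code, not Overleaf's own): a login rate limiter keyed on the email exactly as submitted, beside the same limiter keyed on `.trim().toLowerCase()` of it. The fixed-window limiter class, the two key functions and the attacker's attempt list are all constructed here and are assumptions, not the web service's `RateLimiterMiddleware` or its configuration.

```javascript
// Added example, not Overleaf's code: why a login rate limiter must key on a
// normalized identifier. A limiter keyed on the email exactly as submitted can
// be bypassed by varying case or surrounding whitespace, because every variant
// lands in its own bucket. The limiter, key functions and attacker input below
// are constructed for this illustration; the normalization mirrors the
// `.trim().toLowerCase()` step the commit describes.

// Minimal fixed-window counter keyed by an arbitrary string (a stand-in for
// whatever store backs the real middleware; assumed, not the project's code).
class FixedWindowRateLimiter {
  constructor({ points, durationMs }) {
    this.points = points;        // attempts allowed per window
    this.durationMs = durationMs;
    this.buckets = new Map();    // key -> { count, resetAt }
  }

  // Returns { allowed, remaining }; `now` is injectable for deterministic runs.
  consume(key, now = Date.now()) {
    let bucket = this.buckets.get(key);
    if (!bucket || now >= bucket.resetAt) {
      bucket = { count: 0, resetAt: now + this.durationMs };
      this.buckets.set(key, bucket);
    }
    if (bucket.count >= this.points) return { allowed: false, remaining: 0 };
    bucket.count += 1;
    return { allowed: true, remaining: this.points - bucket.count };
  }
}

// Vulnerable keying: the form value exactly as the client sent it.
function rawLoginKey(email) {
  return String(email);
}

// Hardened keying: trim and lowercase only. This deliberately does not parse
// the value as an email address, so a plain username without "@" still yields
// a usable key instead of being rejected.
function normalizedLoginKey(email) {
  return String(email).trim().toLowerCase();
}

// Constructed attacker input: n guesses against one account, each a distinct
// case/whitespace spelling of the same address. The low five bits of i drive
// the case of the first five letters, so every i < 32 gives a different string.
function attackerVariants(email, n) {
  const variants = [];
  for (let i = 0; i < n; i++) {
    const mixed = [...email]
      .map((c, j) => (((i >> (j % 5)) & 1) ? c.toUpperCase() : c.toLowerCase()))
      .join('');
    variants.push(' '.repeat(i % 3) + mixed + ' '.repeat((i >> 1) % 2));
  }
  return variants;
}

// Drive every attempt through the limiter and count how many get through.
function countAllowed(keyFn, attempts, limiter) {
  let allowed = 0;
  for (const value of attempts) {
    if (limiter.consume(keyFn(value), 0).allowed) allowed += 1;
  }
  return allowed;
}

// Same 30 attempts against one account, 10 allowed per window: raw keying
// spreads them over 30 buckets and lets all 30 through; normalized keying
// collapses them into one bucket and stops at 10.
function demo() {
  const attempts = attackerVariants('alice@example.com', 30);
  const policy = { points: 10, durationMs: 60_000 };
  return {
    distinctRawKeys: new Set(attempts.map(rawLoginKey)).size,
    distinctNormalizedKeys: new Set(attempts.map(normalizedLoginKey)).size,
    rawAllowed: countAllowed(rawLoginKey, attempts, new FixedWindowRateLimiter(policy)),
    normalizedAllowed: countAllowed(normalizedLoginKey, attempts, new FixedWindowRateLimiter(policy)),
  };
}

console.log(demo());
```

Run it with `node`. Two caveats worth keeping in mind: a limit keyed on the normalized email only bounds guesses against one account, so it complements rather than replaces a per-source (IP) limit against spraying across many accounts; and the normalization must be applied before the limiter sees the key, on the same value the authentication code will use, or the two can disagree about which account an attempt belongs to.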
chat Merge pull request #17362 from overleaf/bg-chai-object-id-tests 2024-07-16 08:04:46 +00:00
clsi Merge pull request #19540 from overleaf:bg-fix-nginx-clsi-config-in-dev-env 2024-07-23 08:04:40 +00:00
contacts Merge pull request #17362 from overleaf/bg-chai-object-id-tests 2024-07-16 08:04:46 +00:00
docstore Merge pull request #17362 from overleaf/bg-chai-object-id-tests 2024-07-16 08:04:46 +00:00
document-updater Merge pull request #19480 from overleaf/jpa-fast-path-fetch-for-transform 2024-07-24 08:05:14 +00:00
filestore Merge pull request #17362 from overleaf/bg-chai-object-id-tests 2024-07-16 08:04:46 +00:00
git-bridge Merge pull request #19428 from overleaf/msm-git-bridge-linux-utils 2024-07-17 08:04:29 +00:00
history-v1 Merge pull request #17362 from overleaf/bg-chai-object-id-tests 2024-07-16 08:04:46 +00:00
notifications Merge pull request #17362 from overleaf/bg-chai-object-id-tests 2024-07-16 08:04:46 +00:00
project-history Hide history-resync updates from "All history" (#19435) 2024-07-19 08:04:21 +00:00
real-time Merge pull request #19455 from overleaf/jpa-metrics 2024-07-19 08:04:34 +00:00
spelling Merge pull request #19282 from overleaf/jpa-filestore-sharding 2024-07-15 09:05:11 +00:00
web [web] Make rate-limit on login consistent, prevent "trim/case bypass" (#19555) 2024-07-30 08:04:26 +00:00