overleaf/services/web/app
Antoine Clausse 5f2718cf29 [web] Make rate-limit on login consistent, prevent "trim/case bypass" (#19555)
* Replace `LoginRateLimiter.processLoginRequest` call by use of `RateLimiterMiddleware`

* Lowercase the email to avoid rate-limit bypass

* Remove unit test "when the users rate limit"

* Use `EmailHelper.parseEmail` to normalize email in `processLoginRequest`

This should address the `trim()` bypass

* Use `.trim().toLowerCase()` instead of `EmailHelper.parseEmail`

We can't use `EmailHelper.parseEmail`, else it breaks the test (and feature): "with username that does not look like an email"

* Add acceptance test for rate limit

* Add comment on rate limits

* Rename `rateLimiter` to `rateLimiterLoginEmail` for clarity

* Make the login rate limits configurable from the settings

GitOrigin-RevId: cf1c3a416745f2b007c85014a5084570d4a049a7
2024-07-30 08:04:26 +00:00
..
src [web] Make rate-limit on login consistent, prevent "trim/case bypass" (#19555) 2024-07-30 08:04:26 +00:00
templates [web] Use localized number formatting for currencies (#17622) 2024-04-19 08:03:54 +00:00
views Merge pull request #19594 from overleaf/jel-light-touch-table-checkmark 2024-07-26 08:05:02 +00:00