fix: add rate limiting to prevent brute force on password reset (#13292)

2025-02-08 10:28:31 +08:00
parent c8dcde6cd0
commit 982bca5d40
4 changed files with 51 additions and 1 deletions
--- a/api/configs/feature/init.py
+++ b/api/configs/feature/init.py
@@ -498,6 +498,11 @@ class AuthConfig(BaseSettings):
        default=86400,
    )

+    FORGOT_PASSWORD_LOCKOUT_DURATION: PositiveInt = Field(
+        description="Time (in seconds) a user must wait before retrying password reset after exceeding the rate limit.",
+        default=86400,
+    )
+

 class ModerationConfig(BaseSettings):
    """