mirror of
https://github.com/strapi/strapi.git
synced 2026-06-02 16:27:47 +00:00
5e0d243cba
* fix: start implementing route checking within rate limit middleware
* fix(users-permissions): finalize route-aware rate-limit prefix key
Builds on the WIP from b5db1e69f9 to close the rate-limit bypass
described in GHSA-7mqx-wwh4-f9fw, where adding an arbitrary `email`
field to the request body produced a fresh rate-limit key per
request on routes that do not use email as their identifier.
- Populates the no-identifier route list (/auth/local,
/auth/reset-password, /auth/change-password) and treats OAuth
callback paths (/connect/*) the same way.
- Uses Array.prototype.some + endsWith so the path check is stable
regardless of router mount prefix.
- Skips computing userIdentifier when the route does not use one.
- Drops the debug console.log and the unused-array `in` check from
the WIP.
- Exports buildPrefixKey and ROUTES_WITHOUT_IDENTIFIER for tests.
Adds a unit test suite covering each route class and confirming
that varying body.email cannot change the rate-limit key on the
identifier-less routes.
* fix(users-permissions): harden rate-limit prefix keys and throttle send-email-confirmation
---------
Co-authored-by: Ben Irvin <ben@innerdvations.com>