Files
DMehaffy 5e0d243cba fix: dynamically update rate limit prefix key based on route (#24818)
* fix: start implementing route checking within rate limit middleware

* fix(users-permissions): finalize route-aware rate-limit prefix key

Builds on the WIP from b5db1e69f9 to close the rate-limit bypass
described in GHSA-7mqx-wwh4-f9fw, where adding an arbitrary `email`
field to the request body produced a fresh rate-limit key per
request on routes that do not use email as their identifier.

- Populates the no-identifier route list (/auth/local,
  /auth/reset-password, /auth/change-password) and treats OAuth
  callback paths (/connect/*) the same way.
- Uses Array.prototype.some + endsWith so the path check is stable
  regardless of router mount prefix.
- Skips computing userIdentifier when the route does not use one.
- Drops the debug console.log and the unused-array `in` check from
  the WIP.
- Exports buildPrefixKey and ROUTES_WITHOUT_IDENTIFIER for tests.

Adds a unit test suite covering each route class and confirming
that varying body.email cannot change the rate-limit key on the
identifier-less routes.

* fix(users-permissions): harden rate-limit prefix keys and throttle send-email-confirmation

---------

Co-authored-by: Ben Irvin <ben@innerdvations.com>
2026-05-05 09:28:53 -07:00
..
2025-01-23 16:28:23 +01:00