feat(account): throttle confirm-code sends per recipient
Add an in-memory SendLimiter enforcing a one-per-minute cooldown and a five-per-rolling-hour cap per recipient address, checked before provisioning or sending in RequestCode, RequestLoginCode and RequestLinkCode. It guards against email bombing and protects the relay quota. The limiter is injected in main (nil in tests, so the domain suite is unaffected); ErrTooManyRequests maps to HTTP 429.
This commit is contained in:
@@ -55,6 +55,9 @@ var (
|
||||
ErrTooManyAttempts = errors.New("account: too many confirmation attempts")
|
||||
// ErrCodeMismatch is returned when the submitted code does not match.
|
||||
ErrCodeMismatch = errors.New("account: confirmation code does not match")
|
||||
// ErrTooManyRequests is returned when confirm-code sends to an address are being
|
||||
// requested too frequently (the resend cooldown or the rolling-hour cap).
|
||||
ErrTooManyRequests = errors.New("account: too many code requests")
|
||||
)
|
||||
|
||||
// EmailService runs the email confirm-code flow: it issues a 6-digit code over a
|
||||
@@ -67,6 +70,7 @@ type EmailService struct {
|
||||
store *Store
|
||||
mailer Mailer
|
||||
baseURL string
|
||||
limiter *SendLimiter
|
||||
now func() time.Time
|
||||
}
|
||||
|
||||
@@ -78,6 +82,16 @@ func NewEmailService(store *Store, mailer Mailer, baseURL string) *EmailService
|
||||
return &EmailService{store: store, mailer: mailer, baseURL: baseURL, now: func() time.Time { return time.Now().UTC() }}
|
||||
}
|
||||
|
||||
// SetSendLimiter installs a per-recipient send throttle. When unset (nil), sends are
|
||||
// not throttled — production wires a limiter; tests leave it off.
|
||||
func (s *EmailService) SetSendLimiter(l *SendLimiter) { s.limiter = l }
|
||||
|
||||
// allowSend reports whether a confirm-code send to email is permitted now, recording
|
||||
// it when so. A nil limiter permits every send.
|
||||
func (s *EmailService) allowSend(email string) bool {
|
||||
return s.limiter == nil || s.limiter.Allow(email)
|
||||
}
|
||||
|
||||
// issueCode generates a fresh confirm-code for (accountID, email), replaces any prior
|
||||
// pending confirmation, and mails the branded code in locale; purpose selects the
|
||||
// email wording. Only the SHA-256 hash of the code is stored.
|
||||
@@ -115,6 +129,9 @@ func (s *EmailService) RequestCode(ctx context.Context, accountID uuid.UUID, ema
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if !s.allowSend(addr) {
|
||||
return ErrTooManyRequests
|
||||
}
|
||||
owner, ok, err := s.store.confirmedEmailAccount(ctx, addr)
|
||||
if err != nil {
|
||||
return err
|
||||
@@ -172,6 +189,9 @@ func (s *EmailService) RequestLoginCode(ctx context.Context, email, browserTZ, l
|
||||
if err != nil {
|
||||
return uuid.UUID{}, err
|
||||
}
|
||||
if !s.allowSend(addr) {
|
||||
return uuid.UUID{}, ErrTooManyRequests
|
||||
}
|
||||
acc, err := s.store.ProvisionEmail(ctx, addr, browserTZ, language)
|
||||
if err != nil {
|
||||
return uuid.UUID{}, err
|
||||
|
||||
Reference in New Issue
Block a user