Skip to content

feat(authentication): rate limit magic links and OTP generation #2765

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
miguelpeixe merged 11 commits into from
Nov 21, 2023
Merged

feat(authentication): rate limit magic links and OTP generation #2765

miguelpeixe merged 11 commits into from
Nov 21, 2023

Conversation

@miguelpeixe
Copy link
Member

@miguelpeixe miguelpeixe commented Nov 20, 2023
edited
Loading

All Submissions:

Changes proposed in this Pull Request:

Implement a 60-second interval for rate-limiting the generation of magic links and OTPs.

image

87144f4 changes the validation check so that it can return invalid_hash and invalid_otp early. The tests started to fail because it is now cleaning all tokens per test, meaning there are no tokens when testing OTP expiration. This change allows the expected invalid_hash to return.

How to test the changes in this Pull Request:

  1. Check out this branch and make sure you have RAS enabled
  2. On a fresh session, click the "Sign In" button on the header
  3. Enter an existing reader account's email
  4. Click "Try a different email" and proceed to send to the same email
  5. Confirm you get the following error: "You must wait before you can issue another authorization code."

Other information:

  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes, as applicable?
  • Have you successfully ran tests with your changes locally?

@miguelpeixe miguelpeixe requested a review from a team as a code owner November 20, 2023 19:50
@miguelpeixe miguelpeixe self-assigned this Nov 20, 2023
@miguelpeixe miguelpeixe added the [Status] Needs Review The issue or pull request needs to be reviewed label Nov 20, 2023
dkoo
dkoo approved these changes Nov 20, 2023
View reviewed changes
Copy link
Contributor

@dkoo dkoo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Works as described! I made a non-blocking suggestion for the error message itself.

@github-actions github-actions bot added [Status] Approved The pull request has been reviewed and is ready to merge and removed [Status] Needs Review The issue or pull request needs to be reviewed labels Nov 20, 2023
@miguelpeixe @dkoo
Update includes/class-magic-link.php
39a488e 
Co-authored-by: Derrick Koo <dkoo@users.noreply.github.com>
@miguelpeixe miguelpeixe merged commit 1252515 into master Nov 21, 2023
@miguelpeixe miguelpeixe deleted the feat/magic-link-otp-rate-limit branch November 21, 2023 13:15
matticbot pushed a commit that referenced this pull request Nov 30, 2023
@semantic-release-bot
chore(release): 2.12.0-alpha.1 [skip ci]
e39b1f5 
# [2.12.0-alpha.1](v2.11.3...v2.12.0-alpha.1) (2023-11-30)

### Bug Fixes

* **checkout:** move stripe's cover fee placement ([#2767](#2767)) ([5f8b539](5f8b539))
* **data-events:** no longer use ActionScheduler for dispatches ([#2755](#2755)) ([975ab96](975ab96))
* **metering:** restrict comments on gated content ([#2751](#2751)) ([1bfc6f0](1bfc6f0))
* **recaptcha:** refresh token on checkout error ([#2769](#2769)) ([f22e8bd](f22e8bd))

### Features

* add filters for assets enqueueing ([#2768](#2768)) ([fcad059](fcad059))
* **authentication:** rate limit magic links and OTP generation ([#2765](#2765)) ([1252515](1252515))
* **campaigns:** mark duplicate segments ([cb5b527](cb5b527))
* **data-events:** track content gate interactions ([#2740](#2740)) ([298fd7c](298fd7c))
* **donations:** disable coupons for donation checkout ([#2770](#2770)) ([6051429](6051429))
@matticbot
Copy link
Contributor

matticbot commented Nov 30, 2023

🎉 This PR is included in version 2.12.0-alpha.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

matticbot pushed a commit that referenced this pull request Dec 11, 2023
@semantic-release-bot
chore(release): 2.12.0 [skip ci]
bcc9940 
# [2.12.0](v2.11.6...v2.12.0) (2023-12-11)

### Bug Fixes

* **checkout:** move stripe's cover fee placement ([#2767](#2767)) ([5f8b539](5f8b539))
* **data-events:** no longer use ActionScheduler for dispatches ([#2755](#2755)) ([975ab96](975ab96))
* **metering:** restrict comments on gated content ([#2751](#2751)) ([1bfc6f0](1bfc6f0))
* **recaptcha:** refresh token on checkout error ([#2769](#2769)) ([f22e8bd](f22e8bd))

### Features

* add filters for assets enqueueing ([#2768](#2768)) ([fcad059](fcad059))
* **authentication:** rate limit magic links and OTP generation ([#2765](#2765)) ([1252515](1252515))
* **campaigns:** mark duplicate segments ([cb5b527](cb5b527))
* **data-events:** track content gate interactions ([#2740](#2740)) ([298fd7c](298fd7c))
* **donations:** disable coupons for donation checkout ([#2770](#2770)) ([6051429](6051429))
@matticbot
Copy link
Contributor

matticbot commented Dec 11, 2023

🎉 This PR is included in version 2.12.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dkoo dkoo dkoo approved these changes

Assignees

@miguelpeixe miguelpeixe

Labels

released on @alpha released [Status] Approved The pull request has been reviewed and is ready to merge

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@miguelpeixe @matticbot @dkoo