identity: make otp rate limiting more strict

This commit is contained in:
Abdullah Atta
2025-08-25 10:46:04 +05:00
parent e68b8f7e7c
commit 201a235357
3 changed files with 11 additions and 1 deletions
@@ -91,7 +91,7 @@ namespace Streetwriters.Identity.Controllers
[HttpPost("send")]
[Authorize("mfa")]
[Authorize(LocalApi.PolicyName)]
[EnableRateLimiting("strict")]
[EnableRateLimiting("super_strict")]
public async Task<IActionResult> RequestCode([FromForm] string type)
{
var client = Clients.FindClientById(User.FindFirstValue("client_id"));
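Review bot: The policy name on the new `[EnableRateLimiting("super_strict")]` attribute is a bare string literal that has to match the registration in the rate-limiter configuration exactly; the neighbouring `[Authorize(LocalApi.PolicyName)]` already shows the pattern of referencing a shared constant, and a `nameof`-style constant (e.g. `RateLimitPolicies.SuperStrict`, name to be chosen) would keep the two sides from drifting silently, since a typo here fails open rather than failing the build. The `RequestCode` action body continues outside the hunk.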
@@ -24,6 +24,7 @@ using System.Text;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Streetwriters.Common;
using Streetwriters.Common.Enums;
using Streetwriters.Common.Interfaces;
using Streetwriters.Common.Models;
@@ -185,6 +186,7 @@ namespace Streetwriters.Identity.Services
case "sms":
await UserManager.SetPhoneNumberAsync(user, form.PhoneNumber);
var id = await SMSSender.SendOTPAsync(form.PhoneNumber, client);
await Slogger<MFAService>.Info("SendOTPAsync", user.Id.ToString(), id);
await this.ReplaceClaimAsync(user, MFAService.SMS_ID_CLAIM, id);
break;
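Review bot: The new `Slogger<MFAService>.Info("SendOTPAsync", user.Id.ToString(), id)` call writes the value returned by `SMSSender.SendOTPAsync` to the log next to the user id; from this hunk it is not visible whether that value is an opaque provider message identifier or carries the code itself, and that should be confirmed before it is persisted in logs, given that the same value is also stored in `SMS_ID_CLAIM`. The logging call is also awaited between the send and `ReplaceClaimAsync`, so a failure in it would leave the SMS sent but the claim unset; placing the log call after the claim is replaced, or making it best-effort, avoids that ordering hazard. The enclosing `switch` and method start and end outside the hunk.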
@@ -145,6 +145,14 @@ namespace Streetwriters.Identity
options.QueueProcessingOrder = QueueProcessingOrder.OldestFirst;
options.QueueLimit = 0;
});
options.AddSlidingWindowLimiter("super_strict", options =>
{
options.PermitLimit = 1;
options.Window = TimeSpan.FromMinutes(1);
options.SegmentsPerWindow = 1;
options.QueueProcessingOrder = QueueProcessingOrder.OldestFirst;
options.QueueLimit = 2;
});
});
services.AddAuthorization(options =>
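Review bot: The `super_strict` limiter is registered through `AddSlidingWindowLimiter`, which partitions on the policy name only, so `PermitLimit = 1` per one-minute window is shared by every caller of the OTP `send` endpoint rather than applied per user; one user's request would hold off all other users for the rest of the window, and with `QueueLimit = 2` the next two requests are kept open in the queue for up to two minutes instead of being rejected (the `strict` limiter just above uses `QueueLimit = 0`). `SegmentsPerWindow = 1` also makes the sliding window behave like a fixed window, which is probably not what "sliding" was meant to give here. A policy registered with `AddPolicy` and a partition keyed on the authenticated user, with the queue disabled, keeps the one-per-minute intent while isolating users from each other, as sketched below; the claim used as the key should be confirmed against how the controller identifies the signed-in user. The enclosing `AddRateLimiter` configuration lambda starts outside the hunk.
```csharp
// … unchanged: "strict" limiter registration …
options.AddPolicy("super_strict", context =>
    RateLimitPartition.GetSlidingWindowLimiter(
        // TODO(review): confirm this is the claim that identifies the signed-in user
        context.User.FindFirstValue(ClaimTypes.NameIdentifier) ?? "anonymous",
        _ => new SlidingWindowRateLimiterOptions
        {
            PermitLimit = 1,
            Window = TimeSpan.FromMinutes(1),
            SegmentsPerWindow = 1,
            QueueProcessingOrder = QueueProcessingOrder.OldestFirst,
            QueueLimit = 0,
        }));
```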