
Email Verification Rate Limiting and Anti-Abuse Protection

Open cdmx-in opened this issue 5 months ago • 3 comments

Summary

Implements comprehensive rate limiting for email verification stage to prevent abuse and improve UX.

Key Changes

🔒 Rate Limiting

  • Progressive cooldown: 60s → 5min after 5+ attempts
  • Session persistence: Survives page refreshes
  • Automatic reset: Clears on successful flow completion

🎨 Enhanced UI

  • Dynamic button states: "Sending..." → "Wait 2m 15s" → "Send Email again"
  • Visual feedback: Email icon (📧) and contextual alerts
  • Accessibility: Added aria-label support

⚠️ Critical Security Fix

Email Bombing Vulnerability: Original code allowed unlimited rapid email sending, enabling:

  • User inbox flooding
  • SMTP server abuse
  • Resource exhaustion
  • Potential service blacklisting

Technical Details

  • Uses sessionStorage for attempt tracking
  • Progressive alerts at 3+ and 5+ attempts
  • Proper cleanup on component disconnect
  • No breaking changes to existing API

Implementation

// Rate limiting constants
private readonly COOLDOWN_DURATION = 60;      // 1 minute
private readonly MAX_ATTEMPTS = 5;            // Before extended cooldown
private readonly EXTENDED_COOLDOWN = 300;     // 5 minutes

This change transforms a significant abuse vector into a secure, user-friendly experience while maintaining all legitimate functionality.

This pull request introduces enhancements to the EmailStage component in web/src/flow/stages/email/EmailStage.ts, focusing on user experience improvements and rate-limiting functionality for email submissions. The key changes include the implementation of cooldown timers and attempt tracking to prevent excessive email requests, along with UI updates to reflect these changes.

Rate-limiting and cooldown functionality:

  • Added @state properties (isLoading, cooldownTimer, attempts) and constants (COOLDOWN_DURATION, MAX_ATTEMPTS, EXTENDED_COOLDOWN) to manage cooldowns and limit excessive email submission attempts.
  • Implemented methods (restoreCooldownState, startCooldownTimer, trackAttempt) to persist cooldown states using sessionStorage and dynamically calculate cooldown durations based on the number of attempts.
  • Modified the submitForm method to enforce cooldown restrictions and reset attempts on successful submission.

UI updates for cooldown feedback:

  • Updated the button rendering logic (getButtonText, getButtonDisabled) to display cooldown timers and disable the button during cooldown periods.
  • Added the renderWarningMessage method to show alert messages for excessive attempts or suggest checking the spam folder.
  • Updated the form rendering to include the warning message and dynamic button states.

Minor adjustments:

  • Added an email icon to enhance the visual design of the form.
  • Updated imports to include the state decorator from lit/decorators.js.

cdmx-in avatar Jun 10 '25 11:06 cdmx-in
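The progressive cooldown described in the PR (60 s per attempt, 5 minutes once 5 attempts are reached, state surviving a page refresh via sessionStorage, reset on success, alerts at 3+ and 5+ attempts), rewritten as an added, framework-free example. This is not authentik's EmailStage code: the storage and clock are injected so it runs in Node, and CooldownTracker, StorageLike, MemoryStorage, buttonText and the storage key are assumed names.

```typescript
// Added example (not authentik's code): progressive email-send cooldown with
// storage and clock injected so it runs outside a browser.

export interface StorageLike {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
  removeItem(key: string): void;
}

// Constructed in-memory stand-in for window.sessionStorage.
export class MemoryStorage implements StorageLike {
  private items = new Map<string, string>();
  getItem(key: string): string | null { return this.items.get(key) ?? null; }
  setItem(key: string, value: string): void { this.items.set(key, value); }
  removeItem(key: string): void { this.items.delete(key); }
}

// Constants as described in the PR: 60 s cooldown, 5 minutes after 5+ attempts.
export const COOLDOWN_DURATION = 60;
export const MAX_ATTEMPTS = 5;
export const EXTENDED_COOLDOWN = 300;

interface PersistedState { attempts: number; cooldownUntil: number; } // epoch seconds

export class CooldownTracker {
  private attempts = 0;
  private cooldownUntil = 0;

  constructor(
    private readonly storage: StorageLike,
    private readonly now: () => number = () => Math.floor(Date.now() / 1000),
    private readonly key: string = "email-stage-cooldown", // assumed key name
  ) {
    this.restore();
  }

  // Reload attempts and deadline so a refresh does not reset the timer.
  private restore(): void {
    const raw = this.storage.getItem(this.key);
    if (!raw) return;
    try {
      const s = JSON.parse(raw) as Partial<PersistedState>;
      this.attempts = typeof s.attempts === "number" && s.attempts >= 0 ? s.attempts : 0;
      this.cooldownUntil = typeof s.cooldownUntil === "number" ? s.cooldownUntil : 0;
    } catch {
      this.storage.removeItem(this.key); // corrupt entry: start clean
    }
  }

  private persist(): void {
    const s: PersistedState = { attempts: this.attempts, cooldownUntil: this.cooldownUntil };
    this.storage.setItem(this.key, JSON.stringify(s));
  }

  // Seconds left before another send is allowed (0 when not cooling down).
  remainingSeconds(): number { return Math.max(0, this.cooldownUntil - this.now()); }

  canSend(): boolean { return this.remainingSeconds() === 0; }

  // Record a send and choose the cooldown from the attempt count; returns the duration.
  trackAttempt(): number {
    this.attempts += 1;
    const duration = this.attempts >= MAX_ATTEMPTS ? EXTENDED_COOLDOWN : COOLDOWN_DURATION;
    this.cooldownUntil = this.now() + duration;
    this.persist();
    return duration;
  }

  // Alert level matching the PR's 3+ (check spam) and 5+ (excessive) thresholds.
  warningLevel(): "none" | "spam-hint" | "excessive" {
    if (this.attempts >= MAX_ATTEMPTS) return "excessive";
    if (this.attempts >= 3) return "spam-hint";
    return "none";
  }

  // Clear everything on successful flow completion.
  reset(): void {
    this.attempts = 0;
    this.cooldownUntil = 0;
    this.storage.removeItem(this.key);
  }

  get attemptCount(): number { return this.attempts; }
}

// Button label in the style the PR describes ("Sending..." / "Wait 2m 15s" / "Send Email again").
export function buttonText(tracker: CooldownTracker, sending: boolean): string {
  if (sending) return "Sending...";
  const left = tracker.remainingSeconds();
  if (left > 0) {
    const m = Math.floor(left / 60);
    const s = left % 60;
    return m > 0 ? `Wait ${m}m ${s}s` : `Wait ${s}s`;
  }
  return tracker.attemptCount > 0 ? "Send Email again" : "Send Email";
}
```

Because the state lives in sessionStorage, this logic limits what the rendered button will do for a normal user and stops accidental repeat clicks; a client that clears storage or calls the API directly is not bound by it, so the server-side stage still needs its own per-identity rate limit for the email-bombing risk the PR describes to be fully closed.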

Yeah this is a good feature.

Is there a specific pane you are referring to for the logs? Or is it on all of them?

jayair avatar Jun 13 '25 22:06 jayair

👍 For me personally the panes for any process started by an sst.x.DevCommand resource would be sufficient since that's how I run things right now, though I assume folks who are using the dev option/config on other resources would want the same feature. I don't have a need for it in the main SST process or the Functions tab.

erikmunson avatar Jun 13 '25 23:06 erikmunson

could use this feature as well, +1

handlebauer avatar Jun 21 '25 21:06 handlebauer

This is the only thing I dislike about SST:

  • No way to clear the terminal tab
  • No way to copy debug output if it doesn't fit on one screen (you can zoom out, but it's not always enough)

I would much rather have the option to open two terminal tabs

Mosquid avatar Aug 01 '25 13:08 Mosquid