
[SMS API] "Rate Limit" and "max_attempts" are not working once the captcha is submitted.

Open abhisheksahnii opened this issue 2 years ago • 4 comments

  • https://self-service-password.readthedocs.io/en/latest/config_sms.html#token
  • https://self-service-password.readthedocs.io/en/latest/config_rate_limit.html

I am using the SMS service to reset passwords via the SMS API and am able to receive the reset tokens successfully.

ISSUE: I tried to limit the number of times a user can use the SMS option to reset their password, following the above-mentioned links, but the user is still able to get an unlimited number of tokens just by refreshing the SMS token submit page.

Attachments: ltb_configuration.txt; Screenshot 2023-03-15 151501

This may be a bug

abhisheksahnii avatar Mar 15 '23 10:03 abhisheksahnii

Maybe linked to #736

coudot avatar Mar 15 '23 10:03 coudot

We will see that with @armfem

coudot avatar Mar 07 '24 14:03 coudot

We indeed still reproduce the bug

A solution would be to create a form token in the first screen, in a hidden field, then invalidate this token before sending the SMS. In this case a refresh would not resend the SMS as the form token won't be accepted again.

We need to implement this and be sure it does not cause regression.

Targeting a further release.

coudot avatar Apr 26 '24 15:04 coudot
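As an added illustration of the one-time form token approach proposed above: this is a standalone Python sketch with a constructed in-memory session, not code from the self-service-password project (which is PHP). The token is consumed before the SMS is sent, so replaying the same POST on refresh is rejected, and the per-login attempt counter only advances for accepted submissions.

```python
import secrets


class SmsResetFlow:
    """Server-side state for an SMS password-reset flow (constructed example).

    Stands in for the server session; form_tokens holds tokens issued to the
    first screen that have not yet been consumed by a submission."""

    def __init__(self, max_attempts=3):
        self.max_attempts = max_attempts
        self.form_tokens = set()      # issued, not yet consumed
        self.attempts = {}            # login -> accepted SMS requests
        self.sms_sent = []            # (login, code) pairs that would be sent

    def render_first_screen(self):
        """Issue a fresh one-time token to embed in a hidden form field."""
        token = secrets.token_urlsafe(32)
        self.form_tokens.add(token)
        return token

    def submit_sms_request(self, form_token, login):
        """Handle the form POST and return a status string.

        The token is invalidated *before* any SMS is sent, so a browser
        refresh that resubmits the same hidden token cannot trigger a
        second message."""
        if form_token not in self.form_tokens:
            return "invalid_or_reused_token"
        self.form_tokens.discard(form_token)  # consume first, then act

        if self.attempts.get(login, 0) >= self.max_attempts:
            return "rate_limited"
        self.attempts[login] = self.attempts.get(login, 0) + 1

        # Constructed stand-in for the SMS API call; the code is the reset token.
        self.sms_sent.append((login, secrets.token_hex(3)))
        return "sms_sent"
```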

When working on this issue, don't forget to pull the captcha refactoring work done in #894 (pushed on master)

davidcoutadeur avatar Jul 03 '24 16:07 davidcoutadeur