coderoyalty / pseudonym-app

An anonymous messaging application
https://pseudonym-app.vercel.app
MIT License

bug: cool-down rules not enforced #35

Open coderoyalty opened 7 months ago

coderoyalty commented 7 months ago

PR #34 introduced a few endpoints for requesting an email verification code and verifying an email address.

However, one of the rules of the email service (responsible for sending out emails) was to avoid resending an email until two minutes after the cool-down period. This was to ensure its intent was not misused.

https://github.com/coderoyalty/pseudonym-app/blob/7b0a233ddc6efd0aeffb472dda5b4805a595ab8c/backend/services/email.service.ts#L99-L109

The above LOC makes that intention futile. It bypassed the checks if the verification model's lifetime exceeded 2 minutes.

Solution:

  const date = new Date(verificationModel.createdAt);
  // true while the record is still inside the 2-minute cool-down window
  const stillCoolingDown = date.getTime() > Date.now() - 1000 * 60 * 2;

coderoyalty commented 7 months ago

We should depend on the rate limiter. We can tweak the rate limiter to accept only 1 request in the space of 2 minutes for that user.

This saves the trouble of unnecessary DB queries.
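As an added example (not the project's own code), both ways of enforcing the rule discussed in this thread: the corrected `createdAt` comparison from the first comment, and the per-user limiter from the second that admits one request per two-minute window without a DB query. The record shape, key names and timestamps are assumptions for illustration.

```typescript
// Added example, not code from pseudonym-app. Demonstrates the 2-minute
// cool-down on verification emails in two forms: a DB-record check and an
// in-memory per-user rate limiter. All names and timestamps are constructed.

const COOLDOWN_MS = 2 * 60 * 1000;

// Assumed shape of the verification record the issue refers to.
interface VerificationRecord {
  email: string;
  createdAt: string | number | Date;
}

// DB-backed check: true while the latest record is still inside the window,
// i.e. a new email must NOT be sent yet. The original bug let old records
// through; the corrected condition compares against "now minus the window".
function stillCoolingDown(record: VerificationRecord, now: number = Date.now()): boolean {
  const created = new Date(record.createdAt).getTime();
  // An unparsable timestamp must not silently allow a resend.
  if (Number.isNaN(created)) throw new Error("invalid createdAt");
  return created > now - COOLDOWN_MS;
}

// Alternative from the thread: keep the last request time per user in memory
// and allow at most one request per window, so no DB round-trip is needed.
class PerUserRateLimiter {
  private readonly windowMs: number;
  private readonly lastSeen = new Map<string, number>();

  constructor(windowMs: number = COOLDOWN_MS) {
    this.windowMs = windowMs;
  }

  // Records the request and returns true if allowed; false while cooling down.
  tryAcquire(userKey: string, now: number = Date.now()): boolean {
    const prev = this.lastSeen.get(userKey);
    if (prev !== undefined && now - prev < this.windowMs) return false;
    this.lastSeen.set(userKey, now);
    return true;
  }

  // Milliseconds until the next request is allowed (0 if allowed now);
  // handy for a Retry-After header on the 429 response.
  retryAfterMs(userKey: string, now: number = Date.now()): number {
    const prev = this.lastSeen.get(userKey);
    if (prev === undefined) return 0;
    return Math.max(0, prev + this.windowMs - now);
  }
}
```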