/auth/password/forgot is easy to abuse for reset-link invalidation and email flooding. request_password_reset() always overwrites the existing reset token and sends a new email for any active user, with no per-user or per-email throttle (lifecycle_service.py). That is notably weaker than verification resend, which has explicit Redis-backed per-subject throttling (lifecycle_service.py). The only guard here is the coarse per-IP middleware bucket (rate_limit.py), so distributed callers can keep invalidating legitimate reset links through the /auth/password/forgot route (lifecycle.py).
Implement email and password validations (e.g., password must include at least 1 uppercase letter and 1 number)
Implement a 1-minute timeout before resending the OTP
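The per-subject throttle the report asks for, as an added example rather than the project's own code: the Redis key, user table and mailer are in-memory stand-ins, and `request_password_reset_throttled`, `ResetState` and the 60-second window are assumed names and values. The point it shows is ordering: the throttle is checked before the token is rotated, so a flood of requests for one address cannot invalidate a link the user is about to click.

```python
"""Per-subject throttle for password-reset requests (added example, not project
code). The Redis key and the mailer are replaced by in-memory stand-ins."""
import secrets
from dataclasses import dataclass, field

RESET_THROTTLE_SECONDS = 60  # assumed window: one reset email per subject per minute


@dataclass
class ResetState:
    """Constructed stand-in for the user table, the Redis throttle key and the mailer."""
    active_users: set
    tokens: dict = field(default_factory=dict)          # email -> live reset token
    throttle_until: dict = field(default_factory=dict)  # email -> expiry (epoch seconds)
    sent_emails: list = field(default_factory=list)     # (email, token) pairs "sent"


def _acquire_slot(state: ResetState, subject: str, now: float) -> bool:
    """Mimics Redis `SET key 1 NX EX <ttl>`: succeeds only when no live key exists."""
    if state.throttle_until.get(subject, 0.0) > now:
        return False
    state.throttle_until[subject] = now + RESET_THROTTLE_SECONDS
    return True


def request_password_reset_throttled(state: ResetState, email: str, now: float) -> str:
    """Outcome for the service layer: 'sent', 'throttled' or 'no_user'.
    The HTTP handler should map all three to the same generic response so that
    neither the throttle nor the lookup reveals whether an account exists."""
    subject = email.strip().lower()          # normalise so case variants share one bucket
    # Throttle before the user lookup and before touching the token: repeated
    # requests are absorbed here and never rotate (invalidate) the existing link.
    if not _acquire_slot(state, subject, now):
        return "throttled"
    if subject not in state.active_users:
        return "no_user"
    token = secrets.token_urlsafe(32)        # only now is the previous token replaced
    state.tokens[subject] = token
    state.sent_emails.append((subject, token))
    return "sent"


if __name__ == "__main__":
    st = ResetState(active_users={"alice@example.com"})
    print(request_password_reset_throttled(st, "alice@example.com", now=1000.0))  # sent
    print(request_password_reset_throttled(st, "Alice@example.com", now=1010.0))  # throttled
```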