feat: Implement flask limiter on password-reset route

Author: shreyanshdwivedi

app/__init__.py

@@ -11,6 +11,7 @@
 from flask_script import Manager
 from flask_login import current_user
 from flask_jwt import JWT
+from flask_limiter import Limiter
 from datetime import timedelta
 from flask_cors import CORS
 from flask_rest_jsonapi.errors import jsonapi_errors
@@ -50,6 +51,7 @@
 static_dir = os.path.dirname(os.path.dirname(__file__)) + "/static"
 template_dir = os.path.dirname(__file__) + "/templates"
 app = Flask(__name__, static_folder=static_dir, template_folder=template_dir)
+limiter = Limiter(app)
 env.read_envfile()
 
 

app/api/auth.py

@@ -13,6 +13,7 @@
 from app.api.helpers.storage import generate_hash
 
 from app import get_settings
+from app import limiter
 from app.api.helpers.db import save_to_db, get_count
 from app.api.helpers.errors import ForbiddenError, UnprocessableEntityError, NotFoundError, BadRequestError
 from app.api.helpers.files import make_frontend_url
@@ -29,7 +30,6 @@
 from app.models.user import User
 from app.api.helpers.storage import UPLOAD_PATHS
 
-
 authorised_blueprint = Blueprint('authorised_blueprint', __name__, url_prefix='/')
 ticket_blueprint = Blueprint('ticket_blueprint', __name__, url_prefix='/v1')
 auth_routes = Blueprint('auth', __name__, url_prefix='/v1/auth')
@@ -207,6 +207,9 @@ def resend_verification_email():
 
 
 @auth_routes.route('/reset-password', methods=['POST'])
+@limiter.limit(
+    '3/hour', key_func=lambda: request.json['data']['email'], error_message='Limit for this action exceeded'
+)
 def reset_password_post():
     try:
         email = request.json['data']['email']

requirements/common.txt

@@ -1,5 +1,6 @@
 pycparser==2.14 # Only 2.14 works.
 Flask~=1.0.3
+Flask-Limiter~=1.0.1
 Flask-Script~=2.0.6
 Flask-SQLAlchemy~=2.1
 Flask-Migrate~=2.5