Conversation

@shreyanshdwivedi
Member

Fixes #6033

Checklist

  • I have read the Contribution & Best practices Guide and my PR follows them.
  • My branch is up-to-date with the Upstream development branch.
  • The unit tests pass locally with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)
  • All the functions created/modified in this PR contain relevant docstrings.

Changes proposed in this pull request:

A threshold for an account reset email should be 3 times per hour. After that, the user receives a message: "You have reached the threshold for this action. Please try again in one hour."

@shreyanshdwivedi
Member Author

shreyanshdwivedi commented Jun 12, 2019

@uds5501 @mrsaicharan1 @kushthedude I'm not getting the time in the same format as it is getting stored in the db. For example, the time getting stored in the db is 2019-06-12 13:36:29.233271+05:30 and the one I'm getting is 2019-06-12 13:36:29.227708+00:00. Please note the +05:30 and +00:00 as the difference. I'm not able to get the correct timezone, I guess. Can you guys help me find out what I am missing here?

@kushthedude
Member

@shreyanshdwivedi We are not using pytz for time now. As per a recent change made by @prateekj117, we are now using SQLAlchemy's inbuilt timestamp function. Check there if you can find a way to retrieve the time from the db.

@codecov

codecov bot commented Jun 12, 2019

Codecov Report

Merging #6035 into development will increase coverage by 0.01%.
The diff coverage is 100%.


@@               Coverage Diff               @@
##           development    #6035      +/-   ##
===============================================
+ Coverage        66.12%   66.13%   +0.01%
===============================================
  Files              285      285
  Lines            14089    14095       +6
===============================================
+ Hits              9316     9322       +6
  Misses            4773     4773

Impacted Files      Coverage Δ
app/api/auth.py     22.64% <100%> (+1.34%) ⬆️
app/__init__.py     86.93% <100%> (+0.15%) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d78839b...64f0593. Read the comment docs.

Member

@niranjan94 niranjan94 left a comment


Related comment: #6033 (comment)

Explore using https://flask-limiter.readthedocs.io/en/stable/ for this. That way we can extend it to other endpoints too.

@shreyanshdwivedi
Member Author

@niranjan94 so should I use flask_limiter here rather than this approach for password-reset?

@niranjan94
Member

so should I use flask_limiter here rather than this approach for password-reset?

Yep. Correct. And the frontend can show an appropriate message to the user if it gets a 429 response code.

@shreyanshdwivedi
Member Author

shreyanshdwivedi commented Jun 12, 2019

@niranjan94 ok cool. But one thing, the issue mentioned -

A threshold for an account reset email should be 3 times per hour. After that the user should receive a message: "You have reached the threshold for this action. Please try again in one hour."

But I don't think this type of message for a particular user can be achieved by flask_limiter.

@niranjan94
Member

But I don't think this type of message can be achieved by flask_limiter.

@shreyanshdwivedi

#6035 (comment)

@fossasia fossasia deleted a comment Jun 12, 2019
@fossasia fossasia deleted a comment Jun 12, 2019
@shreyanshdwivedi shreyanshdwivedi force-pushed the limitEmail branch 2 times, most recently from 262ab94 to aa9782e, June 17, 2019 15:58
@shreyanshdwivedi shreyanshdwivedi force-pushed the limitEmail branch 2 times, most recently from ba748fc to 5700b69, June 17, 2019 16:15
@shreyanshdwivedi shreyanshdwivedi changed the title from "[WIP] feat: implement threshold for resetting password" to "feat: implement threshold for resetting password" Jun 17, 2019
@auto-label auto-label bot added the feature label Jun 17, 2019
@shreyanshdwivedi
Member Author

@iamareebjamal @niranjan94 I've updated the key_func and finalized the PR. I've checked it locally and it works for me. The error message produced:

429 Too Many Requests
Too Many Requests
Limit for this action exceeded

Please review


```python
@auth_routes.route('/reset-password', methods=['POST'])
@limiter.limit(
    '3/hour', key_func=lambda: request.json['data']['email'], error_message='Limit for this action exceeded'
```
Member


jamal.areeb@gmail.com
jamalareeb@gmail.com
ja.mal.are.eb@gmail.com

are all the same email address and will all be allowed by this method.

Member Author


@iamareebjamal I just tested the above three email addresses.
Each one is distinguished perfectly and fails when the email is entered a fourth time. I jumbled the order and tested; the reset request for one email is not affecting the others in any way.

Member

@iamareebjamal iamareebjamal Jun 18, 2019


I jumbled the order and tested; the reset request for one email is not affecting the others in any way.

It should

Member


The point is that I can keep adding dots and sending emails at a rate of more than 3/hour.

I can loop through a list of emails and send password reset requests on them. Essentially brute-forcing.

Member Author


But there is a check which raises an error if the user is not registered, and so no mail is sent out. If a user loops by adding dots, it doesn't mean the email is registered, and so an error will be raised. I hope it makes sense to you.

Member


A hacker doesn't care if the error is raised. He'll just continue looping through emails, and our resources will get exhausted. And users will still get spammed.

Also, raising an error if the user is not registered is a pretty big security issue; it should be fixed ASAP - #6069

Member Author


@iamareebjamal from what I understood, I should create a function which treats similar emails as the same email. Right?
Also, can you please guide me on which pattern I should consider?

Member


Instead, you should add one more limiter which prevents the same IP from accessing the unprotected resource at a lower rate, like '1/minute'.
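An added example, not code from this PR or from open-event-server, that puts the three points raised in this review thread together in one place: the per-email limit keyed on the submitted address (the PR's `3/hour` key_func), the reviewer's observation that dotted Gmail variants slip past a key built from the raw string, the second per-IP limiter suggested above, and the enumeration concern from #6069 (the endpoint should answer the same way whether or not the address is registered). It uses only the standard library so it runs offline; the sliding-window class stands in for what flask-limiter does behind `limiter.limit(limit, key_func=...)`, and the email normalisation is my addition on top of the reviewer's IP-limiter suggestion, not something the PR does. The `3/hour` and `1/minute` values are taken from the discussion; the registered user set, the 429 body and the class and function names are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Providers that ignore dots in the local part (and '+' suffixes, which most
# mail systems treat as a tag). Extend as needed; this list is an assumption.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def normalize_email(email: str) -> str:
    """Collapse the variants a sender controls into one rate-limit key.

    jamal.areeb@gmail.com, jamalareeb@gmail.com and ja.mal.are.eb+x@Gmail.com
    all map to jamalareeb@gmail.com, so they share one bucket.
    """
    value = email.strip().lower()
    local, sep, domain = value.rpartition("@")
    if not sep:
        return value
    local = local.split("+", 1)[0]            # drop +tag
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")        # dots are not significant
        domain = "gmail.com"                  # googlemail.com is an alias
    return f"{local}@{domain}"


class SlidingWindowLimiter:
    """At most `limit` hits per `window` for each key (flask-limiter style)."""

    def __init__(self, limit: int, window: timedelta):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)       # key -> timestamps of recent hits

    def hit(self, key: str, now: datetime) -> bool:
        """Record a hit for `key`; return False if the limit is already reached."""
        q = self._hits[key]
        cutoff = now - self.window
        while q and q[0] <= cutoff:           # expire hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class PasswordResetService:
    """Two limiters in front of the reset endpoint, checked before any lookup."""

    def __init__(self, registered_users):
        self.registered = {normalize_email(u) for u in registered_users}
        self.per_email = SlidingWindowLimiter(3, timedelta(hours=1))    # '3/hour'
        self.per_ip = SlidingWindowLimiter(1, timedelta(minutes=1))     # '1/minute'
        self.sent = []                        # (email key, when) actually dispatched

    def request_reset(self, email: str, client_ip: str, now: datetime):
        """Return (status, body) as the endpoint would."""
        # Cheapest check first: one host looping over many addresses is
        # stopped here regardless of which addresses it tries.
        if not self.per_ip.hit(client_ip, now):
            return 429, "Limit for this action exceeded"
        key = normalize_email(email)
        if not self.per_email.hit(key, now):
            return 429, "Limit for this action exceeded"
        # Identical response either way, so the endpoint cannot be used to
        # test whether an address is registered (the #6069 concern).
        if key in self.registered:
            self.sent.append((key, now))
        return 200, "If that address is registered, a reset email has been sent"


if __name__ == "__main__":
    # Constructed walk-through of the reviewer's three addresses.
    svc = PasswordResetService(["jamal.areeb@gmail.com"])
    t0 = datetime(2019, 6, 18, 12, 0)
    for i, addr in enumerate(["jamal.areeb@gmail.com", "jamalareeb@gmail.com",
                              "ja.mal.are.eb@gmail.com", "j.amalareeb@gmail.com"]):
        print(addr, "->", svc.request_reset(addr, f"10.0.0.{i}", t0))
```

The fourth dotted variant gets a 429 even though it arrives from a fresh IP, because all four normalise to the same key; the per-IP bucket separately caps how fast a single host can probe, which is what catches a loop over unrelated addresses that normalisation alone cannot. Note that a key_func reading `request.json['data']['email']` should also be defensive about a missing or non-string field, or the limiter itself becomes a way to make the endpoint error out.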

Member Author


@iamareebjamal I've updated the PR. Please review

Contributor

@uds5501 uds5501 left a comment


This looks good!

@iamareebjamal iamareebjamal merged commit 329e586 into fossasia:development Jun 19, 2019
iamareebjamal pushed a commit to iamareebjamal/open-event-server that referenced this pull request Aug 2, 2019
* feat: Implement flask limiter on password-reset route

* adds limiter to limit the request from same IP


Development

Successfully merging this pull request may close these issues.

Limit the number of emails an account can send out in a given timeframe

7 participants