[SMS API] "Rate Limit" and "max_attempts" is not working once captcha is submitted.

[abhisheksahnii]

• https://self-service-password.readthedocs.io/en/latest/config_sms.html#token
• https://self-service-password.readthedocs.io/en/latest/config_rate_limit.html

I am using SMS service to reset the passwords using SMS API and able to receive the reset tokens successfully.

ISSUE:
I tried to limit the number of tries a user can use the SMS option to reset their password following above-mentioned links, the User is still able to get an unlimited number of tokens by just refreshing the SMS Token submit page.

ltb_configuration.txt

This may be a bug

[coudot]

Maybe linked to #736

[coudot]

We will see that with @armfem

[coudot]

We indeed still reproduce the bug

A solution would be to create a form token in the first screen, in a hidden field, then invalidate this token before sending the SMS. In this case a refresh would not resend the SMS as the form token won't be accepted again.

We need to implement this and be sure it does not cause regression.

Targeting for a further release

[davidcoutadeur]

When working on this issue, don't forget to pull the captcha refactoring work done in #894 (pushed on master)