
feat(auth): add email-scoped report-only rate limits for passwordless #20336

Merged
vbudhram merged 1 commit into main from fxa-13331 on Apr 8, 2026
Conversation

@vbudhram (Contributor) commented Apr 8, 2026

Because

  • We want to have more rate limits for passwordless flow

This pull request

  • Adds passwordlessVerifyOtp email-scoped rule: 10 attempts per 10 minutes, 30 minute cooldown, report-only
  • Adds passwordlessVerifyOtpPerDay email-scoped rule: 20 attempts per 24 hours, 24 hour cooldown, report-only
  • Both rules in rate-limit-rules.txt sit alongside the existing ip_email block rules and ip ban rules

Issue that this pull request solves

Closes: https://mozilla-hub.atlassian.net/browse/FXA-13331

Checklist

  • My commit is GPG signed.
  • If applicable, I have modified or added tests which pass locally.
  • I have added necessary documentation (if appropriate).
  • I have verified that my changes render correctly in RTL (if appropriate).
  • I have manually reviewed all AI generated code.

… OTP verify

Because:
* 6-digit OTP codes are vulnerable to distributed brute-force without
  email-scoped limits
* We need production data on per-email verification volume before
  switching from report to block mode

This commit:
* Add passwordlessVerifyOtp email-scoped rule (10 per 10min, report)
* Add passwordlessVerifyOtpPerDay email-scoped rule (20 per 24h, report)

Closes #FXA-13331
@vbudhram vbudhram requested a review from a team as a code owner April 8, 2026 17:30
Copilot AI review requested due to automatic review settings April 8, 2026 17:30
@vbudhram vbudhram self-assigned this Apr 8, 2026
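To make the two rules in the PR description concrete, here is an added example of an email-scoped, sliding-window limiter with a report-only mode. It is illustration written for this page, not FxA's customs v2 code and not the contents of rate-limit-rules.txt (whose syntax this page does not show). The rule field names (`scope`, `max`, `windowMs`, `cooldownMs`, `action`), the `RateLimiter` class, the IP-scoped `verifyOtpPerIp` rule standing in for the existing ip rules, and the sample email and addresses are all assumptions. It shows the point behind the change: a guesser who spreads attempts across many source IPs never trips a per-IP limit, while a per-email limit counts every attempt against the one mailbox under attack, and in report mode it only records that fact without denying the request.

```javascript
// Added example (not FxA's customs v2 code): an email-scoped, report-only
// rate limiter in the shape the PR describes. Rule field names, the IP rule,
// and the RateLimiter class are assumptions made for illustration.
const SEC = 1000;
const MIN = 60 * SEC;
const HOUR = 60 * MIN;
const T0 = Date.UTC(2026, 3, 8, 17, 30); // constructed start time

// The two rules from the PR description. "report" mode records a hit but
// never denies the request; "block" mode denies it.
const RULES = [
  { name: 'passwordlessVerifyOtp', scope: 'email', max: 10, windowMs: 10 * MIN, cooldownMs: 30 * MIN, action: 'report' },
  { name: 'passwordlessVerifyOtpPerDay', scope: 'email', max: 20, windowMs: 24 * HOUR, cooldownMs: 24 * HOUR, action: 'report' },
];
// Assumed IP-scoped blocking rule, standing in for the existing ip rules the
// PR says these sit alongside; the numbers are illustrative only.
const IP_RULE = { name: 'verifyOtpPerIp', scope: 'ip', max: 5, windowMs: 10 * MIN, cooldownMs: 30 * MIN, action: 'block' };

class RateLimiter {
  constructor(rules) {
    this.rules = rules;
    this.hits = new Map();   // key -> timestamps inside the sliding window
    this.blocks = new Map(); // key -> time at which the cooldown ends
  }

  key(rule, ctx) { return `${rule.name}:${rule.scope}:${ctx[rule.scope]}`; }

  // Evaluate one verification attempt at time `now` (ms). Returns whether the
  // request may proceed and which report-only rules it tripped. A rule trips
  // when more than `max` hits land inside `windowMs`, and stays tripped for
  // `cooldownMs` after that.
  check(ctx, now) {
    const result = { allowed: true, report: [] };
    for (const rule of this.rules) {
      const k = this.key(rule, ctx);
      let tripped = false;
      const until = this.blocks.get(k);
      if (until !== undefined && now < until) {
        tripped = true; // still inside the cooldown from an earlier trip
      } else {
        // Sliding window: keep hits younger than windowMs, then add this one.
        const recent = (this.hits.get(k) || []).filter(t => now - t < rule.windowMs);
        recent.push(now);
        this.hits.set(k, recent);
        if (recent.length > rule.max) {
          tripped = true;
          this.blocks.set(k, now + rule.cooldownMs);
        }
      }
      if (!tripped) continue;
      if (rule.action === 'block') result.allowed = false;
      else result.report.push(rule.name); // report-only: observe, don't enforce
    }
    return result;
  }
}

// Drive `n` attempts against one victim email, `spacingMs` apart. With
// rotateIp the attacker uses a fresh source address per attempt, which is the
// distributed case an IP-only limit cannot see.
function simulate({ n, spacingMs, rotateIp }) {
  const limiter = new RateLimiter([...RULES, IP_RULE]);
  const email = 'victim@example.com'; // constructed
  const results = [];
  for (let i = 0; i < n; i++) {
    const ip = rotateIp ? `203.0.113.${(i % 250) + 1}` : '203.0.113.1';
    results.push(limiter.check({ email, ip }, T0 + i * spacingMs));
  }
  return results;
}

// Usage: a burst from rotating IPs trips only the email-scoped rule on the
// 11th attempt, and because it is report-only every attempt is still allowed.
const burst = simulate({ n: 12, spacingMs: SEC, rotateIp: true });
console.log(burst.map((r, i) => `${i + 1}: allowed=${r.allowed} report=[${r.report}]`).join('\n'));
```

The second rule exists for the slow variant: attempts spaced more than ten minutes apart never accumulate in the short window, so only the 24-hour rule catches a guesser who paces a 6-digit code search over a day. Cooldown also matters for the report data: once tripped, every further attempt during the cooldown is reported, so the count of reported events reflects sustained pressure on one mailbox rather than a single spike.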
Copilot AI left a comment


Pull request overview

This PR expands the FxA auth-server’s Customs v2 rate-limit configuration to add email-scoped, report-only monitoring for passwordless OTP verification attempts, enabling better visibility into abuse patterns without changing enforcement behavior.

Changes:

  • Add a report-only email rule for passwordlessVerifyOtp (10 attempts / 10 minutes, 30 minute cooldown).
  • Add a report-only email rule for passwordlessVerifyOtpPerDay (20 attempts / 24 hours, 24 hour cooldown).


@vbudhram vbudhram merged commit f66ae67 into main Apr 8, 2026
25 checks passed
@vbudhram vbudhram deleted the fxa-13331 branch April 8, 2026 17:59

3 participants