You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This commit was created on GitHub.com and signed with GitHub’s verified signature.
Added
Rate limiting on the last unprotected auth surfaces. The web
password-reset request (reset_password/start), password signup, and the
email/phone code-confirmation endpoints now carry Rails-native rate_limits, closing email-flooding, account-enumeration,
account-creation-spam, and distributed code-guessing gaps. New config keys: rate_limits.password_reset_start_per_ip (10/hr), rate_limits.password_reset_start_per_target (3/15min), and rate_limits.signup_per_ip (10/hr); the confirm endpoints reuse otp_verify_per_ip. All use the existing RateLimitStore + centralized 429
handler.
The passwordless.retry_delay OTP-resend cooldown is now enforced.
Previously the setting existed but did nothing. A resend for the same target
within the window (default 30s) is rejected with an InvalidRequestError;
the already-issued code stays valid. Set retry_delay = 0 to disable.