Skip to content

v0.28.0

Choose a tag to compare

@github-actions github-actions released this 12 Jul 13:01
989f978

Added

  • Rate limiting on the last unprotected auth surfaces. The web
    password-reset request (reset_password/start), password signup, and the
    email/phone code-confirmation endpoints now carry Rails-native
    rate_limits, closing email-flooding, account-enumeration,
    account-creation-spam, and distributed code-guessing gaps. New config keys:
    rate_limits.password_reset_start_per_ip (10/hr),
    rate_limits.password_reset_start_per_target (3/15min), and
    rate_limits.signup_per_ip (10/hr); the confirm endpoints reuse
    otp_verify_per_ip. All use the existing RateLimitStore + centralized 429
    handler.
  • The passwordless.retry_delay OTP-resend cooldown is now enforced.
    Previously the setting existed but did nothing. A resend for the same target
    within the window (default 30s) is rejected with an InvalidRequestError;
    the already-issued code stays valid. Set retry_delay = 0 to disable.