From 59fa600f2bcd0ef6470e2c7cb9ad2c9ad84a05cc Mon Sep 17 00:00:00 2001
From: KernelDeimos
Date: Sat, 16 Nov 2024 20:04:10 -0500
Subject: [PATCH] dev: edge rate limit for email share
---
 src/backend/src/services/ShareService.js | 5 +++++
 .../src/services/abuse-prevention/EdgeRateLimitService.js | 4 ++++
 2 files changed, 9 insertions(+)
diff --git a/src/backend/src/services/ShareService.js b/src/backend/src/services/ShareService.js
index 8c25108d..e3754648 100644
--- a/src/backend/src/services/ShareService.js
+++ b/src/backend/src/services/ShareService.js
@@ -266,6 +266,11 @@ class ShareService extends BaseService {
 // featureflag({ feature: 'share' }),
 ],
 handler: async (req, res) => {
+ const svc_edgeRateLimit = req.services.get('edge-rate-limit');
+ if ( ! svc_edgeRateLimit.check('verify-pass-recovery-token') ) {
+ return res.status(429).send('Too many requests.');
+ }
+
 const actor = Actor.adapt(req.user);
 if ( ! (actor.type instanceof UserActorType) ) {
 throw APIError.create('forbidden');
diff --git a/src/backend/src/services/abuse-prevention/EdgeRateLimitService.js b/src/backend/src/services/abuse-prevention/EdgeRateLimitService.js
index 3d996397..2cbcde0c 100644
--- a/src/backend/src/services/abuse-prevention/EdgeRateLimitService.js
+++ b/src/backend/src/services/abuse-prevention/EdgeRateLimitService.js
@@ -44,6 +44,10 @@ class EdgeRateLimitService extends BaseService {
 limit: 10,
 window: 15 * MINUTE,
 },
+ ['share']: {
+ limit: 30,
+ window: 1 * MINUTE,
+ },
 ['send-confirm-email']: {
 limit: 10,
 window: HOUR,
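Review bot: The key passed to `check()` in the new guard of the share handler is `'verify-pass-recovery-token'`, which does not match the `['share']` bucket this same commit adds to EdgeRateLimitService, so the 30-per-minute share limit is never applied and the share endpoint instead draws down the password-recovery bucket; the guard should read `if ( ! svc_edgeRateLimit.check('share') ) {`. How `check()` scopes its counter (per client address or globally) is not visible here; if it is global, an abuser hammering the share endpoint could exhaust the shared bucket and lock legitimate users out of password-recovery verification, which makes the wrong key a denial-of-service concern rather than just a misconfiguration. Note also that the new branch answers with a bare `res.status(429).send(...)` while the lines just below use `APIError.create(...)`; if an APIError variant for rate limiting exists, using it would keep the handler's error shape consistent. The handler's body continues past the end of the hunk.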