Merge branch 'main' of https://github.com/HeyPuter/puter into main

shox92 · Apr 27, 2024 · 219cc94 · 219cc94
2 parents bfa6419 + d7d6ff0
commit 219cc94
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 1 deletion.
diff --git a/packages/backend/src/routers/change_email.js b/packages/backend/src/routers/change_email.js
@@ -79,6 +79,11 @@ const CHANGE_EMAIL_START = eggspress('/change_email/start', {
         confirm_url: `${config.origin}/change_email/confirm?token=${jwt_token}`,
         username: user.username,
     });
+    const old_email = user.email;
+    // TODO: NotificationService
+    await svc_email.send_email({ email: old_email }, 'email_change_notification', {
+        new_email: new_email,
+    });
 
     // update user
     await db.write(

diff --git a/packages/backend/src/routers/change_username.js b/packages/backend/src/routers/change_username.js
@@ -54,6 +54,11 @@ module.exports = eggspress('/change_username', {
     if(await username_exists(req.body.new_username))
         throw APIError.create('username_already_in_use', null, { username: req.body.new_username });
 
+    const svc_edgeRateLimit = req.services.get('edge-rate-limit');
+    if ( ! svc_edgeRateLimit.check('change-email-start') ) {
+        return res.status(429).send('Too many requests.');
+    }
+
     const db = Context.get('services').get('database').get(DB_WRITE, 'auth');
 
     // Has the user already changed their username twice this month?

diff --git a/packages/backend/src/services/EmailService.js b/packages/backend/src/services/EmailService.js
@@ -63,6 +63,17 @@ We received a request to link this email to the user "{{username}}" on Puter. If
 
 <p>
 <a href="{{confirm_url}}">Confirm email change</a>
+</p>
+                `,
+            },
+            'email_change_notification': {
+                subject: '\u{1f4dd} Notification of email change',
+                html: `
+<p>Hi there,</p>
+<p>
+We're sending an email to let you know about a change to your account.
+We have sent a confirmation to "{{new_email}}" to confirm an email change request.
+If this was not you, please contact [email protected] immediately.
 </p>
                 `,
             },

diff --git a/packages/backend/src/services/abuse-prevention/EdgeRateLimitService.js b/packages/backend/src/services/abuse-prevention/EdgeRateLimitService.js
@@ -8,7 +8,7 @@ class EdgeRateLimitService extends BaseService {
     _construct () {
         this.scopes = {
             ['login']: {
-                limit: 3,
+                limit: 10,
                 window: 15 * MINUTE,
             },
             ['signup']: {