From 659bd9f4aa3696159b200bd8486339526820e152 Mon Sep 17 00:00:00 2001
From: panda
Date: Fri, 29 Sep 2023 19:39:07 +0800
Subject: [PATCH] core: add strict register rate limit (#663)
---
 packages/hydrooj/src/handler/user.ts | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/packages/hydrooj/src/handler/user.ts b/packages/hydrooj/src/handler/user.ts
index 2cd18f6a..9603141f 100644
--- a/packages/hydrooj/src/handler/user.ts
+++ b/packages/hydrooj/src/handler/user.ts
@@ -243,6 +243,7 @@ export class UserRegisterHandler extends Handler {
 const mailDomain = mail.split('@')[1];
 if (await BlackListModel.get(`mail::${mailDomain}`)) throw new BlacklistedError(mailDomain);
 await Promise.all([
+ this.limitRate(`send_mail_${mail}`, 60, 3, false),
 this.limitRate('send_mail', 3600, 30, false),
 oplog.log(this, 'user.register', {}),
 ]);
@@ -265,7 +266,11 @@ export class UserRegisterHandler extends Handler {
 } else this.response.redirect = this.url('user_register_with_code', { code: t[0] });
 } else if (phoneNumber) {
 if (!global.Hydro.lib.sendSms) throw new SystemError('Cannot send sms');
- await this.limitRate('send_sms', 60, 3);
+ await Promise.all([
+ this.limitRate(`send_sms_${phoneNumber}`, 60, 1, false),
+ this.limitRate('send_sms', 3600, 15, false),
+ oplog.log(this, 'user.register', {}),
+ ]);
 const id = String.random(6, '0123456789');
 await token.add(
 token.TYPE_REGISTRATION,
@@ -334,7 +339,7 @@ class UserLostPassHandler extends Handler {
 if (!udoc) throw new UserNotFoundError(mail);
 await Promise.all([
 this.limitRate('send_mail', 3600, 30, false),
- this.limitRate(`user_lostpass_${mail}`, 60, 5, false),
+ this.limitRate(`user_lostpass_${mail}`, 60, 3, false),
 oplog.log(this, 'user.lostpass', {}),
 ]);
 const [tid] = await token.add(
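Review bot: The new per-address bucket `send_mail_${mail}` on the added line of the first hunk is keyed on the submitted address string as-is, so whether two spellings of one mailbox share a bucket depends on normalization (trimming, lowercasing) done earlier in the handler, which is outside the hunk and not visible here; if none exists, key on a normalized form and state that choice in a comment beside the call, e.g. `// keyed on the normalized address so case variants share one bucket`. The window/count literals `60, 3` now appear in this hunk and again in the user_lostpass hunk, and `60, 1` / `3600, 15` in the SMS hunk, so the intended policy is spread across three call sites; a small set of named constants near the top of the file would make it reviewable in one place. The enclosing handler method starts and ends outside the hunk.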
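Review bot: Replacing the removed `this.limitRate('send_sms', 60, 3)` with a 15-per-3600 s bucket drops the short-window cap on the shared SMS budget: the hourly cap becomes the only global brake, and a burst that the old line rejected at the fourth message within a minute now passes as long as each message goes to a different number. If the burst cap was meant to survive the change, keep both windows, e.g. add `this.limitRate('send_sms', 60, 3, false),` next to the hourly entry inside the new Promise.all. The per-number key `send_sms_${phoneNumber}` likewise uses the submitted string unchanged, so differently formatted forms of one number may land in separate buckets unless it is normalized before this point, which is outside the hunk. Both channels now log the same `'user.register'` op with an empty payload, so the oplog cannot tell mail from SMS registrations; passing a channel marker in the third argument would help later forensics, if oplog.log accepts extra fields there.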