core: add strict register rate limit (#663)

packages/hydrooj/src/handler/user.ts

@@ -243,6 +243,7 @@ export class UserRegisterHandler extends Handler {
             const mailDomain = mail.split('@')[1];
             if (await BlackListModel.get(`mail::${mailDomain}`)) throw new BlacklistedError(mailDomain);
             await Promise.all([
+                this.limitRate(`send_mail_${mail}`, 60, 3, false),
                 this.limitRate('send_mail', 3600, 30, false),
                 oplog.log(this, 'user.register', {}),
             ]);
@@ -265,7 +266,11 @@ export class UserRegisterHandler extends Handler {
             } else this.response.redirect = this.url('user_register_with_code', { code: t[0] });
         } else if (phoneNumber) {
             if (!global.Hydro.lib.sendSms) throw new SystemError('Cannot send sms');
-            await this.limitRate('send_sms', 60, 3);
+            await Promise.all([
+                this.limitRate(`send_sms_${phoneNumber}`, 60, 1, false),
+                this.limitRate('send_sms', 3600, 15, false),
+                oplog.log(this, 'user.register', {}),
+            ]);
             const id = String.random(6, '0123456789');
             await token.add(
                 token.TYPE_REGISTRATION,
@@ -334,7 +339,7 @@ class UserLostPassHandler extends Handler {
         if (!udoc) throw new UserNotFoundError(mail);
         await Promise.all([
             this.limitRate('send_mail', 3600, 30, false),
-            this.limitRate(`user_lostpass_${mail}`, 60, 5, false),
+            this.limitRate(`user_lostpass_${mail}`, 60, 3, false),
             oplog.log(this, 'user.lostpass', {}),
         ]);
         const [tid] = await token.add(