PostHog · benjackwhite · Mar 19, 2024 · Mar 19, 2024 · Mar 19, 2024 · Mar 19, 2024
diff --git a/posthog/api/authentication.py b/posthog/api/authentication.py
@@ -22,7 +22,6 @@
 from rest_framework.exceptions import APIException
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.throttling import UserRateThrottle
 from sentry_sdk import capture_exception
 from social_django.views import auth
 from two_factor.utils import default_device
@@ -33,15 +32,16 @@
 )
 
 from posthog.api.email_verification import EmailVerifier
+from posthog.api.services.unauthenticated_rate_limiter import UserOrEmailRateThrottle
 from posthog.email import is_email_available
 from posthog.event_usage import report_user_logged_in, report_user_password_reset
 from posthog.models import OrganizationDomain, User
 from posthog.tasks.email import send_password_reset
 from posthog.utils import get_instance_available_sso_providers
 
 
-class UserPasswordResetThrottle(UserRateThrottle):
-    rate = "6/day"
+class UserPasswordResetThrottle(UserOrEmailRateThrottle):
+    rate = "6/hour"
 
 
 @csrf_protect
@@ -190,6 +190,7 @@ class LoginViewSet(NonCreatingViewSetMixin, viewsets.GenericViewSet):
     queryset = User.objects.none()
     serializer_class = LoginSerializer
     permission_classes = (permissions.AllowAny,)
+    # NOTE: Throttling is handled by the `axes` package
 
 
 class TwoFactorSerializer(serializers.Serializer):

diff --git a/posthog/api/services/unauthenticated_rate_limiter.py b/posthog/api/services/unauthenticated_rate_limiter.py
@@ -0,0 +1,22 @@
+import hashlib
+from rest_framework.throttling import SimpleRateThrottle
+
+
+class UserOrEmailRateThrottle(SimpleRateThrottle):
+    """
+    Typically throttling is on the user or the IP address.
+    For unauthenticated signup/login requests we want to throttle on the email address.
+    """
+
+    scope = "user"
+
+    def get_cache_key(self, request, view):
+        if request.user and request.user.is_authenticated:
+            ident = request.user.pk
+        else:
+            # For unauthenticated requests, we want to throttle on something unique to the user they are trying to work with
+            # This could be email for example when logging in or uuid when verifying email
+            ident = request.data.get("email") or request.data.get("uuid") or self.get_ident(request)
+            ident = hashlib.sha256(ident.encode()).hexdigest()
+
+        return self.cache_format % {"scope": self.scope, "ident": ident}
diff --git a/posthog/api/test/test_authentication.py b/posthog/api/test/test_authentication.py
@@ -434,6 +434,23 @@ def test_cant_reset_more_than_six_times(self):
         # Three emails should be sent, fourth should not
         self.assertEqual(len(mail.outbox), 6)
 
+    def test_is_rate_limited_on_email_not_ip(self):
+        set_instance_setting("EMAIL_HOST", "localhost")
+
+        for email in ["[email protected]", "[email protected]"]:
+            for i in range(7):
+                with self.settings(CELERY_TASK_ALWAYS_EAGER=True, SITE_URL="https://my.posthog.net"):
+                    response = self.client.post("/api/reset/", {"email": email})
+                if i < 6:
+                    self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
+                else:
+                    # Fourth request should fail
+                    self.assertEqual(response.status_code, status.HTTP_429_TOO_MANY_REQUESTS)
+                    self.assertDictContainsSubset(
+                        {"attr": None, "code": "throttled", "type": "throttled_error"},
+                        response.json(),
+                    )
+
     # Token validation
 
     def test_can_validate_token(self):

diff --git a/posthog/api/user.py b/posthog/api/user.py
@@ -23,7 +23,7 @@
 from rest_framework.exceptions import NotFound
 from rest_framework.permissions import IsAuthenticated, AllowAny
 from rest_framework.response import Response
-from rest_framework.throttling import UserRateThrottle
+
 from two_factor.forms import TOTPDeviceForm
 from two_factor.utils import default_device
 
@@ -33,6 +33,7 @@
 from posthog.api.decide import hostname_in_allowed_url_list
 from posthog.api.email_verification import EmailVerifier
 from posthog.api.organization import OrganizationSerializer
+from posthog.api.services.unauthenticated_rate_limiter import UserOrEmailRateThrottle
 from posthog.api.shared import OrganizationBasicSerializer, TeamBasicSerializer
 from posthog.api.utils import raise_if_user_provided_url_unsafe
 from posthog.auth import PersonalAPIKeyAuthentication, SessionAuthentication, authenticate_secondarily
@@ -53,7 +54,7 @@
 from posthog.constants import PERMITTED_FORUM_DOMAINS
 
 
-class UserAuthenticationThrottle(UserRateThrottle):
+class UserAuthenticationThrottle(UserOrEmailRateThrottle):
     rate = "5/minute"
 
     def allow_request(self, request, view):
@@ -63,7 +64,7 @@ def allow_request(self, request, view):
         return super().allow_request(request, view)
 
 
-class UserEmailVerificationThrottle(UserRateThrottle):
+class UserEmailVerificationThrottle(UserOrEmailRateThrottle):
     rate = "6/day"