
Implement throttling for communication end points like OTP tokens, reset and verify account sequences #75

@devraj

Description


Is your feature request related to a problem? Please describe.
At the moment the API could be repeatedly hit to send OTP tokens and kick off the verify and reset account sequences, which also send emails.

While we can use web application firewalls to mitigate risk, we should have logic in the application that assists in preventing the abuse of these endpoints.

Describe the solution you'd like
The first and foremost will be never to originate sequences if they are inappropriate, e.g.:

  • Ignore the verification sequence if the account is verified
  • Abort execution of a handler as soon as possible, e.g. user not found

If the request is legitimate, especially for something like reset password or OTP tokens, implement a shifting time window that prevents the caller from repeatedly calling the endpoints.

E.g.: allow 2 subsequent calls within a short period of time; upon that, start moving the time window to every 30 seconds and eventually make it reject the request for a very long period of time.

The above will be different per operation, so we need to make recommendations that are secure without hampering the user experience of the application.

Describe alternatives you've considered
NA

Additional context
NA
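The escalating window described in this issue (burst, then a 30-second gap, then a long rejection), as an added example that is not code from this project; the policy numbers, the key format `operation:target` and the in-memory store are assumptions for illustration.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

@dataclass
class ThrottlePolicy:
    """Per-operation limits; tune separately for OTP, reset and verify (values assumed)."""
    burst: int = 2            # calls accepted back-to-back
    cooldown: float = 30.0    # min seconds between accepted calls once the burst is spent
    window: float = 300.0     # seconds over which attempts are counted
    max_attempts: int = 5     # attempts (accepted or not) inside the window before lockout
    lockout: float = 3600.0   # seconds during which every call is rejected

@dataclass
class _State:
    attempts: List[float] = field(default_factory=list)   # every call in the window
    accepted: List[float] = field(default_factory=list)   # calls that were let through
    locked_until: float = 0.0

class EscalatingThrottle:
    """Escalating throttle: burst -> cooldown -> lockout. Keys combine operation and
    target, e.g. "otp:<account id>", so one endpoint cannot drain another's budget.
    Single-process store; put a shared store behind it when running several workers."""
    def __init__(self, policy: ThrottlePolicy, clock: Callable[[], float] = time.monotonic):
        self.policy, self.clock = policy, clock
        self._state: Dict[str, _State] = {}

    def check(self, key: str) -> Tuple[bool, float]:
        """Return (allowed, retry_after_seconds); call before doing work or sending mail."""
        p, now = self.policy, self.clock()
        st = self._state.setdefault(key, _State())
        if now < st.locked_until:                     # still in the long rejection period
            return False, st.locked_until - now
        st.attempts = [t for t in st.attempts if now - t < p.window]
        st.accepted = [t for t in st.accepted if now - t < p.window]
        st.attempts.append(now)
        if len(st.attempts) > p.max_attempts:         # hammering: escalate to lockout
            st.locked_until = now + p.lockout
            st.attempts.clear(); st.accepted.clear()
            return False, p.lockout
        if len(st.accepted) < p.burst or now - st.accepted[-1] >= p.cooldown:
            st.accepted.append(now)                   # inside the burst, or cooldown elapsed
            return True, 0.0
        return False, p.cooldown - (now - st.accepted[-1])

class FakeClock:  # settable clock so the throttle can be exercised without sleeping
    def __init__(self) -> None: self.now = 0.0
    def __call__(self) -> float: return self.now
```

A handler would call `check("otp:" + account_id)` first and return the `retry_after` value to the client (for example as a 429 response) instead of sending anything.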
