From 9febb06052b388ca99672b0ee75c2ff3ae62f11a Mon Sep 17 00:00:00 2001
From: Steven Nguyen <1477010+stnguyen90@users.noreply.github.com>
Date: Mon, 9 Sep 2024 14:10:58 +0000
Subject: [PATCH] fix: update abuse-key for mfa challenge endpoints

Because the key was not specific enough, when one user triggered the rate limit, all users were affected.
---
 app/controllers/api/account.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index 17f3af4364..737bd3e09d 100644
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@@ -4018,7 +4018,7 @@ App::post('/v1/account/mfa/challenge')
 ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
 ->label('sdk.response.model', Response::MODEL_MFA_CHALLENGE)
 ->label('abuse-limit', 10)
- ->label('abuse-key', 'url:{url},token:{param-token}')
+ ->label('abuse-key', 'url:{url},userId:{userId}')
 ->param('factor', '', new WhiteList([Type::EMAIL, Type::PHONE, Type::TOTP, Type::RECOVERY_CODE]), 'Factor used for verification. Must be one of following: `' . Type::EMAIL . '`, `' . Type::PHONE . '`, `' . Type::TOTP . '`, `' . Type::RECOVERY_CODE . '`.')
 ->inject('response')
 ->inject('dbForProject')
@@ -4205,7 +4205,7 @@ App::put('/v1/account/mfa/challenge')
 ->label('sdk.response.code', Response::STATUS_CODE_NOCONTENT)
 ->label('sdk.response.model', Response::MODEL_SESSION)
 ->label('abuse-limit', 10)
- ->label('abuse-key', 'userId:{param-userId}')
+ ->label('abuse-key', 'url:{url},challengeId:{param-challengeId}')
 ->param('challengeId', '', new Text(256), 'ID of the challenge.')
 ->param('otp', '', new Text(256), 'Valid verification token.')
 ->inject('project')
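Review bot: The new key `url:{url},userId:{userId}` only isolates users if `{userId}` is actually populated on this route; an empty placeholder collapses every caller into one shared bucket, which is exactly the failure the old `token:{param-token}` key had, since this endpoint declares no `token` param and that segment was always empty. If `{userId}` here is resolved from the session user rather than from a request parameter — which I would expect for an account route, but the hunk does not show it — a short comment on the label would save the next reader from re-deriving that: `// Keyed per session user: the client cannot choose this value, so one user's limit cannot lock out others`. The `App::post('/v1/account/mfa/challenge')` chain starts at the hunk header and continues past the hunk.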
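Review bot: Keying the OTP verification limit on `challengeId:{param-challengeId}` ties the bucket to a value the client supplies, so the guess budget becomes 10 attempts per challenge rather than 10 per user, and for a factor whose code does not change between challenges (TOTP within one time step) the effective allowance is multiplied by however many challenges the POST endpoint's own limit lets the same user create. The old key `userId:{param-userId}` was effectively a shared bucket because this route declares no `userId` param, so the change is an improvement, but I would key on the session user to match the POST hunk: `->label('abuse-key', 'url:{url},userId:{userId}')` — assuming `{userId}` resolves to the session user here as it appears to in the first hunk. The `App::put('/v1/account/mfa/challenge')` chain begins at the hunk header and continues past the hunk.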