From f905c10acca614f3340f1a1787062f021d83be16 Mon Sep 17 00:00:00 2001
From: Chirag Aggarwal
Date: Tue, 6 May 2025 07:18:23 +0000
Subject: [PATCH] chore: add harden create email token endpoint

---
 app/controllers/api/account.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index 1ffae4b25a..3169870d9c 100644
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@@ -2100,7 +2100,7 @@ App::post('/v1/account/tokens/email')
         contentType: ContentType::JSON,
     ))
     ->label('abuse-limit', 10)
-    ->label('abuse-key', 'url:{url},email:{param-email}')
+    ->label('abuse-key', ['url:{url},email:{param-email}', 'url:{url},ip:{ip}'])
     ->param('userId', '', new CustomId(), 'User ID. Choose a custom ID or generate a random ID with `ID.unique()`. Valid chars are a-z, A-Z, 0-9, period, hyphen, and underscore. Can\'t start with a special char. Max length is 36 chars.')
     ->param('email', '', new Email(), 'User email.')
     ->param('phrase', false, new Boolean(), 'Toggle for security phrase. If enabled, email will be send with a randomly generated phrase and the phrase will also be included in the response. Confirming phrases match increases the security of your authentication flow.', true)
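Review bot: The added `->label('abuse-key', [...])` line puts the new `url:{url},ip:{ip}` key under the same `->label('abuse-limit', 10)` that was tuned for the per-email key, so if the abuse middleware applies that single limit to each key independently, ten email-token requests from one shared egress address (NAT, office, carrier) within the window block every user behind it, while the window itself is set outside this hunk. Please confirm the limit is acceptable for a per-source key on a login-adjacent endpoint, and that `{ip}` resolves to the real client address rather than a reverse proxy's, since a proxy address would collapse all traffic into one bucket. A short comment above the label would help the next reader, e.g. `// Two abuse keys: the email key caps tokens per target address, the IP key caps tokens per source so one host cannot probe many addresses.` The sibling token endpoints (phone and magic URL) are not in this patch; if they still carry only the per-target key, the same hardening belongs there for consistency. The enclosing `App::post('/v1/account/tokens/email')` chain starts before and continues past this hunk.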