
Possible Security Issue: Lack of Rate-Limit in reset_password endpoint can lead to DOS #701

Open
Ashrith-Shetty opened this issue Nov 9, 2022 · 1 comment

@Ashrith-Shetty

Thank you for the great application.

While testing the reset_password endpoint, I found that, due to the lack of rate limiting, it can be misused to DoS and email-bomb a genuine user.

Is there any way we can mitigate this?

Thanks


s7m4b4 commented Nov 22, 2022

I was thinking about this too. A potential workaround is to override the reset_password action and leverage DRF's throttling library (https://www.django-rest-framework.org/api-guide/throttling/) e.g.

users/views.py

```python
from djoser.views import UserViewSet as DjoserUserViewSet
from rest_framework.decorators import action
from rest_framework.throttling import ScopedRateThrottle


class UserViewSet(DjoserUserViewSet):
    # required as there's no way to set a throttle scope for actions;
    # ScopedRateThrottle reads view.throttle_scope when it builds its cache key
    def get_throttles(self):
        if self.action in ["reset_password"]:
            self.throttle_scope = "reset_password"
        return super().get_throttles()

    # re-declare the action so throttle_classes applies only to this endpoint
    @action(
        ["post"],
        detail=False,
        throttle_classes=[ScopedRateThrottle],
    )
    def reset_password(self, request, *args, **kwargs):
        return super().reset_password(request, *args, **kwargs)
```

settings.py

```python
REST_FRAMEWORK = {
   ...
    # rate for the "reset_password" scope set in get_throttles() above
    "DEFAULT_THROTTLE_RATES": {"reset_password": "1/hour"},
   ...
}
```

It would be great if we could just set a throttle limit per endpoint through Djoser's settings though.
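To show what the scoped throttle in the comment above actually does to a burst of reset requests, here is an added, dependency-free example (not part of the issue, Djoser or DRF): it re-implements the DRF rate-string parsing and the sliding-window check of SimpleRateThrottle/ScopedRateThrottle in plain Python, and runs a constructed burst from one client IP against the "1/hour" rate. The class and function names and the 203.0.113.7 address are assumptions for the demo.

```python
import time

# DRF-style rate strings: "<num>/<period>", period may be s, m, h, d
# (DRF only looks at the first letter, so "min", "hour", "day" all work)
_PERIOD_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_rate(rate):
    """Turn "1/hour" into (1, 3600), mirroring DRF's SimpleRateThrottle.parse_rate."""
    num, period = rate.split("/")
    return int(num), _PERIOD_SECONDS[period[0]]


class ScopedThrottle:
    """Sliding-window throttle keyed by (scope, client), like DRF's ScopedRateThrottle.
    Only scopes present in `rates` are limited; any other action passes through."""

    def __init__(self, rates, clock=time.time):
        self.rates = {scope: parse_rate(r) for scope, r in rates.items()}
        self.history = {}  # (scope, client) -> request timestamps, newest first
        self.clock = clock

    def allow_request(self, scope, client):
        if scope not in self.rates:  # unthrottled action (e.g. "me")
            return True
        num_requests, duration = self.rates[scope]
        now = self.clock()
        hist = self.history.setdefault((scope, client), [])
        while hist and hist[-1] <= now - duration:  # forget expired window
            hist.pop()
        if len(hist) >= num_requests:
            return False  # DRF would answer HTTP 429 here
        hist.insert(0, now)
        return True


def simulate_reset_burst(attempts, rate="1/hour"):
    """Constructed scenario: one client fires `attempts` reset_password requests,
    one second apart. Returns (accepted, rejected) counts."""
    fake_now = [1_000_000.0]
    throttle = ScopedThrottle({"reset_password": rate}, clock=lambda: fake_now[0])
    accepted = rejected = 0
    for _ in range(attempts):
        if throttle.allow_request("reset_password", "203.0.113.7"):
            accepted += 1
        else:
            rejected += 1
        fake_now[0] += 1.0
    return accepted, rejected
```

With the issue's "1/hour" rate only the first of a burst of reset requests reaches the mailer; the remainder are rejected until the window expires.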
