🔒 Add rate limiter on email signin endpoint

apps/builder/package.json

@@ -49,6 +49,8 @@
     "@uiw/codemirror-theme-github": "^4.20.2",
     "@uiw/codemirror-theme-tokyo-night": "^4.20.2",
     "@uiw/react-codemirror": "^4.20.2",
+    "@upstash/ratelimit": "^0.4.3",
+    "@upstash/redis": "^1.21.0",
     "@use-gesture/react": "^10.2.27",
     "aws-sdk": "2.1384.0",
     "browser-image-compression": "2.0.2",

apps/builder/src/features/auth/components/SignInForm.tsx

@@ -72,17 +72,24 @@ export const SignInForm = ({
     e.preventDefault()
     if (isMagicLinkSent) return
     setAuthLoading(true)
-    const response = await signIn('email', {
-      email: emailValue,
-      redirect: false,
-    })
-    if (response?.error) {
+    try {
+      const response = await signIn('email', {
+        email: emailValue,
+        redirect: false,
+      })
+      if (response?.error) {
+        showToast({
+          title: scopedT('signinErrorToast.title'),
+          description: scopedT('signinErrorToast.description'),
+        })
+      } else {
+        setIsMagicLinkSent(true)
+      }
+    } catch {
       showToast({
-        title: scopedT('signinErrorToast.title'),
-        description: scopedT('signinErrorToast.description'),
+        status: 'info',
+        description: scopedT('signinErrorToast.tooManyRequests'),
       })
-    } else {
-      setIsMagicLinkSent(true)
     }
     setAuthLoading(false)
   }

apps/builder/src/locales/de.ts

@@ -85,6 +85,8 @@ export default {
   'auth.error.unknown': 'Ein Fehler ist aufgetreten. Bitte versuche es erneut.',
   'auth.signinErrorToast.title': 'Nicht autorisiert',
   'auth.signinErrorToast.description': 'Anmeldungen sind deaktiviert.',
+  'auth.signinErrorToast.tooManyRequests':
+    'Zu viele Anfragen. Versuche es später erneut.',
   'auth.noProvider.preLink': 'Du musst',
   'auth.noProvider.link':
     'mindestens einen Authentifizierungsanbieter konfigurieren (E-Mail, Google, GitHub, Facebook oder Azure AD).',
@@ -111,12 +113,10 @@ export default {
   'billing.upgradeLimitLabel':
     'Um {type} hinzuzufügen, musst du deinen Tarif aktualisieren',
   'billing.currentSubscription.heading': 'Abonnement',
-  'billing.currentSubscription.subheading':
-    'Aktuelles Workspace-Abonnement:',
+  'billing.currentSubscription.subheading': 'Aktuelles Workspace-Abonnement:',
   'billing.currentSubscription.cancelLink': 'Mein Abonnement kündigen',
   'billing.invoices.heading': 'Rechnungen',
-  'billing.invoices.empty':
-    'Keine Rechnungen für diesen Workspace gefunden.',
+  'billing.invoices.empty': 'Keine Rechnungen für diesen Workspace gefunden.',
   'billing.invoices.paidAt': 'Bezahlt am',
   'billing.invoices.subtotal': 'Zwischensumme',
   'billing.preCheckoutModal.companyInput.label': 'Firmenname:',

apps/builder/src/locales/en.ts

@@ -82,6 +82,8 @@ export default {
   'auth.error.unknown': 'An error occurred. Please try again.',
   'auth.signinErrorToast.title': 'Unauthorized',
   'auth.signinErrorToast.description': 'Sign ups are disabled.',
+  'auth.signinErrorToast.tooManyRequests':
+    'Too many requests. Try again later.',
   'auth.noProvider.preLink': 'You need to',
   'auth.noProvider.link':
     'configure at least one auth provider (Email, Google, GitHub, Facebook or Azure AD).',

apps/builder/src/locales/fr.ts

@@ -83,6 +83,7 @@ export default {
   'auth.error.unknown': 'Une erreur est survenue. Essaye à nouveau.',
   'auth.signinErrorToast.title': 'Non autorisé',
   'auth.signinErrorToast.description': 'Les inscriptions sont désactivées.',
+  'auth.signinErrorToast.tooManyRequests': 'Trop de tentatives de connexion.',
   'auth.noProvider.preLink': 'Tu as besoin de',
   'auth.noProvider.link':
     "configurer au moins un fournisseur d'authentification (E-mail, Google, GitHub, Facebook ou Azure AD).",

apps/builder/src/locales/pt.ts

@@ -84,6 +84,8 @@ export default {
   'auth.error.unknown': 'Ocorreu um erro. Tente novamente.',
   'auth.signinErrorToast.title': 'Não autorizado',
   'auth.signinErrorToast.description': 'As inscrições estão desativadas.',
+  'auth.signinErrorToast.tooManyRequests':
+    'Muitas tentativas. Tente novamente mais tarde.',
   'auth.noProvider.preLink': 'Você precisa',
   'auth.noProvider.link':
     'configurar pelo menos um provedor de autenticação (E-mail, Google, GitHub, Facebook ou Azure AD).',

apps/builder/src/pages/api/auth/[...nextauth].ts

@@ -14,9 +14,23 @@ import { env, getAtPath, isDefined, isNotEmpty } from '@typebot.io/lib'
 import { mockedUser } from '@/features/auth/mockedUser'
 import { getNewUserInvitations } from '@/features/auth/helpers/getNewUserInvitations'
 import { sendVerificationRequest } from '@/features/auth/helpers/sendVerificationRequest'
+import { Ratelimit } from '@upstash/ratelimit'
+import { Redis } from '@upstash/redis/nodejs'
 
 const providers: Provider[] = []
 
+let rateLimit: Ratelimit | undefined
+
+if (
+  process.env.UPSTASH_REDIS_REST_URL &&
+  process.env.UPSTASH_REDIS_REST_TOKEN
+) {
+  rateLimit = new Ratelimit({
+    redis: Redis.fromEnv(),
+    limiter: Ratelimit.slidingWindow(1, '60 s'),
+  })
+}
+
 if (
   isNotEmpty(process.env.GITHUB_CLIENT_ID) &&
   isNotEmpty(process.env.GITHUB_CLIENT_SECRET)
@@ -174,6 +188,24 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
   if (isMockingSession) return res.send({ user: mockedUser })
   const requestIsFromCompanyFirewall = req.method === 'HEAD'
   if (requestIsFromCompanyFirewall) return res.status(200).end()
+
+  if (
+    rateLimit &&
+    req.url === '/api/auth/signin/email' &&
+    req.method === 'POST'
+  ) {
+    let ip = req.headers['x-real-ip'] as string | undefined
+    if (!ip) {
+      const forwardedFor = req.headers['x-forwarded-for']
+      if (Array.isArray(forwardedFor)) {
+        ip = forwardedFor.at(0)
+      } else {
+        ip = forwardedFor?.split(',').at(0) ?? 'Unknown'
+      }
+    }
+    const { success } = await rateLimit.limit(ip as string)
+    if (!success) return res.status(429).json({ error: 'Too many requests' })
+  }
   return await NextAuth(req, res, authOptions)
 }