hedyorg · TiBiBa · Feb 8, 2024 · Feb 8, 2024 · Jun 27, 2024 · Jun 27, 2024
diff --git a/app.py b/app.py
@@ -27,6 +27,9 @@
 from flask_compress import Compress
 from urllib.parse import quote_plus
 
+from flask_limiter import Limiter
+from flask_limiter.util import get_remote_address
+
 import hedy
 import hedy_content
 import hedy_translation
@@ -70,6 +73,14 @@
 app.url_map.strict_slashes = False  # Ignore trailing slashes in URLs
 app.json = JinjaCompatibleJsonProvider(app)
 
+# Implement the rate limiter
+limiter = Limiter(
+    get_remote_address,
+    app=app,
+    storage_uri="memory://",
+)
+
+
 # Most files should be loaded through the CDN which has its own caching period and invalidation.
 # Use 5 minutes as a reasonable default for all files we load elsewise.
 app.config['SEND_FILE_MAX_AGE_DEFAULT'] = datetime.timedelta(minutes=5)

diff --git a/requirements.txt b/requirements.txt
@@ -28,10 +28,11 @@ turtlethread>=0.0.6
 pygame==2.1.2
 pre-commit==2.20.0
 babel==2.14.0
-jinja-partials==0.1.1
+jinja-partials==0.1.1clea
 hypothesis>=6.75.3
 tqdm==4.65.0
 pytest-xdist==3.3.1
 email-validator==2.1.0.post1
 doit==0.36.0
 doit_watch>=0.1.0
+flask-limiter==3.5.0
diff --git a/website/auth_pages.py b/website/auth_pages.py
@@ -3,6 +3,7 @@
 from flask import jsonify, make_response, redirect, request, session
 from flask_babel import gettext
 
+from app import limiter
 from config import config
 from safe_format import safe_format
 from hedy_content import ALL_LANGUAGES, COUNTRIES
@@ -367,6 +368,7 @@ def recover(self):
             return jsonify({"message": gettext("sent_password_recovery")}), 200
 
     @ route("/reset", methods=["POST"])
+    @limiter.limit("100/day;10/hour;1/minute")
     def reset(self):
         body = request.json
         # Validations