Add a limit to the number of active 2fa codes that we create. At the moment that is set to 10.

2026-02-03 18:01:08 -05:00 · 2017-02-15 16:18:05 +00:00
parent 9de88c50ba
commit 52342afe3f
5 changed files with 44 additions and 3 deletions
--- a/app/user/rest.py
+++ b/app/user/rest.py
@@ -12,7 +12,8 @@ from app.dao.users_dao import (
    get_user_by_email,
    create_secret_code,
    save_user_attribute,
-    update_user_password
+    update_user_password,
+    count_user_verify_codes
 )
 from app.dao.permissions_dao import permission_dao
 from app.dao.services_dao import dao_fetch_service_by_id
@@ -137,6 +138,10 @@ def send_user_sms_code(user_id):
    user_to_send_to = get_user_by_id(user_id=user_id)
    verify_code, errors = request_verify_code_schema.load(request.get_json())

+    if count_user_verify_codes(user_to_send_to) >= current_app.config.get('MAX_VERIFY_CODE_COUNT'):
+        # Prevent more than `MAX_VERIFY_CODE_COUNT` active verify codes at a time
+        return jsonify({}), 204
+
    secret_code = create_secret_code()
    create_user_code(user_to_send_to, secret_code, SMS_TYPE)