Restore the reset-password rate limit and fix copyTrip reservation links

Two correctness/security gaps the NestJS migration introduced:

- POST /api/auth/reset-password lost its per-IP rate limiter. Restore it
  (5 attempts / 15 min on a dedicated bucket, same as the old resetLimiter)
  so reset tokens can't be brute-forced unthrottled. Covered by AUTH-019.
- copyTripById did not copy reservations.end_day_id (a day reference — now
  remapped through dayMap like day_id) or needs_review, so a duplicated trip
  lost multi-day transport end-day links and reset the review flag.
Maurice
2026-05-31 13:38:02 +02:00
parent bfe52579df
commit 4c9631998f
3 changed files with 22 additions and 4 deletions
@@ -835,6 +835,18 @@ describe('Rate limiting', () => {
}
expect(lastStatus).toBe(429);
});
it('AUTH-019 — reset-password endpoint rate-limits after 5 attempts (parity with the legacy resetLimiter)', async () => {
let lastStatus = 0;
for (let i = 0; i <= 5; i++) {
const res = await request(app)
.post('/api/auth/reset-password')
.send({ token: 'badtoken', new_password: 'NewPassw0rd!' });
lastStatus = res.status;
if (lastStatus === 429) break;
}
expect(lastStatus).toBe(429);
});
});
// ─────────────────────────────────────────────────────────────────────────────
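Review bot: the new AUTH-019 test breaks out of its loop on the first 429 (`if (lastStatus === 429) break;`), so it passes even when the very first reset-password request is rejected, which is exactly what would happen if the endpoint shared a per-IP bucket with the limiter the preceding test has just exhausted (that test ends with `expect(lastStatus).toBe(429);`). To prove the "5 attempts on a dedicated bucket" parity the commit message claims, assert that attempts 1 through 5 are not throttled and only the 6th is, e.g. `for (let i = 0; i < 5; i++) { ... expect(res.status).not.toBe(429); }` followed by one more request with `expect(res.status).toBe(429);`; that also pins the limit at exactly 5 rather than "at most 5" and catches a shared-bucket regression.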