Ecstabis, 2d ago

Rate limit password forgot feature

During a security audit an issue with Zitadel came up. The forgot-password feature is not rate limited. The auditor's argument was that they can use it to email-bomb a victim. Is it possible to rate limit this feature, or is there a back-off mechanism implemented?
2 Replies
Ask Inkeep, 2d ago
Hi @Ecstabis, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Answer

ZITADEL does implement rate limiting for its services (1). For ZITADEL Cloud, rate limits are implemented with the following rules:

- /ui/* (Global Login, Register and Reset Limit): 10 requests per second over a minute, with one minute banning at 15 requests per second over 3 minutes
- All other paths (All gRPC-, REST and OAuth APIs): 50 requests per second over a minute, with one minute banning at 50 requests per second over 3 minutes

The rate limiting is built around an IP-oriented model. ZITADEL also utilizes a service for DDoS mitigation, so changing IP addresses and repeating requests may result in blocking. When blocked, you receive an HTTP status 429.

For self-hosted environments, you can implement usage control features including blocking instances (2). You can block an instance using the system API, and most requests to a blocked instance are rejected with HTTP status 429 Too Many Requests or gRPC status 8 Resource Exhausted.

The password reset functionality is available through the /v2/users/:userId/password_reset endpoint (3), which would fall under the general API rate limiting rules mentioned above (1). If you need higher limits for specific scenarios (like corporate proxies or NAT), ZITADEL recommends contacting them to discuss requirements.

To learn more, see the sources I considered:
[1] Rate Limit Policy
[2] Usage Control
[3] Request a code to reset a password

Feel free to tag @Ask Inkeep with additional questions.

Got it. Tagging @Rajat for additional help.
Ecstabis (OP), 2d ago
- I don't want to update (lower) the general rate limit
- 50 password resets per minute per email is still an issue
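To illustrate the gap the OP points out, here is an added example (not ZITADEL code) of a per-recipient throttle with a doubling lock-out running next to an IP sliding window; the class, method names, limits and the simulated addresses are hypothetical choices.

```python
from collections import defaultdict, deque


class ResetThrottle:
    """IP sliding window (simplified analogue of the /ui/* rule quoted above)
    plus a per-recipient limit whose lock-out doubles on every repeat."""

    def __init__(self, ip_limit=10, ip_window=1.0,
                 email_limit=3, email_window=3600.0, backoff_base=60.0):
        self.ip_limit, self.ip_window = ip_limit, ip_window
        self.email_limit, self.email_window = email_limit, email_window
        self.backoff_base = backoff_base
        self._ip_hits = defaultdict(deque)      # ip -> request timestamps
        self._email_hits = defaultdict(deque)   # email -> timestamps of mails sent
        self._blocked_until = {}                # email -> end of current lock-out
        self._strikes = {}                      # email -> lock-outs so far

    @staticmethod
    def _prune(hits, now, window):
        while hits and hits[0] <= now - window:
            hits.popleft()

    def allow(self, ip, email, now):
        """Return (send_mail, reason). Answer the client identically either way
        so the throttle does not reveal whether the address exists."""
        email = email.strip().lower()           # one key per mailbox, not per spelling
        ip_hits = self._ip_hits[ip]
        self._prune(ip_hits, now, self.ip_window)
        if len(ip_hits) >= self.ip_limit:
            return False, "ip"
        ip_hits.append(now)
        if self._blocked_until.get(email, 0.0) > now:
            return False, "email-backoff"
        email_hits = self._email_hits[email]
        self._prune(email_hits, now, self.email_window)
        if len(email_hits) >= self.email_limit:
            strikes = self._strikes.get(email, 0) + 1
            self._strikes[email] = strikes
            self._blocked_until[email] = now + self.backoff_base * 2 ** (strikes - 1)
            return False, "email-limit"
        email_hits.append(now)
        return True, "ok"


def simulate_rotating_ips(n=50, spacing=1.2):
    """Constructed scenario: n requests for one mailbox over about a minute, each
    from a different IP so the IP window never fills. Returns mails actually sent."""
    t = ResetThrottle()
    sent = [t.allow(f"198.51.100.{i}", "victim@example.test", now=i * spacing)[0]
            for i in range(n)]
    return sum(sent)
```

With the IP window alone all 50 requests would go out; the per-recipient limit caps the victim's inbox at 3 and the lock-out grows with each further burst.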
