Rate limit password forgot feature
During a security audit an issue with Zitadel came up. The password forgot feature is not rate limited.
The auditor's argument was that they can use it to email bomb a victim.
Is it possible to rate limit this feature or is there a back-off mechanism implemented?
7 Replies
Hi @Ecstabis, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.
Answer
ZITADEL does implement rate limiting for its services (1). For ZITADEL Cloud, rate limits are implemented with the following rules:
- /ui/* (Global Login, Register and Reset Limit): 10 requests per second over a minute, with one minute banning at 15 requests per second over 3 minutes
- All other paths (All gRPC-, REST and OAuth APIs): 50 requests per second over a minute, with one minute banning at 50 requests per second over 3 minutes
The rate limiting is built around an IP-oriented model. ZITADEL also utilizes a service for DDoS mitigation, so changing IP addresses and repeating requests may result in blocking. When blocked, you receive an HTTP status 429.
For self-hosted environments, you can implement usage control features including blocking instances (2). You can block an instance using the system API, and most requests to a blocked instance are rejected with HTTP status 429 Too Many Requests or gRPC status 8 Resource Exhausted.
The password reset functionality is available through the /v2/users/:userId/password_reset endpoint (3), which would fall under the general API rate limiting rules mentioned above (1).
If you need higher limits for specific scenarios (like corporate proxies or NAT), ZITADEL recommends contacting them to discuss requirements.
To learn more, see the sources I considered:
[1] Rate Limit Policy
[2] Usage Control
[3] Request a code to reset a password
Feel free to tag @Ask Inkeep with additional questions.
Got it. Tagging @Rajat for additional help.
- I don't want to update (lower) the general rate limit
- 50 password resets per minute per email is still an issue
Hello @Ecstabis, thanks for reaching out. I've just forwarded this to our Engineering team to take a look. We'll get back to you shortly, thanks!
Thanks!
Hello @Ecstabis, thanks for your patience. Currently there is no mechanism to prevent this from the product itself; there are different alternatives we are looking into to address this in future releases, but we do not have an ETA yet. The alternative I can think of is a reverse proxy to implement a rate limiting rule for this endpoint. Let me know if there is anything else I can help you with.
We set up a reverse proxy to rate limit it. This has a few negative aspects though: we had to rate limit all the /ui endpoints.
I'll look out for a future release in which we can limit this!
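As an added example (not ZITADEL's code and not the proxy the original poster deployed), here is the narrower reverse-proxy rule the thread leaves open: a Go reverse proxy in front of ZITADEL that counts only POSTs to the documented /v2/users/{userId}/password_reset path and keys the counter on the target userId rather than on the client IP, so one attacker cannot flood one victim by rotating addresses while every other path, /ui/* included, passes through unthrottled. The limit of 3 resets per user per minute, the fixed-window counter, the stub upstream and the request mix in main are assumptions for illustration; the ZITADEL Cloud limits quoted earlier are unrelated to these numbers.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
	"sync"
	"time"
)

// limiter is a fixed-window counter per key (here the key is the target userId).
type limiter struct {
	mu     sync.Mutex
	limit  int
	window time.Duration
	now    func() time.Time // injectable clock so the window can be tested
	hits   map[string]*bucket
}

type bucket struct {
	count int
	start time.Time
}

func newLimiter(limit int, window time.Duration) *limiter {
	return &limiter{limit: limit, window: window, now: time.Now, hits: map[string]*bucket{}}
}

// allow reports whether a request for key may pass and records it if so.
func (l *limiter) allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	b, ok := l.hits[key]
	if !ok || now.Sub(b.start) >= l.window {
		l.hits[key] = &bucket{count: 1, start: now} // first hit in a fresh window
		return true
	}
	if b.count >= l.limit {
		return false
	}
	b.count++
	return true
}

// resetUserID extracts userId from /v2/users/{userId}/password_reset, or "" for any other path.
func resetUserID(path string) string {
	const prefix, suffix = "/v2/users/", "/password_reset"
	if !strings.HasPrefix(path, prefix) || !strings.HasSuffix(path, suffix) {
		return ""
	}
	id := strings.TrimSuffix(strings.TrimPrefix(path, prefix), suffix)
	if id == "" || strings.Contains(id, "/") {
		return ""
	}
	return id
}

// limitPasswordReset wraps next so that only password-reset POSTs are counted, per target user.
func limitPasswordReset(l *limiter, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if id := resetUserID(r.URL.Path); id != "" && r.Method == http.MethodPost {
			if !l.allow(id) {
				w.Header().Set("Retry-After", fmt.Sprint(int(l.window.Seconds())))
				http.Error(w, "too many password reset requests for this user", http.StatusTooManyRequests)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// run sends (method, path) pairs through the limited proxy in front of a stub upstream
// (constructed stand-in for ZITADEL that answers 200) and returns the status codes seen.
func run(l *limiter, reqs [][2]string) []int {
	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	defer upstream.Close()
	u, _ := url.Parse(upstream.URL)
	front := httptest.NewServer(limitPasswordReset(l, httputil.NewSingleHostReverseProxy(u)))
	defer front.Close()
	var codes []int
	for _, rq := range reqs {
		req, _ := http.NewRequest(rq[0], front.URL+rq[1], nil)
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			codes = append(codes, 0)
			continue
		}
		resp.Body.Close()
		codes = append(codes, resp.StatusCode)
	}
	return codes
}

func main() {
	l := newLimiter(3, time.Minute)
	reqs := [][2]string{
		{"POST", "/v2/users/123/password_reset"},
		{"POST", "/v2/users/123/password_reset"},
		{"POST", "/v2/users/123/password_reset"},
		{"POST", "/v2/users/123/password_reset"}, // 4th for the same victim -> 429
		{"POST", "/v2/users/456/password_reset"}, // different user -> still allowed
		{"GET", "/ui/login"},                     // unrelated path -> never counted
	}
	fmt.Println(run(l, reqs)) // [200 200 200 429 200 200]
}
```

Two caveats when adapting this. The counter lives in process memory, so with several proxy replicas it must move to shared storage (or be keyed consistently by a load balancer) or an attacker simply spreads requests across replicas. And the hosted login UI's reset flow submits the login name in a form body under /ui/*, not in the URL path, so this path-based rule does not cover it; throttling that flow per account means parsing the form and keying on the submitted login name instead.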
Hello @Ecstabis, we appreciate your feedback. This is definitely under the radar, thank you!