rate limits reset

Author: pcrespov

services/web/server/src/simcore_service_webserver/login/handlers_confirmation.py

@@ -30,7 +30,7 @@
 from ..products.models import Product
 from ..security.api import encrypt_password
 from ..session.access_policies import session_access_required
-from ..utils import MINUTE
+from ..utils import HOUR, MINUTE
 from ..utils_aiohttp import create_redirect_to_page_response
 from ..utils_rate_limiting import global_rate_limit_route
 from ._2fa_api import delete_2fa_code, get_2fa_code
@@ -274,6 +274,7 @@ class ResetPasswordConfirmation(InputSchema):
 
 
 @routes.post("/v0/auth/reset-password/{code}", name="complete_reset_password")
+@global_rate_limit_route(number_of_requests=10, interval_seconds=HOUR)
 async def complete_reset_password(request: web.Request):
     """Last of the "Two-Step Action Confirmation pattern": initiate_reset_password + complete_reset_password(code)
 
@@ -296,8 +297,8 @@ async def complete_reset_password(request: web.Request):
         assert user  # nosec
 
         await db.update_user(
-            dict(user),
-            {
+            user={"id": user["id"]},
+            updates={
                 "password_hash": encrypt_password(
                     request_body.password.get_secret_value()
                 )