Merge pull request rails#54442 from excid3/rate-limit-password-reset

Rate limit password resets in auth generator

Author: byroot

railties/CHANGELOG.md

@@ -1,3 +1,9 @@
+*   Rate limit password resets in authentication generator
+
+    This helps mitigate abuse from attackers spamming the password reset form.
+
+    *Chris Oliver*
+
 *   Update `rails new --minimal` option
 
     Extend the `--minimal` flag to exlcude recently added features:

railties/lib/rails/generators/rails/authentication/templates/app/controllers/passwords_controller.rb.tt

@@ -1,6 +1,7 @@
 class PasswordsController < ApplicationController
   allow_unauthenticated_access
   before_action :set_user_by_token, only: %i[ edit update ]
+  rate_limit to: 10, within: 3.minutes, only: :create, with: -> { redirect_to new_password_path, alert: "Try again later." }
 
   def new
   end