element-hq
diff --git a/‎crates/config/src/sections/rate_limiting.rs‎
Lines changed: 78 additions & 1 deletion b/‎crates/config/src/sections/rate_limiting.rs‎
Lines changed: 78 additions & 1 deletion
diff --git a/‎crates/handlers/src/graphql/mutations/user_email.rs‎
Lines changed: 37 additions & 2 deletions b/‎crates/handlers/src/graphql/mutations/user_email.rs‎
Lines changed: 37 additions & 2 deletions
@@ -1,4 +1,4 @@
-// Copyright 2024 New Vector Ltd.
+// Copyright 2024, 2025 New Vector Ltd.
 // Copyright 2024 The Matrix.org Foundation C.I.C.
 //
 // SPDX-License-Identifier: AGPL-3.0-only
@@ -18,13 +18,19 @@ pub struct RateLimitingConfig {
     /// Account Recovery-specific rate limits
     #[serde(default)]
     pub account_recovery: AccountRecoveryRateLimitingConfig,
+
     /// Login-specific rate limits
     #[serde(default)]
     pub login: LoginRateLimitingConfig,
+
     /// Controls how many registrations attempts are permitted
     /// based on source address.
     #[serde(default = "default_registration")]
     pub registration: RateLimiterConfiguration,
+
+    /// Email authentication-specific rate limits
+    #[serde(default)]
+    pub email_authentication: EmailauthenticationRateLimitingConfig,
 }
 
 #[derive(Clone, Debug, Serialize, Deserialize, JsonSchema, PartialEq)]
@@ -37,6 +43,7 @@ pub struct LoginRateLimitingConfig {
     /// change their own password.
     #[serde(default = "default_login_per_ip")]
     pub per_ip: RateLimiterConfiguration,
+
     /// Controls how many login attempts are permitted
     /// based on the account that is being attempted to be logged into.
     /// This can protect against a distributed brute force attack
@@ -58,6 +65,7 @@ pub struct AccountRecoveryRateLimitingConfig {
     /// Note: this limit also applies to re-sends.
     #[serde(default = "default_account_recovery_per_ip")]
     pub per_ip: RateLimiterConfiguration,
+
     /// Controls how many account recovery attempts are permitted
     /// based on the e-mail address entered into the recovery form.
     /// This can protect against causing e-mail spam to one target.
@@ -67,6 +75,35 @@ pub struct AccountRecoveryRateLimitingConfig {
     pub per_address: RateLimiterConfiguration,
 }
 
+#[derive(Clone, Debug, Serialize, Deserialize, JsonSchema, PartialEq)]
+pub struct EmailauthenticationRateLimitingConfig {
+    /// Controls how many email authentication attempts are permitted
+    /// based on the source IP address.
+    /// This can protect against causing e-mail spam to many targets.
+    #[serde(default = "default_email_authentication_per_ip")]
+    pub per_ip: RateLimiterConfiguration,
+
+    /// Controls how many email authentication attempts are permitted
+    /// based on the e-mail address entered into the authentication form.
+    /// This can protect against causing e-mail spam to one target.
+    ///
+    /// Note: this limit also applies to re-sends.
+    #[serde(default = "default_email_authentication_per_address")]
+    pub per_address: RateLimiterConfiguration,
+
+    /// Controls how many authentication emails are permitted to be sent per
+    /// authentication session. This ensures not too many authentication codes
+    /// are created for the same authentication session.
+    #[serde(default = "default_email_authentication_emails_per_session")]
+    pub emails_per_session: RateLimiterConfiguration,
+
+    /// Controls how many code authentication attempts are permitted per
+    /// authentication session. This can protect against brute-forcing the
+    /// code.
+    #[serde(default = "default_email_authentication_attempt_per_session")]
+    pub attempt_per_session: RateLimiterConfiguration,
+}
+
 #[derive(Copy, Clone, Debug, Serialize, Deserialize, JsonSchema, PartialEq)]
 pub struct RateLimiterConfiguration {
     /// A one-off burst of actions that the user can perform
@@ -193,12 +230,41 @@ fn default_account_recovery_per_address() -> RateLimiterConfiguration {
     }
 }
 
+fn default_email_authentication_per_ip() -> RateLimiterConfiguration {
+    RateLimiterConfiguration {
+        burst: NonZeroU32::new(5).unwrap(),
+        per_second: 1.0 / 60.0,
+    }
+}
+
+fn default_email_authentication_per_address() -> RateLimiterConfiguration {
+    RateLimiterConfiguration {
+        burst: NonZeroU32::new(3).unwrap(),
+        per_second: 1.0 / 3600.0,
+    }
+}
+
+fn default_email_authentication_emails_per_session() -> RateLimiterConfiguration {
+    RateLimiterConfiguration {
+        burst: NonZeroU32::new(2).unwrap(),
+        per_second: 1.0 / 300.0,
+    }
+}
+
+fn default_email_authentication_attempt_per_session() -> RateLimiterConfiguration {
+    RateLimiterConfiguration {
+        burst: NonZeroU32::new(10).unwrap(),
+        per_second: 1.0 / 60.0,
+    }
+}
+
 impl Default for RateLimitingConfig {
     fn default() -> Self {
         RateLimitingConfig {
             login: LoginRateLimitingConfig::default(),
             registration: default_registration(),
             account_recovery: AccountRecoveryRateLimitingConfig::default(),
+            email_authentication: EmailauthenticationRateLimitingConfig::default(),
         }
     }
 }
@@ -220,3 +286,14 @@ impl Default for AccountRecoveryRateLimitingConfig {
         }
     }
 }
+
+impl Default for EmailauthenticationRateLimitingConfig {
+    fn default() -> Self {
+        EmailauthenticationRateLimitingConfig {
+            per_ip: default_email_authentication_per_ip(),
+            per_address: default_email_authentication_per_address(),
+            emails_per_session: default_email_authentication_emails_per_session(),
+            attempt_per_session: default_email_authentication_attempt_per_session(),
+        }
+    }
+}
@@ -238,6 +238,8 @@ enum StartEmailAuthenticationStatus {
     Started,
     /// The email address is invalid
     InvalidEmailAddress,
+    /// Too many attempts to start an email authentication
+    RateLimited,
     /// The email address isn't allowed by the policy
     Denied,
     /// The email address is already in use
@@ -249,6 +251,7 @@ enum StartEmailAuthenticationStatus {
 enum StartEmailAuthenticationPayload {
     Started(UserEmailAuthentication),
     InvalidEmailAddress,
+    RateLimited,
     Denied {
         violations: Vec<mas_policy::Violation>,
     },
@@ -262,6 +265,7 @@ impl StartEmailAuthenticationPayload {
         match self {
             Self::Started(_) => StartEmailAuthenticationStatus::Started,
             Self::InvalidEmailAddress => StartEmailAuthenticationStatus::InvalidEmailAddress,
+            Self::RateLimited => StartEmailAuthenticationStatus::RateLimited,
             Self::Denied { .. } => StartEmailAuthenticationStatus::Denied,
             Self::InUse => StartEmailAuthenticationStatus::InUse,
         }
@@ -271,7 +275,9 @@ impl StartEmailAuthenticationPayload {
     async fn authentication(&self) -> Option<&UserEmailAuthentication> {
         match self {
             Self::Started(authentication) => Some(authentication),
-            Self::InvalidEmailAddress | Self::Denied { .. } | Self::InUse => None,
+            Self::InvalidEmailAddress | Self::RateLimited | Self::Denied { .. } | Self::InUse => {
+                None
+            }
         }
     }
 
@@ -302,6 +308,7 @@ enum CompleteEmailAuthenticationPayload {
     Completed,
     InvalidCode,
     CodeExpired,
+    RateLimited,
 }
 
 /// The status of the `completeEmailAuthentication` mutation
@@ -313,6 +320,8 @@ enum CompleteEmailAuthenticationStatus {
     InvalidCode,
     /// The authentication code has expired
     CodeExpired,
+    /// Too many attempts to complete an email authentication
+    RateLimited,
 }
 
 #[Object(use_type_description)]
@@ -323,6 +332,7 @@ impl CompleteEmailAuthenticationPayload {
             Self::Completed => CompleteEmailAuthenticationStatus::Completed,
             Self::InvalidCode => CompleteEmailAuthenticationStatus::InvalidCode,
             Self::CodeExpired => CompleteEmailAuthenticationStatus::CodeExpired,
+            Self::RateLimited => CompleteEmailAuthenticationStatus::RateLimited,
         }
     }
 }
@@ -345,6 +355,8 @@ enum ResendEmailAuthenticationCodePayload {
     Resent,
     /// The email authentication session is already completed
     Completed,
+    /// Too many attempts to resend an email authentication code
+    RateLimited,
 }
 
 /// The status of the `resendEmailAuthenticationCode` mutation
@@ -354,6 +366,8 @@ enum ResendEmailAuthenticationCodeStatus {
     Resent,
     /// The email authentication session is already completed
     Completed,
+    /// Too many attempts to resend an email authentication code
+    RateLimited,
 }
 
 #[Object(use_type_description)]
@@ -363,6 +377,7 @@ impl ResendEmailAuthenticationCodePayload {
         match self {
             Self::Resent => ResendEmailAuthenticationCodeStatus::Resent,
             Self::Completed => ResendEmailAuthenticationCodeStatus::Completed,
+            Self::RateLimited => ResendEmailAuthenticationCodeStatus::RateLimited,
         }
     }
 }
@@ -536,6 +551,7 @@ impl UserEmailMutations {
         let mut rng = state.rng();
         let clock = state.clock();
         let requester = ctx.requester();
+        let limiter = state.limiter();
 
         // Only allow calling this if the requester is a browser session
         let Some(browser_session) = requester.browser_session() else {
@@ -563,7 +579,12 @@ impl UserEmailMutations {
             return Ok(StartEmailAuthenticationPayload::InvalidEmailAddress);
         }
 
-        // TODO: check rate limting
+        if let Err(e) =
+            limiter.check_email_authentication_email(ctx.requester_fingerprint(), &input.email)
+        {
+            tracing::warn!(error = &e as &dyn std::error::Error);
+            return Ok(StartEmailAuthenticationPayload::RateLimited);
+        }
 
         let mut repo = state.repository().await?;
 
@@ -615,6 +636,7 @@ impl UserEmailMutations {
         let state = ctx.state();
         let mut rng = state.rng();
         let clock = state.clock();
+        let limiter = state.limiter();
 
         let id = NodeType::UserEmailAuthentication.extract_ulid(&input.id)?;
         let Some(browser_session) = ctx.requester().browser_session() else {
@@ -647,6 +669,13 @@ impl UserEmailMutations {
             return Ok(ResendEmailAuthenticationCodePayload::Completed);
         }
 
+        if let Err(e) = limiter
+            .check_email_authentication_send_code(ctx.requester_fingerprint(), &authentication)
+        {
+            tracing::warn!(error = &e as &dyn std::error::Error);
+            return Ok(ResendEmailAuthenticationCodePayload::RateLimited);
+        }
+
         repo.queue_job()
             .schedule_job(
                 &mut rng,
@@ -669,6 +698,7 @@ impl UserEmailMutations {
         let state = ctx.state();
         let mut rng = state.rng();
         let clock = state.clock();
+        let limiter = state.limiter();
 
         let id = NodeType::UserEmailAuthentication.extract_ulid(&input.id)?;
 
@@ -695,6 +725,11 @@ impl UserEmailMutations {
             return Ok(CompleteEmailAuthenticationPayload::InvalidCode);
         }
 
+        if let Err(e) = limiter.check_email_authentication_attempt(&authentication) {
+            tracing::warn!(error = &e as &dyn std::error::Error);
+            return Ok(CompleteEmailAuthenticationPayload::RateLimited);
+        }
+
         let Some(code) = repo
             .user_email()
             .find_authentication_code(&authentication, &input.code)