Page MenuHomePhabricator
Create Task
Maniphest T399102

Rate-limit EmailAuth emails for all types of password attempts
Open, In Progress, MediumPublic
Actions

Description

Similar to OATHAuth's usage of PingLimiter, we should rate-limit EmailAuth's emails for both good and bad password attempts, so as to avoid sending a significant number of emails in certain situations.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Rate-limit EmailAuth emailsmediawiki/extensions/EmailAuthmaster+63 -4
Customize query in gerrit

Event Timeline

sbassett created this task.Jul 9 2025, 4:07 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 9 2025, 4:07 PM
sbassett added projects: Security-Team, Trust and Safety Product Team.Jul 9 2025, 6:37 PM
Tgr claimed this task.Jul 9 2025, 9:37 PM

And more importantly to prevent brute-forcing the verification code.

sbassett added a comment.Jul 10 2025, 2:05 PM
In T399102#10990043, @Tgr wrote:

And more importantly to prevent brute-forcing the verification code.

I'd actually thrown together a basic patch a la the OATHAuth pattern yesterday, but I see you've claimed this. I'll push the patch to gerrit anyways. If it's the wrong approach or you have a different plan, I can just abandon it.

gerritbot added a comment.Jul 10 2025, 2:07 PM

Change #1167869 had a related patch set uploaded (by SBassett; author: SBassett):

[mediawiki/extensions/EmailAuth@master] Rate-limit EmailAuth emails

https://gerrit.wikimedia.org/r/1167869

gerritbot added a project: Patch-For-Review.Jul 10 2025, 2:07 PM
Tgr reassigned this task from Tgr to sbassett.Jul 10 2025, 9:40 PM

I also had a WIP patch, but it wasn't meaningfully different.

sbassett changed the task status from Open to In Progress.Jul 14 2025, 4:30 PM
sbassett triaged this task as Medium priority.
sbassett moved this task from Incoming to In Progress on the Security-Team board.
sbassett added a project: user-sbassett.
sbassett added a project: SecTeam-Processed.
sbassett moved this task from Backlog to In Progress on the user-sbassett board.
Dreamy_Jazz edited projects, added Product Safety and Integrity; removed Trust and Safety Product Team.Feb 24 2026, 2:49 PM
Dreamy_Jazz moved this task from Inbox to Triaged (backlog) on the Product Safety and Integrity board.Feb 24 2026, 4:49 PM
sbassett moved this task from In Progress to Backlog on the user-sbassett board.Apr 2 2026, 3:55 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits