introduce strict rate limitso on auth router endpoints

2026-02-15 09:26:40 +00:00 · 2025-07-14 18:00:41 -07:00
parent d6fdb38c22
commit b7df0b122d
6 changed files with 236 additions and 99 deletions
--- a/server/routers/auth/verifyTotp.ts
+++ b/server/routers/auth/verifyTotp.ts
@@ -75,6 +75,14 @@ export async function verifyTotp(
                    )
                );
            user = res;
+
+            const validPassword = await verifyPassword(
+                password,
+                user.passwordHash!
+            );
+            if (!validPassword) {
+                return next(unauthorized());
+            }
        }

        if (!user) {
@@ -91,14 +99,6 @@ export async function verifyTotp(
            );
        }

-        const validPassword = await verifyPassword(
-            password,
-            user.passwordHash!
-        );
-        if (!validPassword) {
-            return next(unauthorized());
-        }
-
        if (user.type !== UserType.Internal) {
            return next(
                createHttpError(