add rate limits to email routes

packages/pds/src/api/com/atproto/server/requestAccountDelete.ts

@@ -1,9 +1,21 @@
 import { InvalidRequestError } from '@atproto/xrpc-server'
+import { DAY, HOUR } from '@atproto/common'
 import { Server } from '../../../../lexicon'
 import AppContext from '../../../../context'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.requestAccountDelete({
+    rateLimit: [
+      {
+        durationMs: DAY,
+        points: 10,
+        calcKey: ({ auth }) => auth.credentials.did,
+      },
+      {
+        durationMs: HOUR,
+        points: 10,
+      },
+    ],
     auth: ctx.authVerifier.accessCheckTakedown,
     handler: async ({ auth }) => {
       const did = auth.credentials.did

packages/pds/src/api/com/atproto/server/requestEmailConfirmation.ts

@@ -1,9 +1,21 @@
 import { InvalidRequestError } from '@atproto/xrpc-server'
+import { DAY, HOUR } from '@atproto/common'
 import { Server } from '../../../../lexicon'
 import AppContext from '../../../../context'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.requestEmailConfirmation({
+    rateLimit: [
+      {
+        durationMs: DAY,
+        points: 10,
+        calcKey: ({ auth }) => auth.credentials.did,
+      },
+      {
+        durationMs: HOUR,
+        points: 10,
+      },
+    ],
     auth: ctx.authVerifier.accessCheckTakedown,
     handler: async ({ auth }) => {
       const did = auth.credentials.did

packages/pds/src/api/com/atproto/server/requestEmailUpdate.ts

@@ -1,9 +1,21 @@
 import { InvalidRequestError } from '@atproto/xrpc-server'
+import { DAY, HOUR } from '@atproto/common'
 import { Server } from '../../../../lexicon'
 import AppContext from '../../../../context'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.requestEmailUpdate({
+    rateLimit: [
+      {
+        durationMs: DAY,
+        points: 10,
+        calcKey: ({ auth }) => auth.credentials.did,
+      },
+      {
+        durationMs: HOUR,
+        points: 10,
+      },
+    ],
     auth: ctx.authVerifier.accessCheckTakedown,
     handler: async ({ auth }) => {
       const did = auth.credentials.did

packages/pds/src/api/com/atproto/server/requestPasswordReset.ts

@@ -1,20 +1,34 @@
+import { DAY, HOUR } from '@atproto/common'
 import AppContext from '../../../../context'
 import { Server } from '../../../../lexicon'
 
 export default function (server: Server, ctx: AppContext) {
-  server.com.atproto.server.requestPasswordReset(async ({ input }) => {
-    const email = input.body.email.toLowerCase()
+  server.com.atproto.server.requestPasswordReset({
+    rateLimit: [
+      {
+        durationMs: DAY,
+        points: 10,
+        calcKey: ({ input }) => input.body.email.toLowerCase(),
+      },
+      {
+        durationMs: HOUR,
+        points: 10,
+      },
+    ],
+    handler: async ({ input }) => {
+      const email = input.body.email.toLowerCase()
 
-    const user = await ctx.services.account(ctx.db).getAccountByEmail(email)
+      const user = await ctx.services.account(ctx.db).getAccountByEmail(email)
 
-    if (user) {
-      const token = await ctx.services
-        .account(ctx.db)
-        .createEmailToken(user.did, 'reset_password')
-      await ctx.mailer.sendResetPassword(
-        { handle: user.handle, token },
-        { to: user.email },
-      )
-    }
+      if (user) {
+        const token = await ctx.services
+          .account(ctx.db)
+          .createEmailToken(user.did, 'reset_password')
+        await ctx.mailer.sendResetPassword(
+          { handle: user.handle, token },
+          { to: user.email },
+        )
+      }
+    },
   })
 }