Throttle email updates per wallet

MoneroOcean · MoneroOcean · commit 7917a77cb96b · 2026-05-23T18:18:41.000Z
diff --git a/lib/api/account.js b/lib/api/account.js
@@ -35,12 +35,12 @@ module.exports = function registerAccountRoutes(ctx) {
         return "";
     }
 
-    function sensitiveKey(kind, username, from, to, enabled) {
+    function sensitiveKey(kind, username) {
         const userValue = sensitivePart(username);
         if (!userValue) return null;
 
         const hash = crypto.createHash("sha256");
-        for (const part of [kind, userValue, sensitivePart(from), sensitivePart(to), sensitivePart(enabled)]) {
+        for (const part of [sensitivePart(kind), userValue]) {
             hash.update(String(Buffer.byteLength(part)));
             hash.update(":");
             hash.update(part);
@@ -140,7 +140,7 @@ module.exports = function registerAccountRoutes(ctx) {
             if (body) return sendJson(res, 401, { success: false, msg: "No \"username\" parameter was found" });
             return;
         }
-        const throttleKey = sensitiveKey("subscribeEmail", body.username, body.from, body.to, body.enabled);
+        const throttleKey = sensitiveKey("subscribeEmail", body.username);
         const throttle = acquireSensitiveAttempt(throttleKey);
         if (throttle) return sendJson(res, 429, throttle);
 
diff --git a/tests/api/public_and_auth.js b/tests/api/public_and_auth.js
@@ -347,7 +347,8 @@ test.describe("api public and auth", { concurrency: false }, () => {
         });
     });
 
-    test("email subscription throttle does not let a mismatched email block a valid update", async () => {
+    test("email subscription throttle cannot be bypassed by changing email fields", async () => {
+        let nowValue = 0;
         let updateCalls = 0;
         const mysql = createMysql(async function handler(sql, params) {
             if (sql.startsWith("UPDATE users SET enable_email = ?, email = ? WHERE username = ? AND email = ?")) {
@@ -365,7 +366,7 @@ test.describe("api public and auth", { concurrency: false }, () => {
             config: createConfig(),
             database: createDatabase({ caches: {} }),
             mysql: mysql,
-            now: () => 0,
+            now: () => nowValue,
             support: createSupport()
         }, async (port) => {
             const attackerFailure = await requestJson(port, "POST", "/user/subscribeEmail", {
@@ -377,6 +378,17 @@ test.describe("api public and auth", { concurrency: false }, () => {
             assert.equal(attackerFailure.statusCode, 401);
             assert.deepEqual(attackerFailure.json, { error: "FROM email does not match" });
 
+            const variedGuess = await requestJson(port, "POST", "/user/subscribeEmail", {
+                username: "wallet",
+                enabled: 0,
+                from: "old@example.com",
+                to: "new@example.com"
+            });
+            assert.equal(variedGuess.statusCode, 429);
+            assert.match(variedGuess.json.msg, /Too many attempts/);
+            assert.equal(updateCalls, 1);
+
+            nowValue += 2001;
             const validUpdate = await requestJson(port, "POST", "/user/subscribeEmail", {
                 username: "wallet",
                 enabled: 1,
