Skip to content

[pull] main from dubinc:main #66

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pull merged 10 commits into from
Apr 19, 2025
Merged

[pull] main from dubinc:main #66

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
0d24e81
Implement OTP rate limiting on the signup
devkiran Apr 18, 2025
f6000bb
Merge branch 'main' into improve-signup-security
devkiran Apr 18, 2025
e2bfc72
throw 404 if customer not found
steven-tey Apr 18, 2025
d267c9c
Merge branch 'main' of https://github.com/dubinc/dub
steven-tey Apr 18, 2025
8307ee8
Metadata max length
steven-tey Apr 18, 2025
6c9d1f8
reduce maxlength to 500
steven-tey Apr 18, 2025
73bee20
increase max length to 10K
steven-tey Apr 18, 2025
2c54493
combine to refine only
steven-tey Apr 18, 2025
08be112
Merge pull request #2322 from dubinc/metadata-max-length
steven-tey Apr 18, 2025
e7df05d
Merge pull request #2320 from dubinc/improve-signup-security
steven-tey Apr 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 2 additions & 6 deletions apps/web/app/app.dub.co/(dashboard)/[slug]/customers/[customerId]/page-client.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,11 +25,7 @@ export function CustomerPageClient() {
const { customerId } = useParams<{ customerId: string }>();

const { id: workspaceId, slug } = useWorkspace();
const {
data: customer,
isLoading,
error,
} = useCustomer<CustomerEnriched>({
const { data: customer, isLoading } = useCustomer<CustomerEnriched>({
customerId,
query: { includeExpandedFields: true },
});
Expand All @@ -41,7 +37,7 @@ export function CustomerPageClient() {
fetcher,
);

if (!customer && !isLoading && !error) notFound();
if (!customer && !isLoading) notFound();

return (
<div className="mb-10 mt-2">
Expand Down
36 changes: 29 additions & 7 deletions apps/web/lib/actions/create-user-account.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,9 @@

import { ratelimit } from "@/lib/upstash";
import { prisma } from "@dub/prisma";
import { waitUntil } from "@vercel/functions";
import { flattenValidationErrors } from "next-safe-action";
import { createId } from "../api/create-id";
import { getIP } from "../api/utils";
import { hashPassword } from "../auth/password";
import z from "../zod";
import { signUpSchema } from "../zod/schemas/auth";
Expand All @@ -15,6 +15,9 @@ const schema = signUpSchema.extend({
code: z.string().min(6, "OTP must be 6 characters long."),
});

const MAX_OTP_ATTEMPTS = 5; // Block after 5 failed attempts
const OTP_LOCKOUT_DURATION = "24 h"; // Block for 24 hours

// Sign up a new user using email and password
export const createUserAccountAction = actionClient
.schema(schema, {
Expand All @@ -25,26 +28,45 @@ export const createUserAccountAction = actionClient
.action(async ({ parsedInput }) => {
const { email, password, code } = parsedInput;

const { success } = await ratelimit(2, "1 m").limit(`signup:${getIP()}`);
const signupAttemptKey = `signup:attempts:${email}`;

const { remaining: attemptsRemaining } = await ratelimit(
MAX_OTP_ATTEMPTS,
OTP_LOCKOUT_DURATION,
).getRemaining(signupAttemptKey);

if (!success) {
throw new Error("Too many requests. Please try again later.");
if (attemptsRemaining <= 0) {
throw new Error("Too many failed attempts. You have to try again later.");
}

const verificationToken = await prisma.emailVerificationToken.findUnique({
where: {
identifier: email,
token: code,
expires: {
gte: new Date(),
},
},
});

if (!verificationToken) {
await ratelimit(MAX_OTP_ATTEMPTS, OTP_LOCKOUT_DURATION).limit(
signupAttemptKey,
);

throw new Error("Invalid verification code entered.");
}

if (verificationToken.expires && verificationToken.expires < new Date()) {
waitUntil(
prisma.emailVerificationToken.delete({
where: {
identifier: email,
token: code,
},
}),
);

throw new Error("The OTP has expired. Please request a new one.");
}

await prisma.emailVerificationToken.delete({
where: {
identifier: email,
Expand Down
7 changes: 6 additions & 1 deletion apps/web/lib/zod/schemas/leads.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,7 +65,12 @@ export const trackLeadRequestSchema = z.object({
.record(z.unknown())
.nullish()
.default(null)
.describe("Additional metadata to be stored with the lead event"),
.refine((val) => !val || JSON.stringify(val).length <= 10000, {
message: "Metadata must be less than 10,000 characters when stringified",
})
.describe(
"Additional metadata to be stored with the lead event. Max 10,000 characters.",
),
mode: z
.enum(["async", "wait"])
.default("async")
Expand Down
7 changes: 6 additions & 1 deletion apps/web/lib/zod/schemas/sales.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,12 @@ export const trackSaleRequestSchema = z.object({
.record(z.unknown())
.nullish()
.default(null)
.describe("Additional metadata to be stored with the sale event."),
.refine((val) => !val || JSON.stringify(val).length <= 10000, {
message: "Metadata must be less than 10,000 characters when stringified",
})
.describe(
"Additional metadata to be stored with the sale event. Max 10,000 characters.",
),
leadEventName: z
.string()
.nullish()
Expand Down