From 7bbbe0aacd093e30c1979a463de0f2badf3b8f61 Mon Sep 17 00:00:00 2001
From: Artem Niehrieiev
Date: Thu, 5 Feb 2026 14:56:22 +0000
Subject: [PATCH 1/2] feat: add throttling to user invitation and login endpoints
---
 backend/src/entities/company-info/company-info.controller.ts | 1 +
 backend/src/entities/user/user.controller.ts | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/backend/src/entities/company-info/company-info.controller.ts b/backend/src/entities/company-info/company-info.controller.ts
index 5f968c837..2d62193b3 100644
--- a/backend/src/entities/company-info/company-info.controller.ts
+++ b/backend/src/entities/company-info/company-info.controller.ts
@@ -224,6 +224,7 @@ export class CompanyInfoController {
 type: InvitedUserInCompanyAndConnectionGroupDs,
 })
 @UseGuards(CompanyAdminGuard)
+ @Throttle({ default: { limit: isTest() ? 200 : 10, ttl: 60000 } })
 @Put('user/:companyId')
 async inviteUserInCompanyAndConnectionGroup(
 @UserId() userId: string,
diff --git a/backend/src/entities/user/user.controller.ts b/backend/src/entities/user/user.controller.ts
index 7baab372b..f876b40e0 100644
--- a/backend/src/entities/user/user.controller.ts
+++ b/backend/src/entities/user/user.controller.ts
@@ -71,6 +71,8 @@ import { UserSettingsDataRequestDto } from './dto/user-settings-data-request.dto
 import { RequestRestUserPasswordDto } from './dto/request-rest-user-password.dto.js';
 import { SuccessResponse } from '../../microservices/saas-microservice/data-structures/common-responce.ds.js';
 import { Timeout } from '../../decorators/timeout.decorator.js';
+import { Throttle } from '@nestjs/throttler';
+import { isTest } from '../../helpers/app/is-test.js';
 @UseInterceptors(SentryInterceptor)
 @Timeout()
@@ -143,6 +145,7 @@ export class UserController {
 description: 'Login successful.',
 type: TokenExpDs,
 })
+ @Throttle({ default: { limit: isTest() ? 200 : 5, ttl: 60000 } })
 @Post('user/login/')
 async usualLogin(
 @Res({ passthrough: true }) response: Response,
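Review bot: `Throttle` and `isTest` are referenced by the new decorator on `inviteUserInCompanyAndConnectionGroup` in company-info.controller.ts, but this commit adds no import to that file; the diffstat lists a single insertion there, which is the decorator line itself. Unless both names were already imported, the file will not compile, so it needs `import { Throttle } from '@nestjs/throttler';` and `import { isTest } from '../../helpers/app/is-test.js';`, as added to user.controller.ts. The controller class starts and ends outside the hunk, so its existing imports cannot be confirmed from here.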
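Review bot: The `@Throttle` on `usualLogin` only sets the limit and ttl; requests are rejected only when `ThrottlerGuard` is bound (globally through `APP_GUARD` or with `@UseGuards`) and `ThrottlerModule` is configured, and neither is visible in this patch. The same holds for the invitation route in company-info.controller.ts, whose hunk shows only `@UseGuards(CompanyAdminGuard)`, and for the password reset request route in patch 2/2. If the guard is not registered elsewhere, all three decorators are silently inert, so an e2e test that asserts a 429 once the limit is exceeded would pin the behaviour. Note also that `isTest() ? 200 : 5` is evaluated once when the class is defined, so the relaxed limit follows whatever the environment says at import time; a short comment such as `// limit resolved at module load; test mode must never be enabled in production` would make that explicit.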
From 9b44ef882c7f4c6c1f767e1af6cd329fe56ed150 Mon Sep 17 00:00:00 2001
From: Artem Niehrieiev
Date: Thu, 5 Feb 2026 15:03:00 +0000
Subject: [PATCH 2/2] feat: add throttling to password reset request endpoint
---
 backend/src/entities/user/user.controller.ts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/backend/src/entities/user/user.controller.ts b/backend/src/entities/user/user.controller.ts
index f876b40e0..7cf2b9997 100644
--- a/backend/src/entities/user/user.controller.ts
+++ b/backend/src/entities/user/user.controller.ts
@@ -297,6 +297,7 @@ export class UserController {
 description: 'Password reset requested.',
 type: OperationResultMessageDs,
 })
+ @Throttle({ default: { limit: isTest() ? 200 : 5, ttl: 60000 } })
 @Post('user/password/reset/request/')
 async askResetUserPassword(@Body() emailData: RequestRestUserPasswordDto): Promise {
 return await this.requestResetUserPasswordUseCase.execute(emailData, InTransactionEnum.ON);
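Review bot: The limit on `askResetUserPassword` is counted per tracker, which in `@nestjs/throttler` defaults to the request IP, so it does not cap how many reset mails reach one address when requests arrive from different sources. Behind a reverse proxy without `trust proxy` configured, every client may also share a single bucket, and five requests a minute would then lock out legitimate users. Consider a per-recipient cap inside `requestResetUserPasswordUseCase`, or a `ThrottlerGuard` subclass whose `getTracker` also includes the submitted email. The same applies to `usualLogin` in patch 1/2, where per-IP counting does not bound attempts against a single account. The method body continues outside the hunk.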