feat: 30s email resend limit (#1951)

Author: tea-artist

apps/nestjs-backend/src/cache/cache.service.ts

@@ -31,7 +31,7 @@ export class CacheService<T extends ICacheStore = ICacheStore> {
   async setDetail<TKey extends keyof T>(
     key: TKey,
     value: T[TKey],
-    ttl?: number | string
+    ttl?: number | string // seconds
   ): Promise<void> {
     const numberTTL = typeof ttl === 'string' ? second(ttl) : ttl;
     await this.cacheManager.set(key as string, value, numberTTL ? numberTTL * 1000 : undefined);

apps/nestjs-backend/src/cache/types.ts

@@ -31,6 +31,7 @@ export interface ICacheStore {
     mailType: MailType;
   })[];
   [key: `waitlist:invite-code:${string}`]: number;
+  [key: `signup-verification-rate-limit:${string}`]: { email: string; timestamp: number };
 }
 
 export interface IAttachmentSignatureCache {

apps/nestjs-backend/src/configs/auth.config.ts

@@ -74,6 +74,10 @@ export const authConfig = registerAs('auth', () => ({
       ? Number(process.env.SIGNIN_ACCOUNT_LOCKOUT_MINUTES)
       : undefined,
   },
+  signupVerificationCodeRateLimitSeconds: process.env
+    .BACKEND_SIGNUP_VERIFICATION_CODE_RATE_LIMIT_SECONDS
+    ? Number(process.env.BACKEND_SIGNUP_VERIFICATION_CODE_RATE_LIMIT_SECONDS)
+    : 30,
 }));
 
 export const AuthConfig = () => Inject(authConfig.KEY);

apps/nestjs-backend/src/features/auth/local-auth/local-auth.controller.ts

@@ -117,9 +117,13 @@ export class LocalAuthController {
   @HttpCode(200)
   async sendSignupVerificationCode(
     @Body(new ZodValidationPipe(sendSignupVerificationCodeRoSchema))
-    body: ISendSignupVerificationCodeRo
+    body: ISendSignupVerificationCodeRo,
+    @Req() req: Request
   ) {
-    return this.authService.sendSignupVerificationCode(body.email);
+    const remoteIp =
+      req.ip || req.connection.remoteAddress || (req.headers['x-forwarded-for'] as string);
+
+    return this.authService.sendSignupVerificationCode(body.email, body.turnstileToken, remoteIp);
   }
 
   @Patch('/change-password')

apps/nestjs-backend/src/features/auth/local-auth/local-auth.service.ts

@@ -17,6 +17,7 @@ import { isEmpty } from 'lodash';
 import ms from 'ms';
 import { ClsService } from 'nestjs-cls';
 import { CacheService } from '../../../cache/cache.service';
+import type { ICacheStore } from '../../../cache/types';
 import { AuthConfig, type IAuthConfig } from '../../../configs/auth.config';
 import { BaseConfig, IBaseConfig } from '../../../configs/base.config';
 import { MailConfig, type IMailConfig } from '../../../configs/mail.config';
@@ -161,11 +162,20 @@ export class LocalAuthService {
     turnstileToken?: string,
     remoteIp?: string
   ): Promise<void> {
-    if (!this.turnstileService.isTurnstileEnabled()) {
-      return; // Turnstile is not enabled, skip validation
+    const isTurnstileEnabled = this.turnstileService.isTurnstileEnabled();
+
+    this.logger.log(
+      `Turnstile validation check - enabled: ${isTurnstileEnabled}, hasToken: ${!!turnstileToken}, tokenLength: ${turnstileToken?.length}, remoteIp: ${remoteIp}`
+    );
+
+    if (!isTurnstileEnabled) {
+      return;
     }
 
     if (!turnstileToken) {
+      this.logger.error(
+        `Turnstile token is missing - enabled: ${isTurnstileEnabled}, remoteIp: ${remoteIp}`
+      );
       throw new BadRequestException('Turnstile token is required');
     }
 
@@ -202,17 +212,15 @@ export class LocalAuthService {
 
       throw new BadRequestException(errorMessage);
     }
-
-    this.logger.debug('Turnstile validation successful', {
-      hostname: validation.data?.hostname,
-      action: validation.data?.action,
-    });
   }
 
   async signup(body: ISignup, remoteIp?: string) {
     const { email, password, defaultSpaceName, refMeta, inviteCode, turnstileToken } = body;
 
-    // Validate Turnstile token if enabled
+    this.logger.log(
+      `Signup attempt - email: ${email}, hasPassword: ${!!password}, hasTurnstileToken: ${!!turnstileToken}, tokenLength: ${turnstileToken?.length}, hasVerification: ${!!body.verification}, remoteIp: ${remoteIp}`
+    );
+
     await this.validateTurnstileIfEnabled(turnstileToken, remoteIp);
 
     await this.verifySignup(body);
@@ -251,18 +259,54 @@ export class LocalAuthService {
     return res;
   }
 
-  async sendSignupVerificationCode(email: string) {
+  async sendSignupVerificationCode(email: string, turnstileToken?: string, remoteIp?: string) {
+    this.logger.log(
+      `Send verification code attempt - email: ${email}, hasTurnstileToken: ${!!turnstileToken}, tokenLength: ${turnstileToken?.length}, remoteIp: ${remoteIp}`
+    );
+
+    // Validate Turnstile token if enabled
+    await this.validateTurnstileIfEnabled(turnstileToken, remoteIp);
+
+    // Check rate limit: ensure interval between emails for the same address
+    // Backend rate limit is configured limit - 2 seconds (to account for network latency)
+    // If configured limit is 0, skip rate limiting entirely
+    const configuredLimit = this.authConfig.signupVerificationCodeRateLimitSeconds;
+    const backendRateLimit = configuredLimit > 0 ? configuredLimit - 2 : 0;
+
+    if (backendRateLimit > 0) {
+      const rateLimitKey = `signup-verification-rate-limit:${email}` as keyof ICacheStore;
+      const existingRateLimit = await this.cacheService.get(rateLimitKey);
+
+      if (existingRateLimit) {
+        this.logger.warn(
+          `Signup verification rate limit exceeded - email: ${email}, remoteIp: ${remoteIp}, timestamp: ${new Date().toISOString()}`
+        );
+        throw new BadRequestException(
+          `Please wait ${configuredLimit} seconds before requesting a new code`
+        );
+      }
+    }
+
     const code = getRandomString(4, RandomType.Number);
     const token = await this.jwtSignupCode(email, code);
+
     if (this.baseConfig.enableEmailCodeConsole) {
       console.info('Signup Verification code: ', '\x1b[34m' + code + '\x1b[0m');
     }
+
     const user = await this.userService.getUserByEmail(email);
     this.isRegisteredValidate(user);
+
+    // Log verification code sending
+    this.logger.log(
+      `Sending signup verification code - email: ${email}, remoteIp: ${remoteIp}, timestamp: ${new Date().toISOString()}, turnstileVerified: ${!!turnstileToken}`
+    );
+
     const emailOptions = await this.mailSenderService.sendEmailVerifyCodeEmailOptions({
       title: 'Signup verification',
       message: `Your verification code is ${code}, expires in ${this.authConfig.signupVerificationExpiresIn}.`,
     });
+
     await this.mailSenderService.sendMail(
       {
         to: email,
@@ -274,6 +318,17 @@ export class LocalAuthService {
         transporterName: MailTransporterType.Notify,
       }
     );
+
+    // Set rate limit using setDetail for exact TTL without random addition
+    if (backendRateLimit > 0) {
+      const rateLimitKey = `signup-verification-rate-limit:${email}` as keyof ICacheStore;
+      await this.cacheService.setDetail(
+        rateLimitKey,
+        { email, timestamp: Date.now() },
+        backendRateLimit
+      );
+    }
+
     return {
       token,
       expiresTime: new Date(

apps/nestjs-backend/src/features/auth/turnstile/turnstile.service.ts

@@ -33,10 +33,14 @@ export class TurnstileService {
     this.turnstileSiteKey = this.configService.get<string>('TURNSTILE_SITE_KEY') || '';
     this.isEnabled = Boolean(this.turnstileSiteKey && this.turnstileSecretKey);
 
+    this.logger.log(
+      `Turnstile Service Initialization - isEnabled: ${this.isEnabled}, hasSiteKey: ${!!this.turnstileSiteKey}, hasSecretKey: ${!!this.turnstileSecretKey}, siteKeyLength: ${this.turnstileSiteKey?.length}, secretKeyLength: ${this.turnstileSecretKey?.length}`
+    );
+
     if (this.isEnabled) {
       this.logger.log('Turnstile validation is enabled');
     } else {
-      this.logger.log('Turnstile validation is disabled - missing site key or secret key');
+      this.logger.warn('Turnstile validation is disabled - missing site key or secret key');
     }
   }
 

apps/nestjs-backend/src/features/setting/open-api/setting-open-api.controller.ts

@@ -27,6 +27,7 @@ import {
   ISetSettingMailTransportConfigRo,
   SettingKey,
 } from '@teable/openapi';
+import { AuthConfig, type IAuthConfig } from '../../../configs/auth.config';
 import { ZodValidationPipe } from '../../../zod.validation.pipe';
 import { Permissions } from '../../auth/decorators/permissions.decorator';
 import { Public } from '../../auth/decorators/public.decorator';
@@ -37,7 +38,8 @@ import { SettingOpenApiService } from './setting-open-api.service';
 export class SettingOpenApiController {
   constructor(
     private readonly settingOpenApiService: SettingOpenApiService,
-    private readonly turnstileService: TurnstileService
+    private readonly turnstileService: TurnstileService,
+    @AuthConfig() private readonly authConfig: IAuthConfig
   ) {}
 
   /**
@@ -85,6 +87,8 @@ export class SettingOpenApiController {
       appGenerationEnabled: Boolean(appConfig?.apiKey),
       webSearchEnabled: Boolean(webSearchConfig?.apiKey),
       turnstileSiteKey: this.turnstileService.getTurnstileSiteKey(),
+      signupVerificationCodeRateLimitSeconds:
+        this.authConfig.signupVerificationCodeRateLimitSeconds,
     };
   }
 

apps/nestjs-backend/test/auth.e2e-spec.ts

@@ -60,6 +60,9 @@ describe('Auth Controller (e2e)', () => {
   const authTestEmail = 'auth@test-auth.com';
 
   beforeAll(async () => {
+    // Disable signup verification code rate limit for E2E tests
+    process.env.BACKEND_SIGNUP_VERIFICATION_CODE_RATE_LIMIT_SECONDS = '0';
+
     const appCtx = await initApp();
     app = appCtx.app;
     clsService = app.get(ClsService);

apps/nextjs-app/.env.example

@@ -186,3 +186,5 @@ BACKEND_PERFORMANCE_CACHE=redis://default:teable@127.0.0.1:6379/0
 # cloudflare turnstile config for auth verify
 TURNSTILE_SITE_KEY=1x00000000000000000000AA
 TURNSTILE_SECRET_KEY=1x0000000000000000000000000000000AA
+
+BACKEND_SIGNUP_VERIFICATION_CODE_RATE_LIMIT_SECONDS=30

apps/nextjs-app/src/features/auth/components/SendVerificationButton.tsx

@@ -9,12 +9,14 @@ interface SendVerificationButtonProps {
   onClick: (e: React.MouseEvent<HTMLButtonElement>) => void;
   disabled: boolean;
   loading?: boolean;
+  countdown?: number;
 }
 
 export const SendVerificationButton = ({
   disabled,
   onClick,
   loading,
+  countdown = 0,
 }: SendVerificationButtonProps) => {
   const { t } = useTranslation(authConfig.i18nNamespaces);
   const [isSuccess, setIsSuccess] = useState(false);
@@ -37,23 +39,30 @@ export const SendVerificationButton = ({
     };
   }, [loading]);
 
+  const getButtonText = () => {
+    if (countdown > 0) {
+      return `${t('auth:button.resend')} (${countdown}s)`;
+    }
+    return t('auth:button.resend');
+  };
+
   return (
     <Button
       variant={'outline'}
       className="mt-4 w-full"
       disabled={disabled}
       onClick={(e) => {
-        if (isSuccess) {
+        if (isSuccess || countdown > 0) {
           return;
         }
         onClick(e);
       }}
     >
       {loading && <Spin />}
-      {!loading && isSuccess && (
+      {!loading && isSuccess && countdown === 0 && (
         <Check className="size-4 animate-bounce text-green-500 dark:text-green-400" />
       )}
-      {t('auth:button.resend')}
+      {getButtonText()}
     </Button>
   );
 };