From 6252e4f04e7459e81f31459828e26502ac48bfec Mon Sep 17 00:00:00 2001
From: isra el
Date: Fri, 20 Jun 2025 19:45:01 +0300
Subject: [PATCH] chore(api): limit max 5 pw reset requests per day

---
 api/src/auth/auth.service.ts | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/api/src/auth/auth.service.ts b/api/src/auth/auth.service.ts
index dacc4b3..3878f62 100644
--- a/api/src/auth/auth.service.ts
+++ b/api/src/auth/auth.service.ts
@@ -160,6 +160,20 @@ export class AuthService {
 }
 }
 
+ // Check if user has requested password reset more than 5 times in the last 24 hours
+ const twentyFourHoursAgo = new Date(Date.now() - 24 * 60 * 60 * 1000)
+ const resetCount = await this.passwordResetModel.countDocuments({
+ user: user._id,
+ createdAt: { $gte: twentyFourHoursAgo }
+ })
+
+ if (resetCount >= 5) {
+ throw new HttpException(
+ { error: 'Too many password reset requests. Please try again later.' },
+ HttpStatus.TOO_MANY_REQUESTS
+ )
+ }
+
 const otp = Math.floor(100000 + Math.random() * 900000).toString()
 const expiresAt = new Date(Date.now() + 20 * 60 * 1000)
 
@@ -169,7 +183,7 @@ export class AuthService {
 otp: hashedOtp,
 expiresAt,
 })
- passwordReset.save()
+ await passwordReset.save()
 
 const resetLink = `${process.env.FRONTEND_URL || 'https://textbee.dev'}/reset-password?email=${encodeURIComponent(user.email)}&otp=${otp}`
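Review bot: The cap is enforced as a non-atomic count-then-insert — `countDocuments` here and the later `passwordReset.save()` are separate round trips — so a burst of concurrent requests for one user can each read `resetCount` below 5 and all pass the `>= 5` check; if the limit must be hard, document it as best-effort or enforce it where the document is inserted, and name the bounds (`const MAX_RESET_REQUESTS_PER_DAY = 5`) rather than leaving bare literals in the filter and comparison. The filter also depends on `createdAt` being present on the reset documents, which is only true if the schema has timestamps enabled; if it does not, the query matches nothing and the limit is silently ineffective, so this is worth confirming. The 429 is raised only after a user has been resolved (that lookup sits above this hunk), so its distinct status may reveal to a caller that an address is registered unless unknown addresses already receive the same generic response. Separately, the OTP on the unchanged line below comes from `Math.random()`, which is not a CSPRNG; `const otp = randomInt(100000, 1000000).toString()` with `import { randomInt } from 'crypto'` yields an unpredictable code. The enclosing method begins before and ends after this hunk.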