feat: configurable email and sms rate limiting

internal/api/api.go

@@ -140,9 +140,8 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 
 		r.Get("/authorize", api.ExternalProviderRedirect)
 
-		sharedLimiter := api.limitEmailOrPhoneSentHandler(api.limiterOpts)
-		r.With(sharedLimiter).With(api.requireAdminCredentials).Post("/invite", api.Invite)
-		r.With(sharedLimiter).With(api.verifyCaptcha).Route("/signup", func(r *router) {
+		r.With(api.requireAdminCredentials).Post("/invite", api.Invite)
+		r.With(api.verifyCaptcha).Route("/signup", func(r *router) {
 			// rate limit per hour
 			limitAnonymousSignIns := api.limiterOpts.AnonymousSignIns
 			limitSignups := api.limiterOpts.Signups
@@ -165,24 +164,20 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 				if _, err := api.limitHandler(limitSignups)(w, r); err != nil {
 					return err
 				}
-				// apply shared rate limiting on email / phone
-				if _, err := sharedLimiter(w, r); err != nil {
-					return err
-				}
 				return api.Signup(w, r)
 			})
 		})
 		r.With(api.limitHandler(api.limiterOpts.Recover)).
-			With(sharedLimiter).With(api.verifyCaptcha).With(api.requireEmailProvider).Post("/recover", api.Recover)
+			With(api.verifyCaptcha).With(api.requireEmailProvider).Post("/recover", api.Recover)
 
 		r.With(api.limitHandler(api.limiterOpts.Resend)).
-			With(sharedLimiter).With(api.verifyCaptcha).Post("/resend", api.Resend)
+			With(api.verifyCaptcha).Post("/resend", api.Resend)
 
 		r.With(api.limitHandler(api.limiterOpts.MagicLink)).
-			With(sharedLimiter).With(api.verifyCaptcha).Post("/magiclink", api.MagicLink)
+			With(api.verifyCaptcha).Post("/magiclink", api.MagicLink)
 
 		r.With(api.limitHandler(api.limiterOpts.Otp)).
-			With(sharedLimiter).With(api.verifyCaptcha).Post("/otp", api.Otp)
+			With(api.verifyCaptcha).Post("/otp", api.Otp)
 
 		r.With(api.limitHandler(api.limiterOpts.Token)).
 			With(api.verifyCaptcha).Post("/token", api.Token)
@@ -200,8 +195,7 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 
 		r.With(api.requireAuthentication).Route("/user", func(r *router) {
 			r.Get("/", api.UserGet)
-			r.With(api.limitHandler(api.limiterOpts.User)).
-				With(sharedLimiter).Put("/", api.UserUpdate)
+			r.With(api.limitHandler(api.limiterOpts.User)).Put("/", api.UserUpdate)
 
 			r.Route("/identities", func(r *router) {
 				r.Use(api.requireManualLinkingEnabled)

internal/api/context.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"net/url"
 
-	"github.com/didip/tollbooth/v5/limiter"
 	jwt "github.com/golang-jwt/jwt/v5"
 	"github.com/supabase/auth/internal/models"
 )
@@ -32,7 +31,6 @@ const (
 	ssoProviderKey          = contextKey("sso_provider")
 	externalHostKey         = contextKey("external_host")
 	flowStateKey            = contextKey("flow_state_id")
-	sharedLimiterKey        = contextKey("shared_limiter")
 )
 
 // withToken adds the JWT token to the context.
@@ -243,20 +241,3 @@ func getExternalHost(ctx context.Context) *url.URL {
 	}
 	return obj.(*url.URL)
 }
-
-type SharedLimiter struct {
-	EmailLimiter *limiter.Limiter
-	PhoneLimiter *limiter.Limiter
-}
-
-func withLimiter(ctx context.Context, limiter *SharedLimiter) context.Context {
-	return context.WithValue(ctx, sharedLimiterKey, limiter)
-}
-
-func getLimiter(ctx context.Context) *SharedLimiter {
-	obj := ctx.Value(sharedLimiterKey)
-	if obj == nil {
-		return nil
-	}
-	return obj.(*SharedLimiter)
-}

internal/api/mail.go

@@ -5,7 +5,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/didip/tollbooth/v5"
 	"github.com/supabase/auth/internal/hooks"
 	mail "github.com/supabase/auth/internal/mailer"
 	"go.opentelemetry.io/otel/attribute"
@@ -578,15 +577,13 @@ func (a *API) sendEmail(r *http.Request, tx *storage.Connection, u *models.User,
 	externalURL := getExternalHost(ctx)
 
 	// apply rate limiting before the email is sent out
-	if limiter := getLimiter(ctx); limiter != nil {
-		if err := tollbooth.LimitByKeys(limiter.EmailLimiter, []string{"email_functions"}); err != nil {
-			emailRateLimitCounter.Add(
-				ctx,
-				1,
-				metric.WithAttributeSet(attribute.NewSet(attribute.String("path", r.URL.Path))),
-			)
-			return EmailRateLimitExceeded
-		}
+	if ok := a.limiterOpts.Email.Allow(); !ok {
+		emailRateLimitCounter.Add(
+			ctx,
+			1,
+			metric.WithAttributeSet(attribute.NewSet(attribute.String("path", r.URL.Path))),
+		)
+		return EmailRateLimitExceeded
 	}
 
 	if config.Hook.SendEmail.Enabled {

internal/api/middleware.go

@@ -77,27 +77,6 @@ func (a *API) limitHandler(lmt *limiter.Limiter) middlewareHandler {
 	}
 }
 
-func (a *API) limitEmailOrPhoneSentHandler(limiterOptions *LimiterOptions) middlewareHandler {
-	return func(w http.ResponseWriter, req *http.Request) (context.Context, error) {
-		c := req.Context()
-		config := a.config
-		shouldRateLimitEmail := config.External.Email.Enabled && !config.Mailer.Autoconfirm
-		shouldRateLimitPhone := config.External.Phone.Enabled && !config.Sms.Autoconfirm
-
-		if shouldRateLimitEmail || shouldRateLimitPhone {
-			if req.Method == "PUT" || req.Method == "POST" {
-				// store rate limiter in request context
-				c = withLimiter(c, &SharedLimiter{
-					EmailLimiter: limiterOptions.Email,
-					PhoneLimiter: limiterOptions.Phone,
-				})
-			}
-		}
-
-		return c, nil
-	}
-}
-
 func (a *API) requireAdminCredentials(w http.ResponseWriter, req *http.Request) (context.Context, error) {
 	t, err := a.extractBearerToken(req)
 	if err != nil || t == "" {

internal/api/middleware_test.go

@@ -185,52 +185,6 @@ func (ts *MiddlewareTestSuite) TestVerifyCaptchaInvalid() {
 	}
 }
 
-func (ts *MiddlewareTestSuite) TestLimitEmailOrPhoneSentHandler() {
-	// Set up rate limit config for this test
-	ts.Config.RateLimitEmailSent = 5
-	ts.Config.RateLimitSmsSent = 5
-	ts.Config.External.Phone.Enabled = true
-
-	cases := []struct {
-		desc             string
-		expectedErrorMsg string
-		requestBody      map[string]interface{}
-	}{
-		{
-			desc:             "Email rate limit exceeded",
-			expectedErrorMsg: "429: Email rate limit exceeded",
-			requestBody: map[string]interface{}{
-				"email": "[email protected]",
-			},
-		},
-		{
-			desc:             "SMS rate limit exceeded",
-			expectedErrorMsg: "429: SMS rate limit exceeded",
-			requestBody: map[string]interface{}{
-				"phone": "+1233456789",
-			},
-		},
-	}
-
-	limiter := ts.API.limitEmailOrPhoneSentHandler(NewLimiterOptions(ts.Config))
-	for _, c := range cases {
-		ts.Run(c.desc, func() {
-			var buffer bytes.Buffer
-			require.NoError(ts.T(), json.NewEncoder(&buffer).Encode(c.requestBody))
-			req := httptest.NewRequest(http.MethodPost, "http://localhost", &buffer)
-			req.Header.Set("Content-Type", "application/json")
-			w := httptest.NewRecorder()
-
-			ctx, err := limiter(w, req)
-			require.NoError(ts.T(), err)
-
-			// check that shared limiter is set in the request context
-			sharedLimiter := getLimiter(ctx)
-			require.NotNil(ts.T(), sharedLimiter)
-		})
-	}
-}
-
 func (ts *MiddlewareTestSuite) TestIsValidExternalHost() {
 	cases := []struct {
 		desc        string
@@ -388,134 +342,6 @@ func (ts *MiddlewareTestSuite) TestLimitHandler() {
 	require.Equal(ts.T(), http.StatusTooManyRequests, w.Code)
 }
 
-func (ts *MiddlewareTestSuite) TestLimitHandlerWithSharedLimiter() {
-	// setup config for shared limiter and ip-based limiter to work
-	ts.Config.RateLimitHeader = "X-Rate-Limit"
-	ts.Config.External.Email.Enabled = true
-	ts.Config.External.Phone.Enabled = true
-	ts.Config.Mailer.Autoconfirm = false
-	ts.Config.Sms.Autoconfirm = false
-
-	ipBasedLimiter := func(max float64) *limiter.Limiter {
-		return tollbooth.NewLimiter(max, &limiter.ExpirableOptions{
-			DefaultExpirationTTL: time.Hour,
-		})
-	}
-
-	okHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		limiter := getLimiter(r.Context())
-		if limiter != nil {
-			var requestBody struct {
-				Email string `json:"email"`
-				Phone string `json:"phone"`
-			}
-			err := retrieveRequestParams(r, &requestBody)
-			require.NoError(ts.T(), err)
-
-			if requestBody.Email != "" {
-				if err := tollbooth.LimitByKeys(limiter.EmailLimiter, []string{"email_functions"}); err != nil {
-					sendJSON(w, http.StatusTooManyRequests, HTTPError{
-						HTTPStatus: http.StatusTooManyRequests,
-						ErrorCode:  ErrorCodeOverEmailSendRateLimit,
-						Message:    "Email rate limit exceeded",
-					})
-				}
-			}
-			if requestBody.Phone != "" {
-				if err := tollbooth.LimitByKeys(limiter.EmailLimiter, []string{"phone_functions"}); err != nil {
-					sendJSON(w, http.StatusTooManyRequests, HTTPError{
-						HTTPStatus: http.StatusTooManyRequests,
-						ErrorCode:  ErrorCodeOverSMSSendRateLimit,
-						Message:    "SMS rate limit exceeded",
-					})
-				}
-			}
-		}
-		w.WriteHeader(http.StatusOK)
-	})
-
-	cases := []struct {
-		desc                 string
-		sharedLimiterConfig  *conf.GlobalConfiguration
-		ipBasedLimiterConfig float64
-		body                 map[string]interface{}
-		expectedErrorCode    string
-	}{
-		{
-			desc: "Exceed ip-based rate limit before shared limiter",
-			sharedLimiterConfig: &conf.GlobalConfiguration{
-				RateLimitEmailSent: 10,
-				RateLimitSmsSent:   10,
-			},
-			ipBasedLimiterConfig: 1,
-			body: map[string]interface{}{
-				"email": "[email protected]",
-			},
-			expectedErrorCode: ErrorCodeOverRequestRateLimit,
-		},
-		{
-			desc: "Exceed email shared limiter",
-			sharedLimiterConfig: &conf.GlobalConfiguration{
-				RateLimitEmailSent: 1,
-				RateLimitSmsSent:   1,
-			},
-			ipBasedLimiterConfig: 10,
-			body: map[string]interface{}{
-				"email": "[email protected]",
-			},
-			expectedErrorCode: ErrorCodeOverEmailSendRateLimit,
-		},
-		{
-			desc: "Exceed sms shared limiter",
-			sharedLimiterConfig: &conf.GlobalConfiguration{
-				RateLimitEmailSent: 1,
-				RateLimitSmsSent:   1,
-			},
-			ipBasedLimiterConfig: 10,
-			body: map[string]interface{}{
-				"phone": "123456789",
-			},
-			expectedErrorCode: ErrorCodeOverSMSSendRateLimit,
-		},
-	}
-
-	for _, c := range cases {
-		ts.Run(c.desc, func() {
-			ts.Config.RateLimitEmailSent = c.sharedLimiterConfig.RateLimitEmailSent
-			ts.Config.RateLimitSmsSent = c.sharedLimiterConfig.RateLimitSmsSent
-			lmt := ts.API.limitHandler(ipBasedLimiter(c.ipBasedLimiterConfig))
-			sharedLimiter := ts.API.limitEmailOrPhoneSentHandler(NewLimiterOptions(ts.Config))
-
-			// get the minimum amount to reach the threshold just before the rate limit is exceeded
-			threshold := min(c.sharedLimiterConfig.RateLimitEmailSent, c.sharedLimiterConfig.RateLimitSmsSent, c.ipBasedLimiterConfig)
-			for i := 0; i < int(threshold); i++ {
-				var buffer bytes.Buffer
-				require.NoError(ts.T(), json.NewEncoder(&buffer).Encode(c.body))
-				req := httptest.NewRequest(http.MethodPost, "http://localhost", &buffer)
-				req.Header.Add(ts.Config.RateLimitHeader, "0.0.0.0")
-
-				w := httptest.NewRecorder()
-				lmt.handler(sharedLimiter.handler(okHandler)).ServeHTTP(w, req)
-				require.Equal(ts.T(), http.StatusOK, w.Code)
-			}
-
-			var buffer bytes.Buffer
-			require.NoError(ts.T(), json.NewEncoder(&buffer).Encode(c.body))
-			req := httptest.NewRequest(http.MethodPost, "http://localhost", &buffer)
-			req.Header.Add(ts.Config.RateLimitHeader, "0.0.0.0")
-
-			// check if the rate limit is exceeded with the expected error code
-			w := httptest.NewRecorder()
-			lmt.handler(sharedLimiter.handler(okHandler)).ServeHTTP(w, req)
-			require.Equal(ts.T(), http.StatusTooManyRequests, w.Code)
-
-			var data map[string]interface{}
-			require.NoError(ts.T(), json.NewDecoder(w.Body).Decode(&data))
-			require.Equal(ts.T(), c.expectedErrorCode, data["error_code"])
-		})
-	}
-}
-
 func (ts *MiddlewareTestSuite) TestIsValidAuthorizedEmail() {
 	ts.API.config.External.Email.AuthorizedAddresses = []string{"[email protected]"}
 

internal/api/options.go

@@ -13,8 +13,9 @@ type Option interface {
 }
 
 type LimiterOptions struct {
-	Email            *limiter.Limiter
-	Phone            *limiter.Limiter
+	Email *RateLimiter
+	Phone *RateLimiter
+
 	Signups          *limiter.Limiter
 	AnonymousSignIns *limiter.Limiter
 	Recover          *limiter.Limiter
@@ -35,16 +36,8 @@ func (lo *LimiterOptions) apply(a *API) { a.limiterOpts = lo }
 func NewLimiterOptions(gc *conf.GlobalConfiguration) *LimiterOptions {
 	o := &LimiterOptions{}
 
-	o.Email = tollbooth.NewLimiter(gc.RateLimitEmailSent/(60*60),
-		&limiter.ExpirableOptions{
-			DefaultExpirationTTL: time.Hour,
-		}).SetBurst(int(gc.RateLimitEmailSent)).SetMethods([]string{"PUT", "POST"})
-
-	o.Phone = tollbooth.NewLimiter(gc.RateLimitSmsSent/(60*60),
-		&limiter.ExpirableOptions{
-			DefaultExpirationTTL: time.Hour,
-		}).SetBurst(int(gc.RateLimitSmsSent)).SetMethods([]string{"PUT", "POST"})
-
+	o.Email = newRateLimiter(gc.RateLimitEmailSent)
+	o.Phone = newRateLimiter(gc.RateLimitSmsSent)
 	o.AnonymousSignIns = tollbooth.NewLimiter(gc.RateLimitAnonymousUsers/(60*60),
 		&limiter.ExpirableOptions{
 			DefaultExpirationTTL: time.Hour,

internal/api/phone.go

@@ -8,7 +8,6 @@ import (
 	"text/template"
 	"time"
 
-	"github.com/didip/tollbooth/v5"
 	"github.com/supabase/auth/internal/hooks"
 
 	"github.com/pkg/errors"
@@ -45,7 +44,6 @@ func formatPhoneNumber(phone string) string {
 
 // sendPhoneConfirmation sends an otp to the user's phone number
 func (a *API) sendPhoneConfirmation(r *http.Request, tx *storage.Connection, user *models.User, phone, otpType string, channel string) (string, error) {
-	ctx := r.Context()
 	config := a.config
 
 	var token *string
@@ -89,11 +87,8 @@ func (a *API) sendPhoneConfirmation(r *http.Request, tx *storage.Connection, use
 	// not using test OTPs
 	if otp == "" {
 		// apply rate limiting before the sms is sent out
-		limiter := getLimiter(ctx)
-		if limiter != nil {
-			if err := tollbooth.LimitByKeys(limiter.PhoneLimiter, []string{"phone_functions"}); err != nil {
-				return "", tooManyRequestsError(ErrorCodeOverSMSSendRateLimit, "SMS rate limit exceeded")
-			}
+		if ok := a.limiterOpts.Phone.Allow(); !ok {
+			return "", tooManyRequestsError(ErrorCodeOverSMSSendRateLimit, "SMS rate limit exceeded")
 		}
 		otp, err = crypto.GenerateOtp(config.Sms.OtpLength)
 		if err != nil {