Aktueller Stand

2026-01-15 23:18:42 +01:00
parent 46eae2a2a9
commit dcf45bac3d
32 changed files with 2625 additions and 395 deletions
--- a/app/api/password-reset/request/route.ts
+++ b/app/api/password-reset/request/route.ts
@@ -2,6 +2,8 @@ import { randomUUID } from "crypto";
 import { NextResponse } from "next/server";
 import { prisma } from "../../../../lib/prisma";
 import { sendMail } from "../../../../lib/mailer";
+import { checkRateLimit, getRateLimitConfig } from "../../../../lib/rate-limit";
+import { getClientIp } from "../../../../lib/request";

 export async function POST(request: Request) {
  const body = await request.json();
@@ -11,9 +13,37 @@ export async function POST(request: Request) {
    return NextResponse.json({ error: "E-Mail erforderlich." }, { status: 400 });
  }

-  const user = await prisma.user.findUnique({ where: { email } });
+  const normalizedEmail = String(email).trim().toLowerCase();
+  const ip = getClientIp(request);
+  const rateKey = `pwreset:${normalizedEmail}:${ip}`;
+  const rateConfig = getRateLimitConfig("RATE_LIMIT_PASSWORD_RESET", 3);
+  const rate = await checkRateLimit({
+    key: rateKey,
+    limit: rateConfig.limit,
+    windowMs: rateConfig.windowMs
+  });
+  if (!rate.ok) {
+    return NextResponse.json(
+      { error: "Zu viele Anfragen. Bitte später erneut versuchen." },
+      { status: 429 }
+    );
+  }
+
+  const user = await prisma.user.findUnique({ where: { email: normalizedEmail } });

  if (user) {
+    const existingToken = await prisma.passwordResetToken.findFirst({
+      where: {
+        userId: user.id,
+        createdAt: { gt: new Date(Date.now() - 15 * 60 * 1000) }
+      },
+      orderBy: { createdAt: "desc" }
+    });
+
+    if (existingToken) {
+      return NextResponse.json({ ok: true });
+    }
+
    await prisma.passwordResetToken.deleteMany({ where: { userId: user.id } });

    const token = randomUUID();
@@ -31,7 +61,7 @@ export async function POST(request: Request) {
    const resetUrl = `${baseUrl}/reset/confirm?token=${token}`;

    await sendMail({
-      to: email,
+      to: normalizedEmail,
      subject: "Passwort zurücksetzen",
      text: `Passwort zurücksetzen: ${resetUrl}`
    });