Merge pull request #834 from mfb/rate-limit-fix

Normalize email address for rate limiting
EFForg · Jun 2, 2020 · 866b556 · 866b556
2 parents 67a72ec + 6a8099c
commit 866b556
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
@@ -19,7 +19,8 @@ class Rack::Attack
 
   throttle('password reset', limit: 10, period: 1.day) do |req|
     if req.path == '/password' && req.params['user']
-      req.params['user']['email'].presence
+      # Normalize email address (as Devise does by default).
+      req.params['user']['email'].presence ? req.params['user']['email'].strip.downcase : nil
     end
   end