From 4aa126fe0fb0779a877be82c48942a52777fa2b6 Mon Sep 17 00:00:00 2001
From: Bohdan Shtepan
Date: Mon, 12 May 2025 10:23:19 +0200
Subject: [PATCH] IDTEAM-4740: use parallel_limiter to prevent auth_mfa abusing. (#2464)

* IDTEAM-4740: use parallel_limiter to prevent auth_mfa abusing.
* IDTEAM-4740: put back the regular rate limiter.
---
 app/api/views/auth_mfa.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/app/api/views/auth_mfa.py b/app/api/views/auth_mfa.py
index aa770ca4..b7126de6 100644
--- a/app/api/views/auth_mfa.py
+++ b/app/api/views/auth_mfa.py
@@ -3,6 +3,7 @@ from flask import jsonify, request
 from flask_login import login_user
 from itsdangerous import Signer
+from app import parallel_limiter
 from app.api.base import api_bp
 from app.config import FLASK_SECRET
 from app.db import Session
@@ -14,6 +15,7 @@ from app.models import User, ApiKey
 @api_bp.route("/auth/mfa", methods=["POST"])
 @limiter.limit("10/minute")
+@parallel_limiter.lock(name="mfa_auth")
 def auth_mfa():
 """ Validate the OTP Token
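Review bot: The added `@parallel_limiter.lock(name="mfa_auth")` on `auth_mfa` does not show what the lock is keyed on, and that decides whether it limits OTP guessing against an account or only per client. The endpoint runs before login, so there is presumably no authenticated user to key on; if the lock falls back to the caller's address, as `@limiter.limit("10/minute")` above it probably does, attempts against one account from several addresses are still not serialised. Please confirm in `parallel_limiter` how the key is derived for unauthenticated requests and whether the lock fails open when its backend is unavailable. A comment above the decorator would record the intent, e.g. `# one in-flight OTP check per <lock key>; per-account attempt limits are enforced in <location>`. The body of `auth_mfa` continues outside the hunk, and the diffstat shows no test covering concurrent requests.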