Limit spamming via unconfirmed email confirmation resend (#4721)

config/initializers/rack_attack.rb

@@ -208,11 +208,19 @@ def self.api_key_owner_id(req)
     end
   end
 
-  protected_confirmation_action = [{ controller: "email_confirmations", action: "create" }]
+  protected_confirmation_action = [
+    { controller: "email_confirmations", action: "create" },
+    { controller: "email_confirmations", action: "unconfirmed" }
+  ]
 
   throttle("email_confirmations/email", limit: REQUEST_LIMIT_PER_EMAIL, period: LIMIT_PERIOD) do |req|
-    if protected_route?(protected_confirmation_action, req.path, req.request_method) && req.params['email_confirmation']
-      User.normalize_email(req.params['email_confirmation']['email']).presence
+    if protected_route?(protected_confirmation_action, req.path, req.request_method)
+      if req.params['email_confirmation']
+        User.normalize_email(req.params['email_confirmation']['email']).presence
+      else
+        action_dispatch_req = ActionDispatch::Request.new(req.env)
+        User.find_by_remember_token(action_dispatch_req.cookie_jar.signed["remember_token"])&.email.presence
+      end
     end
   end
 

test/integration/rack_attack_test.rb

@@ -60,6 +60,17 @@ class RackAttackTest < ActionDispatch::IntegrationTest
       assert_response :success
     end
 
+    should "allow email confirmation resend via unconfirmed" do
+      stay_under_limit_for("clearance/ip/1")
+      stay_under_email_limit_for("email_confirmations/email")
+
+      patch "/email_confirmations/unconfirmed",
+        headers: { REMOTE_ADDR: @ip_address }
+      follow_redirect!
+
+      assert_response :success
+    end
+
     context "owners requests" do
       setup do
         post session_path(session: { who: @user.handle, password: PasswordHelpers::SECURE_TEST_PASSWORD })