feat: 30s email resend limit

Author: tea-artist

apps/nestjs-backend/src/cache/cache.service.ts

@@ -31,7 +31,7 @@ export class CacheService<T extends ICacheStore = ICacheStore> {
   async setDetail<TKey extends keyof T>(
     key: TKey,
     value: T[TKey],
-    ttl?: number | string
+    ttl?: number | string // seconds
   ): Promise<void> {
     const numberTTL = typeof ttl === 'string' ? second(ttl) : ttl;
     await this.cacheManager.set(key as string, value, numberTTL ? numberTTL * 1000 : undefined);

apps/nestjs-backend/src/cache/types.ts

@@ -31,6 +31,7 @@ export interface ICacheStore {
     mailType: MailType;
   })[];
   [key: `waitlist:invite-code:${string}`]: number;
+  [key: `signup-verification-rate-limit:${string}`]: { email: string; timestamp: number };
 }
 
 export interface IAttachmentSignatureCache {

apps/nestjs-backend/src/features/auth/local-auth/local-auth.controller.ts

@@ -117,9 +117,13 @@ export class LocalAuthController {
   @HttpCode(200)
   async sendSignupVerificationCode(
     @Body(new ZodValidationPipe(sendSignupVerificationCodeRoSchema))
-    body: ISendSignupVerificationCodeRo
+    body: ISendSignupVerificationCodeRo,
+    @Req() req: Request
   ) {
-    return this.authService.sendSignupVerificationCode(body.email);
+    const remoteIp =
+      req.ip || req.connection.remoteAddress || (req.headers['x-forwarded-for'] as string);
+
+    return this.authService.sendSignupVerificationCode(body.email, body.turnstileToken, remoteIp);
   }
 
   @Patch('/change-password')

apps/nestjs-backend/src/features/auth/local-auth/local-auth.service.ts

@@ -17,6 +17,7 @@ import { isEmpty } from 'lodash';
 import ms from 'ms';
 import { ClsService } from 'nestjs-cls';
 import { CacheService } from '../../../cache/cache.service';
+import type { ICacheStore } from '../../../cache/types';
 import { AuthConfig, type IAuthConfig } from '../../../configs/auth.config';
 import { BaseConfig, IBaseConfig } from '../../../configs/base.config';
 import { MailConfig, type IMailConfig } from '../../../configs/mail.config';
@@ -122,14 +123,18 @@ export class LocalAuthService {
     });
   }
 
-  private async verifySignup(body: ISignup) {
+  private async verifySignup(body: ISignup, turnstileToken?: string, remoteIp?: string) {
     const setting = await this.settingService.getSetting();
     if (!setting?.enableEmailVerification) {
       return;
     }
     const { email, verification } = body;
     if (!verification) {
-      const { token, expiresTime } = await this.sendSignupVerificationCode(email);
+      const { token, expiresTime } = await this.sendSignupVerificationCode(
+        email,
+        turnstileToken,
+        remoteIp
+      );
       throw new CustomHttpException(
         'Verification is required',
         HttpErrorCode.UNPROCESSABLE_ENTITY,
@@ -161,11 +166,20 @@ export class LocalAuthService {
     turnstileToken?: string,
     remoteIp?: string
   ): Promise<void> {
-    if (!this.turnstileService.isTurnstileEnabled()) {
-      return; // Turnstile is not enabled, skip validation
+    const isTurnstileEnabled = this.turnstileService.isTurnstileEnabled();
+
+    this.logger.log(
+      `Turnstile validation check - enabled: ${isTurnstileEnabled}, hasToken: ${!!turnstileToken}, tokenLength: ${turnstileToken?.length}, remoteIp: ${remoteIp}`
+    );
+
+    if (!isTurnstileEnabled) {
+      return;
     }
 
     if (!turnstileToken) {
+      this.logger.error(
+        `Turnstile token is missing - enabled: ${isTurnstileEnabled}, remoteIp: ${remoteIp}`
+      );
       throw new BadRequestException('Turnstile token is required');
     }
 
@@ -202,20 +216,28 @@ export class LocalAuthService {
 
       throw new BadRequestException(errorMessage);
     }
-
-    this.logger.debug('Turnstile validation successful', {
-      hostname: validation.data?.hostname,
-      action: validation.data?.action,
-    });
   }
 
   async signup(body: ISignup, remoteIp?: string) {
     const { email, password, defaultSpaceName, refMeta, inviteCode, turnstileToken } = body;
 
+    this.logger.log(
+      `Signup attempt - email: ${email}, hasPassword: ${!!password}, hasTurnstileToken: ${!!turnstileToken}, tokenLength: ${turnstileToken?.length}, hasVerification: ${!!body.verification}, remoteIp: ${remoteIp}`
+    );
+
+    // Check if email verification is needed first
+    const setting = await this.settingService.getSetting();
+    const needsEmailVerification = setting?.enableEmailVerification && !body.verification;
+
     // Validate Turnstile token if enabled
-    await this.validateTurnstileIfEnabled(turnstileToken, remoteIp);
+    // This will be called once, either here or in sendSignupVerificationCode
+    if (!needsEmailVerification) {
+      // Only validate here if we're not sending verification code
+      // (verification code sending will validate the token)
+      await this.validateTurnstileIfEnabled(turnstileToken, remoteIp);
+    }
 
-    await this.verifySignup(body);
+    await this.verifySignup(body, turnstileToken, remoteIp);
 
     const user = await this.userService.getUserByEmail(email);
     this.isRegisteredValidate(user);
@@ -251,18 +273,45 @@ export class LocalAuthService {
     return res;
   }
 
-  async sendSignupVerificationCode(email: string) {
+  async sendSignupVerificationCode(email: string, turnstileToken?: string, remoteIp?: string) {
+    this.logger.log(
+      `Send verification code attempt - email: ${email}, hasTurnstileToken: ${!!turnstileToken}, tokenLength: ${turnstileToken?.length}, remoteIp: ${remoteIp}`
+    );
+
+    // Validate Turnstile token if enabled
+    await this.validateTurnstileIfEnabled(turnstileToken, remoteIp);
+
+    // Check rate limit: ensure 28 seconds between emails for the same address
+    const rateLimitKey = `signup-verification-rate-limit:${email}` as keyof ICacheStore;
+    const existingRateLimit = await this.cacheService.get(rateLimitKey);
+
+    if (existingRateLimit) {
+      this.logger.warn(
+        `Signup verification rate limit exceeded - email: ${email}, remoteIp: ${remoteIp}, timestamp: ${new Date().toISOString()}`
+      );
+      throw new BadRequestException('Please wait 30 seconds before requesting a new code');
+    }
+
     const code = getRandomString(4, RandomType.Number);
     const token = await this.jwtSignupCode(email, code);
+
     if (this.baseConfig.enableEmailCodeConsole) {
       console.info('Signup Verification code: ', '\x1b[34m' + code + '\x1b[0m');
     }
+
     const user = await this.userService.getUserByEmail(email);
     this.isRegisteredValidate(user);
+
+    // Log verification code sending
+    this.logger.log(
+      `Sending signup verification code - email: ${email}, remoteIp: ${remoteIp}, timestamp: ${new Date().toISOString()}, turnstileVerified: ${!!turnstileToken}`
+    );
+
     const emailOptions = await this.mailSenderService.sendEmailVerifyCodeEmailOptions({
       title: 'Signup verification',
       message: `Your verification code is ${code}, expires in ${this.authConfig.signupVerificationExpiresIn}.`,
     });
+
     await this.mailSenderService.sendMail(
       {
         to: email,
@@ -274,6 +323,10 @@ export class LocalAuthService {
         transporterName: MailTransporterType.Notify,
       }
     );
+
+    // Set rate limit: 28 seconds using setDetail for exact TTL without random addition
+    await this.cacheService.setDetail(rateLimitKey, { email, timestamp: Date.now() }, 28);
+
     return {
       token,
       expiresTime: new Date(

apps/nestjs-backend/src/features/auth/turnstile/turnstile.service.ts

@@ -33,10 +33,14 @@ export class TurnstileService {
     this.turnstileSiteKey = this.configService.get<string>('TURNSTILE_SITE_KEY') || '';
     this.isEnabled = Boolean(this.turnstileSiteKey && this.turnstileSecretKey);
 
+    this.logger.log(
+      `Turnstile Service Initialization - isEnabled: ${this.isEnabled}, hasSiteKey: ${!!this.turnstileSiteKey}, hasSecretKey: ${!!this.turnstileSecretKey}, siteKeyLength: ${this.turnstileSiteKey?.length}, secretKeyLength: ${this.turnstileSecretKey?.length}`
+    );
+
     if (this.isEnabled) {
       this.logger.log('Turnstile validation is enabled');
     } else {
-      this.logger.log('Turnstile validation is disabled - missing site key or secret key');
+      this.logger.warn('Turnstile validation is disabled - missing site key or secret key');
     }
   }
 

apps/nextjs-app/src/features/auth/components/SendVerificationButton.tsx

@@ -9,12 +9,14 @@ interface SendVerificationButtonProps {
   onClick: (e: React.MouseEvent<HTMLButtonElement>) => void;
   disabled: boolean;
   loading?: boolean;
+  countdown?: number;
 }
 
 export const SendVerificationButton = ({
   disabled,
   onClick,
   loading,
+  countdown = 0,
 }: SendVerificationButtonProps) => {
   const { t } = useTranslation(authConfig.i18nNamespaces);
   const [isSuccess, setIsSuccess] = useState(false);
@@ -37,23 +39,30 @@ export const SendVerificationButton = ({
     };
   }, [loading]);
 
+  const getButtonText = () => {
+    if (countdown > 0) {
+      return `${t('auth:button.resend')} (${countdown}s)`;
+    }
+    return t('auth:button.resend');
+  };
+
   return (
     <Button
       variant={'outline'}
       className="mt-4 w-full"
       disabled={disabled}
       onClick={(e) => {
-        if (isSuccess) {
+        if (isSuccess || countdown > 0) {
           return;
         }
         onClick(e);
       }}
     >
       {loading && <Spin />}
-      {!loading && isSuccess && (
+      {!loading && isSuccess && countdown === 0 && (
         <Check className="size-4 animate-bounce text-green-500 dark:text-green-400" />
       )}
-      {t('auth:button.resend')}
+      {getButtonText()}
     </Button>
   );
 };

apps/nextjs-app/src/features/auth/components/SignForm.tsx

@@ -39,6 +39,8 @@ export const SignForm: FC<ISignForm> = (props) => {
   const [isLoading, setIsLoading] = useState<boolean>(false);
   const [error, setError] = useState<string>();
   const [turnstileToken, setTurnstileToken] = useState<string>();
+  const [countdown, setCountdown] = useState<number>(0);
+  const [turnstileKey, setTurnstileKey] = useState<number>(0);
   const emailRef = useRef<HTMLInputElement>(null);
 
   const { data: setting } = useQuery({
@@ -60,8 +62,18 @@ export const SignForm: FC<ISignForm> = (props) => {
     setSignupVerificationToken(undefined);
     setError(undefined);
     setTurnstileToken(undefined);
+    setCountdown(0);
   }, [type]);
 
+  // Countdown timer for send verification code button
+  useEffect(() => {
+    if (countdown <= 0) return;
+    const timer = setTimeout(() => {
+      setCountdown((prev) => prev - 1);
+    }, 1000);
+    return () => clearTimeout(timer);
+  }, [countdown]);
+
   const { mutate: submitMutation } = useMutation({
     mutationFn: ({ type, form }: { type: 'signin' | 'signup'; form: ISignin }) => {
       if (type === 'signin') {
@@ -86,6 +98,7 @@ export const SignForm: FC<ISignForm> = (props) => {
           if (error.data && typeof error.data === 'object' && 'token' in error.data) {
             setSignupVerificationToken(error.data.token as string);
             setError(undefined);
+            setCountdown(30);
           } else {
             setError(error.message);
           }
@@ -109,13 +122,19 @@ export const SignForm: FC<ISignForm> = (props) => {
         default:
           setError(error.message);
       }
+      // Reset turnstile token on any error to force re-verification
+      setTurnstileToken(undefined);
+      setTurnstileKey((prev) => prev + 1);
       setIsLoading(false);
       return true;
     },
     meta: {
       preventGlobalError: true,
     },
     onSuccess: () => {
+      // Reset turnstile token after successful submission
+      setTurnstileToken(undefined);
+      setTurnstileKey((prev) => prev + 1);
       onSuccess?.();
     },
   });
@@ -124,9 +143,24 @@ export const SignForm: FC<ISignForm> = (props) => {
     mutate: sendSignupVerificationCodeMutation,
     isLoading: sendSignupVerificationCodeLoading,
   } = useMutation({
-    mutationFn: (email: string) => sendSignupVerificationCode(email),
+    mutationFn: ({ email, turnstileToken }: { email: string; turnstileToken?: string }) =>
+      sendSignupVerificationCode(email, turnstileToken),
     onSuccess: (data) => {
       setSignupVerificationToken(data.data.token);
+      // Start 30 second countdown
+      setCountdown(30);
+      // Reset turnstile token and force widget refresh
+      setTurnstileToken(undefined);
+      setTurnstileKey((prev) => prev + 1);
+    },
+    onError: (error: HttpError) => {
+      // Reset turnstile on error
+      setTurnstileToken(undefined);
+      setTurnstileKey((prev) => prev + 1);
+      setError(error.message);
+    },
+    meta: {
+      preventGlobalError: true,
     },
   });
 
@@ -317,7 +351,7 @@ export const SignForm: FC<ISignForm> = (props) => {
                   onChange={(e) => setSignupVerificationCode(e.target.value)}
                 />
                 <SendVerificationButton
-                  disabled={sendSignupVerificationCodeLoading}
+                  disabled={sendSignupVerificationCodeLoading || countdown > 0}
                   onClick={(e) => {
                     e.preventDefault();
                     e.stopPropagation();
@@ -328,14 +362,25 @@ export const SignForm: FC<ISignForm> = (props) => {
                     if (!email) {
                       return;
                     }
-                    const res = sendSignupVerificationCodeRoSchema.safeParse({ email });
+
+                    // Check Turnstile verification if enabled
+                    if (turnstileSiteKey && !turnstileToken) {
+                      setError(t('auth:signError.turnstileRequired'));
+                      return;
+                    }
+
+                    const res = sendSignupVerificationCodeRoSchema.safeParse({
+                      email,
+                      turnstileToken,
+                    });
                     if (!res.success) {
                       setError(fromZodError(res.error).message);
                       return;
                     }
-                    sendSignupVerificationCodeMutation(email);
+                    sendSignupVerificationCodeMutation({ email, turnstileToken });
                   }}
                   loading={sendSignupVerificationCodeLoading}
+                  countdown={countdown}
                 />
               </div>
             )}
@@ -345,6 +390,7 @@ export const SignForm: FC<ISignForm> = (props) => {
           {turnstileSiteKey && (
             <div className="flex justify-center">
               <TurnstileWidget
+                key={turnstileKey}
                 siteKey={turnstileSiteKey}
                 onVerify={handleTurnstileVerify}
                 onError={handleTurnstileError}

packages/openapi/src/auth/send-signup-verification-code.ts

@@ -7,6 +7,7 @@ export const SEND_SIGNUP_VERIFICATION_CODE = '/auth/send-signup-verification-cod
 
 export const sendSignupVerificationCodeRoSchema = z.object({
   email: z.string().email(),
+  turnstileToken: z.string().optional(),
 });
 
 export type ISendSignupVerificationCodeRo = z.infer<typeof sendSignupVerificationCodeRoSchema>;
@@ -44,5 +45,8 @@ export const sendSignupVerificationCodeRoute: RouteConfig = registerRoute({
   tags: ['auth'],
 });
 
-export const sendSignupVerificationCode = (email: string) =>
-  axios.post<ISendSignupVerificationCodeVo>(SEND_SIGNUP_VERIFICATION_CODE, { email });
+export const sendSignupVerificationCode = (email: string, turnstileToken?: string) =>
+  axios.post<ISendSignupVerificationCodeVo>(SEND_SIGNUP_VERIFICATION_CODE, {
+    email,
+    turnstileToken,
+  });