strapi-plugin-magic-link-v5 4.9.4 → 4.11.0

package/admin/src/pages/Settings/SettingsModern.jsx

@@ -138,8 +138,13 @@ const SettingsModern = () => {
     callback_url: '',
     allow_magic_links_on_public_registration: false,
     store_login_info: true,
-    ui_language: 'en'
+    ui_language: 'en',
+    rate_limit_enabled: true,
+    rate_limit_max_attempts: 5,
+    rate_limit_window_minutes: 15
   });
+  
+  const [rateLimitStats, setRateLimitStats] = useState(null);
 
   const loadSettings = useCallback(async () => {
     setIsLoading(true);
@@ -147,6 +152,16 @@ const SettingsModern = () => {
       const res = await get('/magic-link/settings');
       const settingsData = res.data.settings || res.data.data || res.data;
       setSettings(prev => ({ ...prev, ...settingsData }));
+      
+      // Load rate limit stats
+      try {
+        const statsRes = await get('/magic-link/rate-limit/stats');
+        if (statsRes?.data?.data) {
+          setRateLimitStats(statsRes.data.data);
+        }
+      } catch (error) {
+        console.error('Error loading rate limit stats:', error);
+      }
     } catch (error) {
       if (error.name !== 'AbortError') {
         console.error('Error loading settings:', error);
@@ -194,6 +209,40 @@ const SettingsModern = () => {
   const handleLanguageChange = (newLang) => {
     changeLanguage(newLang);
   };
+  
+  const handleRateLimitCleanup = async () => {
+    try {
+      await get('/magic-link/rate-limit/cleanup');
+      toggleNotification({
+        type: 'success',
+        message: formatMessage({ id: getTrad('settings.rateLimit.cleanupSuccess') })
+      });
+      loadSettings();
+    } catch (error) {
+      toggleNotification({
+        type: 'danger',
+        message: formatMessage({ id: getTrad('settings.rateLimit.cleanupError') })
+      });
+    }
+  };
+  
+  const handleRateLimitReset = async () => {
+    if (window.confirm(formatMessage({ id: getTrad('settings.rateLimit.resetConfirm') }))) {
+      try {
+        await get('/magic-link/rate-limit/reset');
+        toggleNotification({
+          type: 'success',
+          message: formatMessage({ id: getTrad('settings.rateLimit.resetSuccess') })
+        });
+        loadSettings();
+      } catch (error) {
+        toggleNotification({
+          type: 'danger',
+          message: formatMessage({ id: getTrad('settings.rateLimit.resetError') })
+        });
+      }
+    }
+  };
 
   if (isLoading) {
     return (
@@ -1114,6 +1163,159 @@ ${language === 'de' ? 'Der Link läuft in 1 Stunde ab.' : 'The link expires in 1
               </Box>
             </Accordion.Content>
           </Accordion.Item>
+
+          {/* Rate Limiting */}
+          <Accordion.Item value="ratelimit">
+            <Accordion.Header>
+              <Accordion.Trigger
+                icon={Shield}
+                description={formatMessage({ id: getTrad('settings.section.rateLimit.description') })}
+              >
+                {formatMessage({ id: getTrad('settings.section.rateLimit') })}
+              </Accordion.Trigger>
+            </Accordion.Header>
+            <Accordion.Content>
+              <Box padding={6}>
+                {/* Rate Limit Toggle */}
+                <Box background="neutral100" padding={5} style={{ borderRadius: theme.borderRadius.md, marginBottom: '24px' }}>
+                  <Typography variant="sigma" fontWeight="bold" style={{ marginBottom: '8px', display: 'block', textAlign: 'center', color: theme.colors.neutral[700] }}>
+                    {formatMessage({ id: getTrad('settings.rateLimit.title') })}
+                  </Typography>
+                  <Typography variant="pi" textColor="neutral600" style={{ marginBottom: '20px', display: 'block', textAlign: 'center', fontSize: '12px' }}>
+                    {formatMessage({ id: getTrad('settings.rateLimit.subtitle') })}
+                  </Typography>
+                  <Grid.Root gap={4}>
+                    <Grid.Item col={12}>
+                      <ToggleCard $active={settings.rate_limit_enabled} $statusLabel={settings.rate_limit_enabled ? statusActive : statusInactive}>
+                        <Flex direction="column" gap={3}>
+                          <Flex justifyContent="center" alignItems="center" style={{ marginBottom: '8px' }}>
+                            <Toggle
+                              checked={settings.rate_limit_enabled}
+                              onChange={(e) => updateSetting('rate_limit_enabled', e.target.checked)}
+                              size="L"
+                            />
+                          </Flex>
+                          <Box>
+                            <Typography variant="pi" fontWeight="bold" style={{ fontSize: '14px', marginBottom: '6px', display: 'block', textAlign: 'center' }}>
+                              {formatMessage({ id: getTrad('settings.rateLimit.enable.title') })}
+                            </Typography>
+                            <Typography variant="omega" textColor="neutral600" style={{ fontSize: '12px', lineHeight: '1.4', textAlign: 'center' }}>
+                              {formatMessage({ id: getTrad('settings.rateLimit.enable.description') })}
+                            </Typography>
+                          </Box>
+                        </Flex>
+                      </ToggleCard>
+                    </Grid.Item>
+                  </Grid.Root>
+                </Box>
+
+                {/* Rate Limit Configuration */}
+                <Typography variant="sigma" fontWeight="bold" style={{ marginBottom: '16px', display: 'block', color: theme.colors.neutral[700] }}>
+                  {formatMessage({ id: getTrad('settings.rateLimit.config.title') })}
+                </Typography>
+                <Grid.Root gap={6} style={{ marginBottom: '32px' }}>
+                  <Grid.Item col={6} s={12}>
+                    <Box>
+                      <Typography variant="pi" fontWeight="bold" style={{ marginBottom: '8px', display: 'block' }}>
+                        {formatMessage({ id: getTrad('settings.rateLimit.maxAttempts.label') })}
+                      </Typography>
+                      <NumberInput
+                        hint={formatMessage({ id: getTrad('settings.rateLimit.maxAttempts.hint') })}
+                        value={settings.rate_limit_max_attempts}
+                        onChange={val => updateSetting('rate_limit_max_attempts', val)}
+                        min={1}
+                        max={100}
+                      />
+                    </Box>
+                  </Grid.Item>
+                  <Grid.Item col={6} s={12}>
+                    <Box>
+                      <Typography variant="pi" fontWeight="bold" style={{ marginBottom: '8px', display: 'block' }}>
+                        {formatMessage({ id: getTrad('settings.rateLimit.windowMinutes.label') })}
+                      </Typography>
+                      <NumberInput
+                        hint={formatMessage({ id: getTrad('settings.rateLimit.windowMinutes.hint') })}
+                        value={settings.rate_limit_window_minutes}
+                        onChange={val => updateSetting('rate_limit_window_minutes', val)}
+                        min={1}
+                        max={1440}
+                      />
+                    </Box>
+                  </Grid.Item>
+                </Grid.Root>
+
+                {/* Rate Limit Stats */}
+                {rateLimitStats && (
+                  <>
+                    <Divider style={{ marginBottom: '24px' }} />
+                    <Typography variant="sigma" fontWeight="bold" style={{ marginBottom: '16px', display: 'block', color: theme.colors.neutral[700] }}>
+                      {formatMessage({ id: getTrad('settings.rateLimit.stats.title') })}
+                    </Typography>
+                    <Grid.Root gap={4} style={{ marginBottom: '24px' }}>
+                      <Grid.Item col={3} s={6} xs={12}>
+                        <Box padding={4} background="neutral100" style={{ borderRadius: '8px', textAlign: 'center' }}>
+                          <Typography variant="alpha" style={{ color: theme.colors.primary[600] }}>
+                            {rateLimitStats.totalEntries || 0}
+                          </Typography>
+                          <Typography variant="pi" textColor="neutral600" style={{ fontSize: '11px', marginTop: '4px' }}>
+                            {formatMessage({ id: getTrad('settings.rateLimit.stats.total') })}
+                          </Typography>
+                        </Box>
+                      </Grid.Item>
+                      <Grid.Item col={3} s={6} xs={12}>
+                        <Box padding={4} background="danger100" style={{ borderRadius: '8px', textAlign: 'center' }}>
+                          <Typography variant="alpha" style={{ color: theme.colors.danger[600] }}>
+                            {rateLimitStats.blocked || 0}
+                          </Typography>
+                          <Typography variant="pi" textColor="neutral600" style={{ fontSize: '11px', marginTop: '4px' }}>
+                            {formatMessage({ id: getTrad('settings.rateLimit.stats.blocked') })}
+                          </Typography>
+                        </Box>
+                      </Grid.Item>
+                      <Grid.Item col={3} s={6} xs={12}>
+                        <Box padding={4} background="primary100" style={{ borderRadius: '8px', textAlign: 'center' }}>
+                          <Typography variant="alpha" style={{ color: theme.colors.primary[600] }}>
+                            {rateLimitStats.ipLimits || 0}
+                          </Typography>
+                          <Typography variant="pi" textColor="neutral600" style={{ fontSize: '11px', marginTop: '4px' }}>
+                            {formatMessage({ id: getTrad('settings.rateLimit.stats.ipLimits') })}
+                          </Typography>
+                        </Box>
+                      </Grid.Item>
+                      <Grid.Item col={3} s={6} xs={12}>
+                        <Box padding={4} background="success100" style={{ borderRadius: '8px', textAlign: 'center' }}>
+                          <Typography variant="alpha" style={{ color: theme.colors.success[600] }}>
+                            {rateLimitStats.emailLimits || 0}
+                          </Typography>
+                          <Typography variant="pi" textColor="neutral600" style={{ fontSize: '11px', marginTop: '4px' }}>
+                            {formatMessage({ id: getTrad('settings.rateLimit.stats.emailLimits') })}
+                          </Typography>
+                        </Box>
+                      </Grid.Item>
+                    </Grid.Root>
+                    
+                    {/* Management Buttons */}
+                    <Flex gap={3} justifyContent="center">
+                      <Button
+                        onClick={handleRateLimitCleanup}
+                        variant="secondary"
+                        size="M"
+                      >
+                        {formatMessage({ id: getTrad('settings.rateLimit.cleanup') })}
+                      </Button>
+                      <Button
+                        onClick={handleRateLimitReset}
+                        variant="danger"
+                        size="M"
+                      >
+                        {formatMessage({ id: getTrad('settings.rateLimit.reset') })}
+                      </Button>
+                    </Flex>
+                  </>
+                )}
+              </Box>
+            </Accordion.Content>
+          </Accordion.Item>
         </Accordion.Root>
 
         {/* Info Footer */}

package/admin/src/translations/de.json

@@ -172,6 +172,30 @@
   
   "magic-link.settings.footer.quickhelp": "💡 Schnell-Hilfe",
   "magic-link.settings.footer.reminder": "Nicht vergessen: Nach dem Speichern einen Test-Token erstellen und den Magic Link testen!",
+  
+  "magic-link.settings.section.rateLimit": "Sicherheit & Rate Limiting",
+  "magic-link.settings.section.rateLimit.description": "Schutz vor Missbrauch und Brute-Force-Angriffen",
+  "magic-link.settings.rateLimit.title": "RATE LIMITING",
+  "magic-link.settings.rateLimit.subtitle": "Verhindere Missbrauch durch Begrenzung der Anfragen pro IP und E-Mail",
+  "magic-link.settings.rateLimit.enable.title": "Rate Limiting aktivieren",
+  "magic-link.settings.rateLimit.enable.description": "Schützt vor Brute-Force-Angriffen und Spam durch Begrenzung der Token-Erstellungsanfragen.",
+  "magic-link.settings.rateLimit.config.title": "RATE LIMIT KONFIGURATION",
+  "magic-link.settings.rateLimit.maxAttempts.label": "Maximale Versuche",
+  "magic-link.settings.rateLimit.maxAttempts.hint": "Wie viele Anfragen sind erlaubt, bevor blockiert wird",
+  "magic-link.settings.rateLimit.windowMinutes.label": "Zeitfenster (Minuten)",
+  "magic-link.settings.rateLimit.windowMinutes.hint": "Zeitraum für die Zählung von Anfragen (1-1440 Minuten)",
+  "magic-link.settings.rateLimit.stats.title": "AKTUELLE STATISTIKEN",
+  "magic-link.settings.rateLimit.stats.total": "Gesamt Einträge",
+  "magic-link.settings.rateLimit.stats.blocked": "Aktuell Blockiert",
+  "magic-link.settings.rateLimit.stats.ipLimits": "IP Limits",
+  "magic-link.settings.rateLimit.stats.emailLimits": "E-Mail Limits",
+  "magic-link.settings.rateLimit.cleanup": "Abgelaufene aufräumen",
+  "magic-link.settings.rateLimit.reset": "Alle Limits zurücksetzen",
+  "magic-link.settings.rateLimit.cleanupSuccess": "Abgelaufene Einträge erfolgreich aufgeräumt",
+  "magic-link.settings.rateLimit.cleanupError": "Fehler beim Aufräumen abgelaufener Einträge",
+  "magic-link.settings.rateLimit.resetSuccess": "Alle Rate Limits erfolgreich zurückgesetzt",
+  "magic-link.settings.rateLimit.resetError": "Fehler beim Zurücksetzen der Rate Limits",
+  "magic-link.settings.rateLimit.resetConfirm": "Sind Sie sicher, dass Sie alle Rate Limits zurücksetzen möchten? Dies ermöglicht es allen blockierten IPs und E-Mails, wieder Anfragen zu stellen.",
 
   "magic-link.tokens.title": "Magic Link Tokens",
   "magic-link.tokens.page.title": "Token-Verwaltung",

package/admin/src/translations/en.json

@@ -37,6 +37,8 @@
   "magic-link.settings.section.email.description": "Configure email templates and sender information",
   "magic-link.settings.section.advanced": "Advanced Settings",
   "magic-link.settings.section.advanced.description": "Additional configuration options",
+  "magic-link.settings.section.rateLimit": "Security & Rate Limiting",
+  "magic-link.settings.section.rateLimit.description": "Protect against abuse and brute-force attacks",
   
   "magic-link.settings.features.title": "MAIN FEATURES",
   "magic-link.settings.features.subtitle": "Enable or disable the main features of the Magic Link plugin",
@@ -172,6 +174,28 @@
   
   "magic-link.settings.footer.quickhelp": "💡 Quick Help",
   "magic-link.settings.footer.reminder": "Don't forget: After saving, create a test token and test the Magic Link!",
+  
+  "magic-link.settings.rateLimit.title": "RATE LIMITING",
+  "magic-link.settings.rateLimit.subtitle": "Prevent abuse by limiting the number of requests per IP and email",
+  "magic-link.settings.rateLimit.enable.title": "Enable Rate Limiting",
+  "magic-link.settings.rateLimit.enable.description": "Protects against brute-force attacks and spam by limiting token creation requests.",
+  "magic-link.settings.rateLimit.config.title": "RATE LIMIT CONFIGURATION",
+  "magic-link.settings.rateLimit.maxAttempts.label": "Maximum Attempts",
+  "magic-link.settings.rateLimit.maxAttempts.hint": "How many requests are allowed before blocking",
+  "magic-link.settings.rateLimit.windowMinutes.label": "Time Window (Minutes)",
+  "magic-link.settings.rateLimit.windowMinutes.hint": "Time period for counting requests (1-1440 minutes)",
+  "magic-link.settings.rateLimit.stats.title": "CURRENT STATISTICS",
+  "magic-link.settings.rateLimit.stats.total": "Total Entries",
+  "magic-link.settings.rateLimit.stats.blocked": "Currently Blocked",
+  "magic-link.settings.rateLimit.stats.ipLimits": "IP Limits",
+  "magic-link.settings.rateLimit.stats.emailLimits": "Email Limits",
+  "magic-link.settings.rateLimit.cleanup": "Cleanup Expired",
+  "magic-link.settings.rateLimit.reset": "Reset All Limits",
+  "magic-link.settings.rateLimit.cleanupSuccess": "Expired entries cleaned up successfully",
+  "magic-link.settings.rateLimit.cleanupError": "Error cleaning up expired entries",
+  "magic-link.settings.rateLimit.resetSuccess": "All rate limits reset successfully",
+  "magic-link.settings.rateLimit.resetError": "Error resetting rate limits",
+  "magic-link.settings.rateLimit.resetConfirm": "Are you sure you want to reset all rate limits? This will allow all blocked IPs and emails to make requests again.",
 
   "magic-link.tokens.title": "Magic Link Tokens",
   "magic-link.tokens.page.title": "Token Management",

package/admin/src/translations/es.json

@@ -172,6 +172,30 @@
   
   "magic-link.settings.footer.quickhelp": "💡 Ayuda rápida",
   "magic-link.settings.footer.reminder": "No olvide: ¡Después de guardar, cree un token de prueba y pruebe el Magic Link!",
+  
+  "magic-link.settings.section.rateLimit": "Seguridad y limitación de velocidad",
+  "magic-link.settings.section.rateLimit.description": "Protección contra abusos y ataques de fuerza bruta",
+  "magic-link.settings.rateLimit.title": "LIMITACIÓN DE VELOCIDAD",
+  "magic-link.settings.rateLimit.subtitle": "Previene abusos limitando el número de solicitudes por IP y correo",
+  "magic-link.settings.rateLimit.enable.title": "Activar limitación de velocidad",
+  "magic-link.settings.rateLimit.enable.description": "Protege contra ataques de fuerza bruta y spam limitando las solicitudes de creación de tokens.",
+  "magic-link.settings.rateLimit.config.title": "CONFIGURACIÓN DE LÍMITES",
+  "magic-link.settings.rateLimit.maxAttempts.label": "Intentos máximos",
+  "magic-link.settings.rateLimit.maxAttempts.hint": "Cuántas solicitudes se permiten antes del bloqueo",
+  "magic-link.settings.rateLimit.windowMinutes.label": "Ventana de tiempo (Minutos)",
+  "magic-link.settings.rateLimit.windowMinutes.hint": "Período de tiempo para contar solicitudes (1-1440 minutos)",
+  "magic-link.settings.rateLimit.stats.title": "ESTADÍSTICAS ACTUALES",
+  "magic-link.settings.rateLimit.stats.total": "Entradas totales",
+  "magic-link.settings.rateLimit.stats.blocked": "Actualmente bloqueados",
+  "magic-link.settings.rateLimit.stats.ipLimits": "Límites IP",
+  "magic-link.settings.rateLimit.stats.emailLimits": "Límites email",
+  "magic-link.settings.rateLimit.cleanup": "Limpiar expirados",
+  "magic-link.settings.rateLimit.reset": "Restablecer todos los límites",
+  "magic-link.settings.rateLimit.cleanupSuccess": "Entradas expiradas limpiadas correctamente",
+  "magic-link.settings.rateLimit.cleanupError": "Error al limpiar entradas expiradas",
+  "magic-link.settings.rateLimit.resetSuccess": "Todos los límites restablecidos correctamente",
+  "magic-link.settings.rateLimit.resetError": "Error al restablecer límites",
+  "magic-link.settings.rateLimit.resetConfirm": "¿Está seguro de que desea restablecer todos los límites de velocidad? Esto permitirá que todas las IPs y correos bloqueados realicen solicitudes nuevamente.",
 
   "magic-link.tokens.title": "Tokens Magic Link",
   "magic-link.tokens.page.title": "Gestión de tokens",

package/admin/src/translations/fr.json

@@ -172,6 +172,30 @@
   
   "magic-link.settings.footer.quickhelp": "💡 Aide rapide",
   "magic-link.settings.footer.reminder": "N'oubliez pas : Après l'enregistrement, créez un jeton de test et testez le Magic Link !",
+  
+  "magic-link.settings.section.rateLimit": "Sécurité & Limitation de débit",
+  "magic-link.settings.section.rateLimit.description": "Protection contre les abus et les attaques par force brute",
+  "magic-link.settings.rateLimit.title": "LIMITATION DE DÉBIT",
+  "magic-link.settings.rateLimit.subtitle": "Prévenez les abus en limitant le nombre de requêtes par IP et email",
+  "magic-link.settings.rateLimit.enable.title": "Activer la limitation de débit",
+  "magic-link.settings.rateLimit.enable.description": "Protège contre les attaques par force brute et le spam en limitant les requêtes de création de jetons.",
+  "magic-link.settings.rateLimit.config.title": "CONFIGURATION DE LA LIMITATION",
+  "magic-link.settings.rateLimit.maxAttempts.label": "Tentatives maximales",
+  "magic-link.settings.rateLimit.maxAttempts.hint": "Combien de requêtes sont autorisées avant le blocage",
+  "magic-link.settings.rateLimit.windowMinutes.label": "Fenêtre de temps (Minutes)",
+  "magic-link.settings.rateLimit.windowMinutes.hint": "Période de temps pour compter les requêtes (1-1440 minutes)",
+  "magic-link.settings.rateLimit.stats.title": "STATISTIQUES ACTUELLES",
+  "magic-link.settings.rateLimit.stats.total": "Total d'entrées",
+  "magic-link.settings.rateLimit.stats.blocked": "Actuellement bloqués",
+  "magic-link.settings.rateLimit.stats.ipLimits": "Limites IP",
+  "magic-link.settings.rateLimit.stats.emailLimits": "Limites email",
+  "magic-link.settings.rateLimit.cleanup": "Nettoyer expirés",
+  "magic-link.settings.rateLimit.reset": "Réinitialiser toutes les limites",
+  "magic-link.settings.rateLimit.cleanupSuccess": "Entrées expirées nettoyées avec succès",
+  "magic-link.settings.rateLimit.cleanupError": "Erreur lors du nettoyage des entrées expirées",
+  "magic-link.settings.rateLimit.resetSuccess": "Toutes les limites réinitialisées avec succès",
+  "magic-link.settings.rateLimit.resetError": "Erreur lors de la réinitialisation des limites",
+  "magic-link.settings.rateLimit.resetConfirm": "Êtes-vous sûr de vouloir réinitialiser toutes les limites de débit ? Cela permettra à toutes les IPs et emails bloqués de faire à nouveau des requêtes.",
 
   "magic-link.tokens.title": "Jetons Magic Link",
   "magic-link.tokens.page.title": "Gestion des jetons",

package/admin/src/translations/pt.json

@@ -172,6 +172,30 @@
   
   "magic-link.settings.footer.quickhelp": "💡 Ajuda rápida",
   "magic-link.settings.footer.reminder": "Não esqueça: Após salvar, crie um token de teste e teste o Magic Link!",
+  
+  "magic-link.settings.section.rateLimit": "Segurança e limitação de taxa",
+  "magic-link.settings.section.rateLimit.description": "Proteção contra abusos e ataques de força bruta",
+  "magic-link.settings.rateLimit.title": "LIMITAÇÃO DE TAXA",
+  "magic-link.settings.rateLimit.subtitle": "Previne abusos limitando o número de solicitações por IP e e-mail",
+  "magic-link.settings.rateLimit.enable.title": "Ativar limitação de taxa",
+  "magic-link.settings.rateLimit.enable.description": "Protege contra ataques de força bruta e spam limitando solicitações de criação de tokens.",
+  "magic-link.settings.rateLimit.config.title": "CONFIGURAÇÃO DE LIMITES",
+  "magic-link.settings.rateLimit.maxAttempts.label": "Tentativas máximas",
+  "magic-link.settings.rateLimit.maxAttempts.hint": "Quantas solicitações são permitidas antes do bloqueio",
+  "magic-link.settings.rateLimit.windowMinutes.label": "Janela de tempo (Minutos)",
+  "magic-link.settings.rateLimit.windowMinutes.hint": "Período de tempo para contar solicitações (1-1440 minutos)",
+  "magic-link.settings.rateLimit.stats.title": "ESTATÍSTICAS ATUAIS",
+  "magic-link.settings.rateLimit.stats.total": "Total de entradas",
+  "magic-link.settings.rateLimit.stats.blocked": "Atualmente bloqueados",
+  "magic-link.settings.rateLimit.stats.ipLimits": "Limites IP",
+  "magic-link.settings.rateLimit.stats.emailLimits": "Limites email",
+  "magic-link.settings.rateLimit.cleanup": "Limpar expirados",
+  "magic-link.settings.rateLimit.reset": "Redefinir todos os limites",
+  "magic-link.settings.rateLimit.cleanupSuccess": "Entradas expiradas limpas com sucesso",
+  "magic-link.settings.rateLimit.cleanupError": "Erro ao limpar entradas expiradas",
+  "magic-link.settings.rateLimit.resetSuccess": "Todos os limites redefinidos com sucesso",
+  "magic-link.settings.rateLimit.resetError": "Erro ao redefinir limites",
+  "magic-link.settings.rateLimit.resetConfirm": "Tem certeza de que deseja redefinir todos os limites de taxa? Isso permitirá que todos os IPs e e-mails bloqueados façam solicitações novamente.",
 
   "magic-link.tokens.title": "Tokens Magic Link",
   "magic-link.tokens.page.title": "Gerenciamento de tokens",

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "4.9.4",
+  "version": "4.11.0",
   "keywords": [],
   "type": "commonjs",
   "exports": {

package/server/src/bootstrap.js

@@ -70,6 +70,10 @@ Thanks.`,
       jwt_token_expires_in: '30d',
       callback_url: serverUrl,
       allow_magic_links_on_public_registration: false,
+      // Rate Limiting Settings
+      rate_limit_enabled: true,
+      rate_limit_max_attempts: 5,
+      rate_limit_window_minutes: 15,
     };
 
     await pluginStore.set({ key: 'settings', value });
@@ -119,6 +123,19 @@ Thanks.`,
     return next();
   });
 
+  // Initialize Rate Limiter Cleanup Job
+  const rateLimiter = strapi.plugin('magic-link').service('rate-limiter');
+  
+  // Initial cleanup
+  setTimeout(() => {
+    rateLimiter.cleanupExpired();
+  }, 5000);
+  
+  // Cleanup every 30 minutes
+  setInterval(() => {
+    rateLimiter.cleanupExpired();
+  }, 30 * 60 * 1000);
+
   // Initialize License Guard
   try {
     const licenseGuardService = strapi.plugin('magic-link').service('license-guard');

package/server/src/controllers/auth.js

@@ -160,6 +160,7 @@ module.exports = {
   async sendLink(ctx) {
     // Strapi v5 pattern für Service Zugriff
     const magicLink = strapi.plugin('magic-link').service('magic-link');
+    const rateLimiter = strapi.plugin('magic-link').service('rate-limiter');
 
     const isEnabled = await magicLink.isEnabled();
 
@@ -178,6 +179,22 @@ module.exports = {
     if (email && !isEmail) {
       return ctx.badRequest('wrong.email');
     }
+    
+    // Rate limiting check - both IP and email
+    const ipAddress = ctx.request.ip;
+    const ipCheck = await rateLimiter.checkRateLimit(ipAddress, 'ip');
+    
+    if (!ipCheck.allowed) {
+      return ctx.tooManyRequests(`Too many requests. Please try again in ${ipCheck.retryAfter} seconds.`);
+    }
+    
+    if (email) {
+      const emailCheck = await rateLimiter.checkRateLimit(email, 'email');
+      
+      if (!emailCheck.allowed) {
+        return ctx.tooManyRequests(`Too many requests for this email. Please try again in ${emailCheck.retryAfter} seconds.`);
+      }
+    }
 
     let user;
     try {

package/server/src/controllers/index.js

@@ -8,6 +8,7 @@ const auth = require('./auth');
 const tokens = require('./tokens');
 const jwt = require('./jwt');
 const license = require('./license');
+const rateLimit = require('./rate-limit');
 
 module.exports = {
   controller,
@@ -15,4 +16,5 @@ module.exports = {
   tokens,
   jwt,
   license,
+  rateLimit,
 };

package/server/src/controllers/rate-limit.js

@@ -0,0 +1,71 @@
+'use strict';
+
+/**
+ * Rate Limit Controller
+ */
+
+module.exports = {
+  /**
+   * Get rate limit statistics
+   */
+  async getStats(ctx) {
+    try {
+      const rateLimiter = strapi.plugin('magic-link').service('rate-limiter');
+      const stats = await rateLimiter.getStats();
+      
+      if (!stats) {
+        return ctx.badRequest('Failed to get rate limit stats');
+      }
+      
+      ctx.send({
+        success: true,
+        data: stats,
+      });
+    } catch (error) {
+      strapi.log.error('Error getting rate limit stats:', error);
+      ctx.throw(500, error);
+    }
+  },
+  
+  /**
+   * Cleanup expired rate limit entries
+   */
+  async cleanup(ctx) {
+    try {
+      const rateLimiter = strapi.plugin('magic-link').service('rate-limiter');
+      const result = await rateLimiter.cleanupExpired();
+      
+      ctx.send({
+        success: true,
+        message: `Cleaned up ${result.cleaned} expired entries`,
+        data: result,
+      });
+    } catch (error) {
+      strapi.log.error('Error cleaning up rate limits:', error);
+      ctx.throw(500, error);
+    }
+  },
+  
+  /**
+   * Reset all rate limits
+   */
+  async reset(ctx) {
+    try {
+      const pluginStore = strapi.store({
+        type: 'plugin',
+        name: 'magic-link',
+      });
+      
+      await pluginStore.set({ key: 'rate_limits', value: { limits: {} } });
+      
+      ctx.send({
+        success: true,
+        message: 'All rate limits have been reset',
+      });
+    } catch (error) {
+      strapi.log.error('Error resetting rate limits:', error);
+      ctx.throw(500, error);
+    }
+  },
+};
+

package/server/src/controllers/tokens.js

@@ -94,6 +94,21 @@ module.exports = {
         return ctx.badRequest('Email is required');
       }
       
+      // Rate limiting check
+      const rateLimiter = strapi.plugin('magic-link').service('rate-limiter');
+      const ipAddress = ctx.request.ip;
+      const ipCheck = await rateLimiter.checkRateLimit(ipAddress, 'ip');
+      
+      if (!ipCheck.allowed) {
+        return ctx.tooManyRequests(`Too many token creation requests. Please try again in ${ipCheck.retryAfter} seconds.`);
+      }
+      
+      const emailCheck = await rateLimiter.checkRateLimit(email, 'email');
+      
+      if (!emailCheck.allowed) {
+        return ctx.tooManyRequests(`Too many requests for this email. Please try again in ${emailCheck.retryAfter} seconds.`);
+      }
+      
       // Überprüfe, ob die Plugin-Einstellungen das Erstellen neuer Benutzer erlauben
       const pluginStore = strapi.store({
         type: 'plugin',

package/server/src/routes/admin.js

@@ -214,5 +214,31 @@ module.exports = {
         policies: [],
       },
     },
+    
+    // Rate Limiting
+    {
+      method: 'GET',
+      path: '/rate-limit/stats',
+      handler: 'rateLimit.getStats',
+      config: {
+        policies: [],
+      },
+    },
+    {
+      method: 'POST',
+      path: '/rate-limit/cleanup',
+      handler: 'rateLimit.cleanup',
+      config: {
+        policies: [],
+      },
+    },
+    {
+      method: 'POST',
+      path: '/rate-limit/reset',
+      handler: 'rateLimit.reset',
+      config: {
+        policies: [],
+      },
+    },
   ],
 }; 

package/server/src/services/index.js

@@ -4,6 +4,7 @@ const service = require('./service');
 const magicLink = require('./magic-link');
 const store = require('../../services/store');
 const licenseGuard = require('./license-guard');
+const rateLimiter = require('./rate-limiter');
 
 module.exports = {
   service,
@@ -12,4 +13,6 @@ module.exports = {
   store,
   'license-guard': licenseGuard,
   licenseGuard, // Alias für Kompatibilität
+  'rate-limiter': rateLimiter,
+  rateLimiter, // Alias für Kompatibilität
 };

package/server/src/services/rate-limiter.js

@@ -0,0 +1,186 @@
+'use strict';
+
+/**
+ * Rate Limiter Service
+ * Prevents abuse by limiting token creation requests per IP and email
+ */
+
+module.exports = ({ strapi }) => ({
+  /**
+   * Check if request should be rate limited
+   * @param {string} identifier - IP address or email
+   * @param {string} type - 'ip' or 'email'
+   * @returns {Promise<{allowed: boolean, retryAfter: number}>}
+   */
+  async checkRateLimit(identifier, type = 'ip') {
+    try {
+      const pluginStore = strapi.store({
+        type: 'plugin',
+        name: 'magic-link',
+      });
+      
+      // Get settings for rate limit configuration
+      const settings = await pluginStore.get({ key: 'settings' });
+      
+      // Check if rate limiting is enabled
+      if (settings?.rate_limit_enabled === false) {
+        return { allowed: true, retryAfter: 0 };
+      }
+      
+      const maxAttempts = settings?.rate_limit_max_attempts || 5;
+      const windowMinutes = settings?.rate_limit_window_minutes || 15;
+      
+      // Get current rate limit data
+      const rateLimitData = (await pluginStore.get({ key: 'rate_limits' })) || { limits: {} };
+      
+      const key = `${type}_${identifier}`;
+      const now = Date.now();
+      const windowMs = windowMinutes * 60 * 1000;
+      
+      // Get or create limit entry
+      let limitEntry = rateLimitData.limits[key];
+      
+      if (!limitEntry) {
+        // First request
+        limitEntry = {
+          count: 1,
+          firstRequest: now,
+          lastRequest: now,
+        };
+        rateLimitData.limits[key] = limitEntry;
+        await pluginStore.set({ key: 'rate_limits', value: rateLimitData });
+        
+        return { allowed: true, retryAfter: 0 };
+      }
+      
+      // Check if window has expired
+      const timeSinceFirst = now - limitEntry.firstRequest;
+      
+      if (timeSinceFirst > windowMs) {
+        // Window expired, reset counter
+        limitEntry = {
+          count: 1,
+          firstRequest: now,
+          lastRequest: now,
+        };
+        rateLimitData.limits[key] = limitEntry;
+        await pluginStore.set({ key: 'rate_limits', value: rateLimitData });
+        
+        return { allowed: true, retryAfter: 0 };
+      }
+      
+      // Check if limit exceeded
+      if (limitEntry.count >= maxAttempts) {
+        const timeRemaining = windowMs - timeSinceFirst;
+        const retryAfterSeconds = Math.ceil(timeRemaining / 1000);
+        
+        strapi.log.warn(`⚠️ Rate limit exceeded for ${type}: ${identifier} (${limitEntry.count}/${maxAttempts} requests)`);
+        
+        return {
+          allowed: false,
+          retryAfter: retryAfterSeconds,
+        };
+      }
+      
+      // Increment counter
+      limitEntry.count++;
+      limitEntry.lastRequest = now;
+      rateLimitData.limits[key] = limitEntry;
+      await pluginStore.set({ key: 'rate_limits', value: rateLimitData });
+      
+      return { allowed: true, retryAfter: 0 };
+    } catch (error) {
+      strapi.log.error('Error checking rate limit:', error);
+      // On error, allow request (fail open for availability)
+      return { allowed: true, retryAfter: 0 };
+    }
+  },
+  
+  /**
+   * Clean up expired rate limit entries
+   */
+  async cleanupExpired() {
+    try {
+      const pluginStore = strapi.store({
+        type: 'plugin',
+        name: 'magic-link',
+      });
+      
+      const settings = await pluginStore.get({ key: 'settings' });
+      const windowMinutes = settings?.rate_limit_window_minutes || 15;
+      const windowMs = windowMinutes * 60 * 1000;
+      
+      const rateLimitData = (await pluginStore.get({ key: 'rate_limits' })) || { limits: {} };
+      const now = Date.now();
+      
+      let cleaned = 0;
+      
+      // Remove expired entries
+      Object.keys(rateLimitData.limits).forEach(key => {
+        const entry = rateLimitData.limits[key];
+        const timeSinceFirst = now - entry.firstRequest;
+        
+        if (timeSinceFirst > windowMs) {
+          delete rateLimitData.limits[key];
+          cleaned++;
+        }
+      });
+      
+      if (cleaned > 0) {
+        await pluginStore.set({ key: 'rate_limits', value: rateLimitData });
+        strapi.log.info(`🧹 Cleaned up ${cleaned} expired rate limit entries`);
+      }
+      
+      return { cleaned };
+    } catch (error) {
+      strapi.log.error('Error cleaning up rate limits:', error);
+      return { cleaned: 0 };
+    }
+  },
+  
+  /**
+   * Get rate limit stats
+   */
+  async getStats() {
+    try {
+      const pluginStore = strapi.store({
+        type: 'plugin',
+        name: 'magic-link',
+      });
+      
+      const rateLimitData = (await pluginStore.get({ key: 'rate_limits' })) || { limits: {} };
+      const settings = await pluginStore.get({ key: 'settings' });
+      const maxAttempts = settings?.rate_limit_max_attempts || 5;
+      const windowMinutes = settings?.rate_limit_window_minutes || 15;
+      
+      const stats = {
+        totalEntries: Object.keys(rateLimitData.limits).length,
+        maxAttempts,
+        windowMinutes,
+        ipLimits: 0,
+        emailLimits: 0,
+        blocked: 0,
+      };
+      
+      Object.keys(rateLimitData.limits).forEach(key => {
+        const entry = rateLimitData.limits[key];
+        
+        if (key.startsWith('ip_')) {
+          stats.ipLimits++;
+        } else if (key.startsWith('email_')) {
+          stats.emailLimits++;
+        }
+        
+        if (entry.count >= maxAttempts) {
+          stats.blocked++;
+        }
+      });
+      
+      return stats;
+    } catch (error) {
+      strapi.log.error('Error getting rate limit stats:', error);
+      return null;
+    }
+  },
+});
+