Throttle admin password reset

config/initializers/rack_attack.rb

@@ -14,6 +14,12 @@ Rack::Attack.throttle("password reset requests", limit: 5, period: 60.seconds) d
   end
 end
 
+Rack::Attack.throttle("admin password reset requests", limit: 5, period: 60.seconds) do |request|
+  if request.params["admin_user"].present? && request.path == "/admin/password" && request.post?
+    request.params["admin_user"]["email"].to_s.downcase.gsub(/\s+/, "")
+  end
+end
+
 Rack::Attack.throttled_responder = lambda do |_env|
   headers = {
     "Location" => "/429",

spec/requests/rack_attack_spec.rb

@@ -12,8 +12,11 @@ describe "Rack::Attack" do
   let(:devise_notify_mailer) { DeviseNotifyMailer.new }
 
   let(:params) { { user: { email: } } }
+  let(:admin_params) { { admin_user: { email: admin_email } } }
   let(:user) { FactoryBot.create(:user) }
+  let(:admin_user) { FactoryBot.create(:admin_user) }
   let(:email) { user.email }
+  let(:admin_email) { admin_user.email }
 
   before do
     Rack::Attack.enabled = true
@@ -29,7 +32,7 @@ describe "Rack::Attack" do
 
   context "when a password reset is requested" do
     context "when the number of requests is under the throttle limit" do
-      it "does not throttle" do
+      it "does not throttle for a regular user" do
         under_limit.times do
           post "/account/password", params: params
           follow_redirect!
@@ -37,13 +40,42 @@ describe "Rack::Attack" do
         last_response = response
         expect(last_response.status).to eq(200)
       end
+
+      it "does not throttle for an admin user" do
+        under_limit.times do
+          post "/admin/password", params: admin_params
+          follow_redirect!
+        end
+        last_response = response
+        expect(last_response.status).to eq(200)
+      end
     end
 
     context "when the number of requests is at the throttle limit" do
-      it "does not throttle" do
+      it "does not throttle for a regular user" do
+        limit.times do
+          post "/account/password", params: params
+          follow_redirect!
+        end
+        last_response = response
+        expect(last_response.status).to eq(200)
+      end
+
+      it "does not throttle for an admin user" do
+        limit.times do
+          post "/admin/password", params: admin_params
+          follow_redirect!
+        end
+        last_response = response
+        expect(last_response.status).to eq(200)
+      end
+
+      it "does not throttle if both endpoints are hit" do
         limit.times do
           post "/account/password", params: params
           follow_redirect!
+          post "/admin/password", params: admin_params
+          follow_redirect!
         end
         last_response = response
         expect(last_response.status).to eq(200)
@@ -51,7 +83,7 @@ describe "Rack::Attack" do
     end
 
     context "when the number of requests is over the throttle limit" do
-      it "throttles" do
+      it "throttles for a regular user" do
         over_limit.times do
           post "/account/password", params: params
           follow_redirect!
@@ -59,6 +91,15 @@ describe "Rack::Attack" do
         last_response = response
         expect(last_response.status).to eq(429)
       end
+
+      it "throttles for an admin user" do
+        over_limit.times do
+          post "/admin/password", params: admin_params
+          follow_redirect!
+        end
+        last_response = response
+        expect(last_response.status).to eq(429)
+      end
     end
   end
 end