GraphQL forgot password rate limiting issue in Adobe Commerce cloud 2.4.8
In Adobe Commerce on cloud infrastructure version 2.4.8, the rate limiting configuration for the forgot password feature isn’t enforced when using GraphQL endpoints. The requestPasswordResetEmail mutation ignores the Max Number of Password Reset Requests admin setting. This article explains how to address this issue.
Description
Environment
Adobe Commerce on cloud infrastructure v2.4.8
Issue/Symptoms
- Forgot password requests made via GraphQL don’t follow the configured rate limits set in the admin panel.
- The system doesn’t allow as many requests as the Max Number of Password Reset Requests setting in the admin configuration specifies.
- When using the requestPasswordResetEmail mutation, you get the error: Cannot reset the customer’s password on the second attempt.
Steps to replicate
- Create a customer account.
- Sign in to Admin, go to Configuration > Customer Configuration > Password Options, and set Max Number of Password Reset Requests to 5.
- Use the GraphQL mutation requestPasswordResetEmail to try resetting the password.
Resolution
To resolve this, make sure the following admin configurations are set and understood for the requestPasswordResetEmail mutation:
- Max Number of Password Reset Requests lets a user make 5 password reset attempts per hour.
- Min Time Between Password Reset Requests means a user can make 1 password reset attempt every 10 minutes by default.
- The GraphQL requestPasswordResetEmail mutation respects both Min Time Between Password Reset Requests and Max Number of Password Reset Requests.
Verify that forgot password requests made via GraphQL now respect both the max request count and minimum time interval settings as configured in admin. If you hit the limit, retry the password reset after the minimum 10-minute interval.
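The following Python script is an added example (it is not Adobe Commerce code and does not reproduce Magento’s internal security manager). It builds the payload for the requestPasswordResetEmail mutation and models the two limits described above with the article’s values (5 requests per hour, 10 minutes between requests), so that a sequence of reset attempts against a test store can be compared with the behaviour the admin settings promise. The email address, timestamps and the model’s exact window handling are assumptions for the example.

```python
"""Reference model of Adobe Commerce password-reset limits (added example, not Magento code).

Use it to decide what a run of requestPasswordResetEmail calls *should* return for the
configured admin settings, then compare that with what the store actually returned.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Values taken from the article's Resolution section (assumed as the store's admin settings).
MAX_REQUESTS_PER_HOUR = 5              # Max Number of Password Reset Requests
MIN_INTERVAL = timedelta(minutes=10)   # Min Time Between Password Reset Requests
WINDOW = timedelta(hours=1)            # the "per hour" window the max count applies to

# GraphQL document for the mutation; it returns a Boolean in the Magento schema.
PASSWORD_RESET_MUTATION = """mutation RequestReset($email: String!) {
  requestPasswordResetEmail(email: $email)
}"""


def build_graphql_payload(email: str) -> dict:
    """JSON body to POST to the store's /graphql endpoint."""
    return {"query": PASSWORD_RESET_MUTATION, "variables": {"email": email}}


class ResetRateLimiter:
    """Model of the two limits: per-customer history, evaluated at a given time."""

    def __init__(self, max_per_hour: int = MAX_REQUESTS_PER_HOUR,
                 min_interval: timedelta = MIN_INTERVAL) -> None:
        self.max_per_hour = max_per_hour
        self.min_interval = min_interval
        self._history: Dict[str, List[datetime]] = {}

    def check(self, email: str, now: datetime) -> Tuple[bool, str]:
        """Return (allowed, reason) and record the attempt when it is allowed."""
        recent = [t for t in self._history.get(email, []) if now - t < WINDOW]
        if recent and now - recent[-1] < self.min_interval:
            return False, "min_interval"      # too soon after the previous request
        if len(recent) >= self.max_per_hour:
            return False, "max_per_hour"      # hourly budget exhausted
        recent.append(now)
        self._history[email] = recent
        return True, "allowed"


def simulate(offsets_minutes: List[int], email: str = "customer@example.com") -> List[str]:
    """Expected outcome for reset attempts made at ascending minute offsets from t0."""
    limiter = ResetRateLimiter()
    t0 = datetime(2025, 1, 1, 12, 0, 0)  # constructed start time
    return [limiter.check(email, t0 + timedelta(minutes=m))[1] for m in offsets_minutes]


def find_mismatches(offsets_minutes: List[int],
                    observed_accepted: List[bool]) -> List[Tuple[int, str, bool]]:
    """Compare what the store returned (True = reset accepted) with the model.

    Each mismatch is (minute offset, expected outcome, observed acceptance).
    A store rejecting an attempt the model allows is the symptom in this article.
    """
    expected = simulate(offsets_minutes)
    return [(m, exp, obs)
            for m, exp, obs in zip(offsets_minutes, expected, observed_accepted)
            if (exp == "allowed") != obs]


if __name__ == "__main__":
    print(build_graphql_payload("customer@example.com"))
    # Seven attempts spaced as the settings allow, plus one made too early.
    print(simulate([0, 1, 10, 20, 30, 40, 50, 60]))
    # Observed behaviour from the article: second attempt (10 min later) rejected.
    print(find_mismatches([0, 10], [True, False]))
```

Run the script against a test store by sending `build_graphql_payload(...)` with the same spacing you pass to `simulate`, recording whether each call returned `true`; any tuple from `find_mismatches` marks an attempt where the store did not follow the admin settings.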