fix: Resend Verification Email Can Be Abused to Spam Mail Server #35971

Merged
ggazzo merged 17 commits into RocketChat:develop from JASIM0021:fix/verification-email-rate-limit
Feb 20, 2026

Conversation

@JASIM0021
Contributor

@JASIM0021 JASIM0021 commented May 12, 2025

fix: Resend Verification Email Can Be Abused to Spam Mail Server
closes: #35965

Proposed changes (including videos or screenshots)

Attempt to send multiple emails within 1 minute
User receives error indicating rate limit is enforced:
[Screenshot 2025-05-12 at 23:18:46]

After 1 minute, user is allowed to resend
The rate limit resets and the email is sent successfully:
[Screenshot 2025-05-12 at 23:19:25]

Rate Limiting on users.sendConfirmationEmail API

To prevent abuse of the users.sendConfirmationEmail endpoint (such as email spamming and server overload), a rate limiter has been implemented.

Issue(s)

closes #35965

Steps to test or reproduce

  1. Navigate to: https:///account/profile

  2. Below the email input, there's a "Resend Verification Email" button.

  3. Click the button 3–4 times — you’ll receive an Error message.

Further comments


Pull Request Description

This pull request addresses an issue where the "Resend Verification Email" feature could be exploited to spam the mail server. The changes introduce a rate limiting mechanism for confirmation email requests. Specifically, the implementation tracks the timestamp of the last sent email and enforces a minimum wait time between subsequent requests. This update is made in the apps/meteor/app/api/server/v1/users.ts file. The source branch for this fix is fix/verification-email-rate-limit, and it is targeted to be merged into the develop branch.

Summary by CodeRabbit

  • Bug Fixes
    • Fixed a vulnerability where the resend verification email feature could be abused to spam mail servers. Email verification requests are now restricted.

@dionisio-bot
Contributor

dionisio-bot bot commented May 12, 2025

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

@changeset-bot

changeset-bot bot commented May 12, 2025

🦋 Changeset detected

Latest commit: c0f81f4

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 40 packages
Name Type
@rocket.chat/meteor Patch
@rocket.chat/core-typings Patch
@rocket.chat/rest-typings Patch
@rocket.chat/uikit-playground Patch
@rocket.chat/api-client Patch
@rocket.chat/apps Patch
@rocket.chat/core-services Patch
@rocket.chat/cron Patch
@rocket.chat/ddp-client Patch
@rocket.chat/fuselage-ui-kit Patch
@rocket.chat/gazzodown Patch
@rocket.chat/http-router Patch
@rocket.chat/livechat Patch
@rocket.chat/model-typings Patch
@rocket.chat/ui-avatar Patch
@rocket.chat/ui-client Patch
@rocket.chat/ui-contexts Patch
@rocket.chat/ui-voip Patch
@rocket.chat/web-ui-registration Patch
@rocket.chat/account-service Patch
@rocket.chat/authorization-service Patch
@rocket.chat/ddp-streamer Patch
@rocket.chat/omnichannel-transcript Patch
@rocket.chat/presence-service Patch
@rocket.chat/queue-worker Patch
@rocket.chat/abac Patch
@rocket.chat/federation-matrix Patch
@rocket.chat/license Patch
@rocket.chat/media-calls Patch
@rocket.chat/omnichannel-services Patch
@rocket.chat/pdf-worker Patch
@rocket.chat/presence Patch
rocketchat-services Patch
@rocket.chat/models Patch
@rocket.chat/network-broker Patch
@rocket.chat/omni-core-ee Patch
@rocket.chat/mock-providers Patch
@rocket.chat/ui-video-conf Patch
@rocket.chat/instance-status Patch
@rocket.chat/omni-core Patch


@kody-ai

kody-ai bot commented May 12, 2025

Code Review Completed! 🔥

The code review was successfully completed based on your current configurations.

Kody Guide: Usage and Configuration
Interacting with Kody
  • Request a Review: Ask Kody to review your PR manually by adding a comment with the @kody start-review command at the root of your PR.

  • Provide Feedback: Help Kody learn and improve by reacting to its comments with a 👍 for helpful suggestions or a 👎 if improvements are needed.

Current Kody Configuration
Review Options

The following review options are enabled or disabled:

Options Enabled
Security
Code Style
Kody Rules
Refactoring
Error Handling
Maintainability
Potential Issues
Documentation And Comments
Performance And Optimization
Breaking Changes

Access your configuration settings here.

@CLAassistant

CLAassistant commented May 12, 2025

CLA assistant check
All committers have signed the CLA.

@JASIM0021 JASIM0021 changed the title Resend Verification Email Can Be Abused to Spam Mail Server #35965 fix: Resend Verification Email Can Be Abused to Spam Mail Server #35965 May 12, 2025
@kody-ai

kody-ai bot commented May 12, 2025

Kody Review Complete

Great news! 🎉
No issues were found that match your current review configurations.

Keep up the excellent work! 🚀


@kody-ai

kody-ai bot commented May 12, 2025

Code Review Completed! 🔥

The code review was successfully completed based on your current configurations.


@kody-ai

kody-ai bot commented May 12, 2025

Code Review Completed! 🔥

The code review was successfully completed based on your current configurations.


@JASIM0021 JASIM0021 changed the title fix: Resend Verification Email Can Be Abused to Spam Mail Server #35965 fix: Resend Verification Email Can Be Abused to Spam Mail Server May 13, 2025
@kody-ai

kody-ai bot commented May 13, 2025

Code Review Completed! 🔥

The code review was successfully completed based on your current configurations.


@kody-ai

kody-ai bot commented May 14, 2025

Code Review Completed! 🔥

The code review was successfully completed based on your current configurations.


@JASIM0021
Contributor Author

If someone reviews this code, it will be greatly appreciated.

Member

@ggazzo ggazzo left a comment

please check the suggestions

@ggazzo ggazzo requested a review from a team as a code owner February 12, 2026 02:58
@ggazzo ggazzo added this to the 8.2.0 milestone Feb 12, 2026
@coderabbitai
Contributor

coderabbitai bot commented Feb 12, 2026

Walkthrough

Implements rate limiting on the email verification resend endpoint to prevent abuse. The fix constrains the endpoint to accept one request per minute, addressing the security vulnerability where unlimited rapid requests could spam mail servers.

Changes

Cohort / File(s) Summary
Rate Limiting Implementation
apps/meteor/app/api/server/v1/users.ts
Added rate limiting configuration to the sendConfirmationEmail route with numRequestsAllowed: 1 and intervalTimeInMS: 60000, restricting requests to one per minute.
Changeset Documentation
.changeset/eighty-windows-join.md
Added patch-level changeset entry for @rocket.chat/meteor documenting the fix for verification email abuse vulnerability.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A rabbit hops to save the day,
No more spam floods coming your way!
One email per minute, that's fair and kind,
Mail servers rejoice—peace of mind! 📧✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and concisely summarizes the main security fix: adding rate limiting to prevent abuse of the Resend Verification Email feature to spam mail servers.
Linked Issues check ✅ Passed The PR fully addresses the primary objective from #35965: implementing rate limiting (1 request per 60 seconds) to prevent abuse of the sendConfirmationEmail endpoint.
Out of Scope Changes check ✅ Passed All changes are directly related to the stated objectives: a changeset entry documents the fix, and rate limiting configuration is added to the vulnerable endpoint only.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



No actionable comments were generated in the recent review. 🎉

📜 Recent review details

📥 Commits

Reviewing files that changed from the base of the PR and between d312c6c and d4b492a.

📒 Files selected for processing (2)
  • .changeset/eighty-windows-join.md
  • apps/meteor/app/api/server/v1/users.ts
🧰 Additional context used
📓 Path-based instructions (1)
**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

  • apps/meteor/app/api/server/v1/users.ts
🔇 Additional comments (2)
.changeset/eighty-windows-join.md (1)

1-5: LGTM!

Changeset entry correctly documents the patch-level fix.

apps/meteor/app/api/server/v1/users.ts (1)

1075-1078: LGTM! The rate limiter configuration is consistent with the existing pattern used by users.updateOwnBasicInfo (lines 158–161) and appropriately restricts the endpoint to 1 request per 60 seconds per authenticated user, mitigating the email spam abuse vector.

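The limiter semantics described in the PR description (a minimum wait between one user's confirmation-email requests) and pinned down in the walkthrough above (numRequestsAllowed: 1, intervalTimeInMS: 60000), as an added, self-contained TypeScript example; this is not Rocket.Chat's code. It assumes a fixed-window policy keyed by the authenticated user id, in-process state, and an injectable clock so the minute boundary can be simulated; the class and function names are the example's own.

```typescript
// Added example, not Rocket.Chat's implementation: a fixed-window rate limiter with the
// two knobs the PR configures (numRequestsAllowed, intervalTimeInMS), keyed by the
// authenticated user id and holding its state in this process's memory (an assumption).
interface RateLimiterOptions {
  numRequestsAllowed: number; // requests permitted per window
  intervalTimeInMS: number;   // window length in milliseconds
}
type WindowState = { windowStart: number; count: number };

class FixedWindowRateLimiter {
  private readonly state = new Map<string, WindowState>();
  private readonly opts: RateLimiterOptions;
  private readonly now: () => number; // injectable clock so the minute boundary can be simulated
  constructor(opts: RateLimiterOptions, now: () => number = () => Date.now()) {
    this.opts = opts;
    this.now = now;
  }
  // Records one attempt for `key` and says whether it may proceed; when it may not,
  // retryAfterMs is the time left in the window (worth surfacing to the client).
  check(key: string): { allowed: boolean; retryAfterMs: number } {
    const t = this.now();
    const s = this.state.get(key);
    if (!s || t - s.windowStart >= this.opts.intervalTimeInMS) {
      this.state.set(key, { windowStart: t, count: 1 }); // start a fresh window
      return { allowed: true, retryAfterMs: 0 };
    }
    if (s.count < this.opts.numRequestsAllowed) {
      s.count += 1;
      return { allowed: true, retryAfterMs: 0 };
    }
    return { allowed: false, retryAfterMs: s.windowStart + this.opts.intervalTimeInMS - t };
  }
}

// Replays the PR's test steps: four resend clicks inside one minute, then one more after
// the minute passes; returns each click's verdict and the last rejected click's wait.
// Timestamps and the user id are constructed.
function simulateResendClicks(): { outcomes: boolean[]; retryAfterMs: number } {
  const base = 1_700_000_000_000;
  let clock = base;
  const limiter = new FixedWindowRateLimiter({ numRequestsAllowed: 1, intervalTimeInMS: 60_000 }, () => clock);
  const outcomes: boolean[] = [];
  let retryAfterMs = 0;
  for (const offset of [0, 5_000, 10_000, 20_000, 60_000]) {
    clock = base + offset;
    const r = limiter.check('user-1');
    outcomes.push(r.allowed);
    if (!r.allowed) retryAfterMs = r.retryAfterMs;
  }
  return { outcomes, retryAfterMs }; // [true, false, false, false, true], 40000
}
```

The key is the user id, matching the review note that the limit is per authenticated user rather than per mailbox. Because the window state lives in one process, a deployment running several API instances would need a shared store for the limit to hold globally.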

Co-authored-by: Kevin Aleman <kaleman960@gmail.com>
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 1 file

@codecov

codecov bot commented Feb 12, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.41%. Comparing base (d312c6c) to head (d4b492a).
⚠️ Report is 1 commit behind head on develop.


@@             Coverage Diff             @@
##           develop   #35971      +/-   ##
===========================================
- Coverage    70.42%   70.41%   -0.01%     
===========================================
  Files         3174     3174              
  Lines       111005   111005              
  Branches     20005    19965      -40     
===========================================
- Hits         78179    78168      -11     
- Misses       30780    30797      +17     
+ Partials      2046     2040       -6     
Flag Coverage Δ
e2e 60.44% <ø> (+0.01%) ⬆️
e2e-api 47.81% <ø> (+0.01%) ⬆️
unit 71.36% <ø> (-0.04%) ⬇️


@ggazzo
Member

ggazzo commented Feb 12, 2026

hey @JASIM0021 it took a while but it's done, would you mind accepting the CLA?

@ggazzo ggazzo added the stat: QA assured Means it has been tested and approved by a company insider label Feb 12, 2026
@dionisio-bot dionisio-bot bot added the stat: ready to merge PR tested and approved waiting for merge label Feb 12, 2026
@JASIM0021
Contributor Author

hey @JASIM0021 it took a while but it's done, would you mind accepting the CLA?

@ggazzo ggazzo merged commit 1710997 into RocketChat:develop Feb 20, 2026
4 checks passed

Labels

  • stat: QA assured (Means it has been tested and approved by a company insider)
  • stat: ready to merge (PR tested and approved waiting for merge)
  • subj: security
