From 5e0b8a2fe80feae112743abbe48e483954208554 Mon Sep 17 00:00:00 2001
From: janis steiner
Date: Wed, 6 May 2026 09:43:10 +0200
Subject: [PATCH] setting rate limiting higher

---
 app-code/api/account/update_2fa.php | 2 +-
 app-code/api/login/check_mfa.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/app-code/api/account/update_2fa.php b/app-code/api/account/update_2fa.php
index 7ab160c..2921791 100644
--- a/app-code/api/account/update_2fa.php
+++ b/app-code/api/account/update_2fa.php
@@ -47,7 +47,7 @@ if($data->enable_2fa==true){
         exit();
     }
-    check_rate_limit($conn, 'setup_2fa', 5, 10 * 60, (string)$id);
+    check_rate_limit($conn, 'setup_2fa', 5, 60, (string)$id);
     $twofa_secret = $_SESSION["pending_2fa_secret"] ?? "";
     if ($twofa_secret === "" || !hash_equals(generateTOTP($twofa_secret), $twofa_pin)) {
         echo json_encode(['success' => false, 'message' => 'Invalid 2FA code.']);
diff --git a/app-code/api/login/check_mfa.php b/app-code/api/login/check_mfa.php
index d9197ca..076daf8 100644
--- a/app-code/api/login/check_mfa.php
+++ b/app-code/api/login/check_mfa.php
@@ -14,7 +14,7 @@ include "../utils/generate_pin.php";
 $conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD, $DB_DATABASE);
 $username=$_SESSION["username"];
-check_rate_limit($conn, 'login_mfa', 5, 10 * 60, $username);
+check_rate_limit($conn, 'login_mfa', 5, 60, $username);
 $sql="SELECT 2fa FROM users WHERE username = ?";
 $stmt = mysqli_prepare($conn, $sql);
 mysqli_stmt_bind_param($stmt, 's', $username);
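Review bot: The new `check_rate_limit($conn, 'setup_2fa', 5, 60, (string)$id);` weakens the guard rather than strengthening it: the count stays at 5 while the window drops from 600 s to 60 s, so the endpoint now accepts up to 300 TOTP guesses per hour per account instead of 30, which is the opposite of what a subject line reading "setting rate limiting higher" suggests if stricter limiting was the goal. The pending secret being read from `$_SESSION["pending_2fa_secret"]` binds the guess to the enrolling session, which narrows the attacker population, but it does not change the arithmetic against a 6-digit code. If legitimate users were tripping the limit, raise the count inside the longer window instead, e.g. `check_rate_limit($conn, 'setup_2fa', 10, 10 * 60, (string)$id);`, and consider discarding the pending secret after the limit is hit so a new enrolment must be started. Whether `check_rate_limit` counts every attempt or only failures is not visible in this hunk and decides how costly the lower window is; the enclosing `if($data->enable_2fa==true)` block starts before the hunk.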
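Review bot: The new `check_rate_limit($conn, 'login_mfa', 5, 60, $username);` gives an attacker who already holds the password 300 second-factor guesses per hour (7,200 per day) per account, ten times the previous 30, against a 6-digit code that, with the usual one-step clock tolerance, has about three valid values at any moment, so roughly a 2% chance of success per day of sustained guessing where the old window allowed about 0.2%. NIST SP 800-63B asks verifiers to hold online attackers to on the order of 100 consecutive failed attempts per account, and the new setting reaches that in twenty minutes. Keep `10 * 60` here, or pair the shorter window with an escalating per-account lockout or backoff that `check_rate_limit` may or may not already implement, which cannot be seen from this hunk. Separately, `$_SESSION["username"]` is used as the limiter key without checking that the password step actually set it, so a request arriving without that session state would be counted under an empty key rather than rejected, presumably something an earlier include handles, but worth confirming.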