Skip to content

fix(sms+auth): close open SMS relay, restore-flow rate limit#125

Merged
ralyodio merged 2 commits into
masterfrom
worktree-sms-lockdown
Jun 30, 2026
Merged

fix(sms+auth): close open SMS relay, restore-flow rate limit#125
ralyodio merged 2 commits into
masterfrom
worktree-sms-lockdown

Conversation

@ralyodio

Copy link
Copy Markdown
Contributor

What

  1. Delete /api/sms/send-notification — unauthenticated, unrate-limited open SMS relay using app Twilio creds; orphaned (no caller). Likely vector behind the SMS-billing drain (SMS pumping).
  2. Loosen key-backup restore rate limitGET /api/auth/key-backup was 5/hour; new-device E2EE key restore fires several GETs per attempt, locking users out for an hour after ~2 tries. Now 10 per 15 min.

Related infra (already applied, not in this diff)

  • New Twilio creds patched into Supabase Auth phone provider (verification SMS restored).
  • Supabase rate_limit_sms_sent lowered 30 → 10/hour as a hard global cost cap.

🤖 Generated with Claude Code

ralyodio and others added 2 commits June 30, 2026 22:45
DELETE /api/sms/send-notification — it accepted an arbitrary
phoneNumber + message from any anonymous caller and sent it via the
app's Twilio creds with no auth, rate limiting, or origin check. It was
orphaned (no caller anywhere in the app) and is the likely vector behind
the runaway SMS billing (SMS-pumping/toll fraud).

The legitimate offline-message SMS path is unaffected: it runs through
SMSNotificationService, invoked server-side from the WebSocket handler.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Restoring E2EE keys on a new device fires several GET /api/auth/key-backup
calls per attempt (on-mount hasBackup check + the restore itself), so the
old 5-per-hour cap locked users out after ~2 restore attempts for a full
hour. Raise to 10 requests and shorten the window to 15 min so legitimate
multi-attempt restores work and any lockout clears quickly.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@ralyodio ralyodio merged commit f02db51 into master Jun 30, 2026
5 checks passed
@github-actions

Copy link
Copy Markdown

vu1nz Security Review

0 finding(s) in PR #?

No security issues found.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant