Tags: rest, security, password-recovery, denial-of-service, api-security

How to prevent attackers from using my password reset mechanism to email bomb people?


My web app has a pretty standard feature that allows a user who forgot their password to reset it by sending themselves a password reset email with a link to the page to create a new password.

I'm concerned that person1 could use this page to harass person2 by claiming to need a password reset email, but giving the email address of person2, and automate this with a bot, sending massive numbers of emails to person2. It wouldn't reveal any secrets, but it could be very annoying, even a DoS on their inbox, and my application would get the blame.

I understand that I can throttle the API call that sends the email, but how? The user making the API call can't be authenticated, because if they were logged in, they wouldn't need the reset. And if the API call is open, then there's no way to validate the caller, because any general request information (like IP) can be spoofed (or sent through a proxy server).

If I throttle that api call globally, then legitimate users might get locked out if a large number of them just happened to use the feature at the same time.

How do you deal with a situation like this?


Solution

  • Throttle how many mails you will send to the same email address, regardless of how they're requested. This doesn't require you to throttle how many resets you will handle in total; just per address.
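The per-address throttle described in the answer, as an added example that is not part of the original question or answer. It is standalone Python with a sliding window kept in memory; the limit of 3 mails per hour, the names `PerAddressThrottle` and `handle_reset_request`, and the injectable clock are assumptions chosen for the example. The handler returns the same message whether or not a mail was sent, so the caller learns nothing from being throttled.

```python
import time
from collections import defaultdict, deque

# Assumed policy values for this example (not from the original post):
# at most MAX_PER_WINDOW reset mails to any one address per WINDOW_SECONDS.
MAX_PER_WINDOW = 3
WINDOW_SECONDS = 3600


def normalize_address(address: str) -> str:
    """Canonicalise an address so trivial variants share one bucket.

    Lower-casing the whole address is a deliberate simplification: the
    local part is technically case-sensitive, but honouring that would let
    an attacker dodge a per-address limit with case variants of one address.
    """
    return address.strip().lower()


class PerAddressThrottle:
    """Sliding-window cap on reset mails per normalised address.

    Only the target address is counted; nothing about the requester (IP,
    session, headers) is trusted, since none of it can be authenticated on
    a public reset endpoint. Unrelated addresses never affect each other.
    """

    def __init__(self, max_per_window=MAX_PER_WINDOW,
                 window_seconds=WINDOW_SECONDS, clock=time.time):
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.clock = clock  # injectable for deterministic tests
        self._sent = defaultdict(deque)  # address -> send timestamps in window

    def allow(self, address: str) -> bool:
        """Record a send and return True if the address is under its limit."""
        key = normalize_address(address)
        now = self.clock()
        window = self._sent[key]
        # Discard timestamps that have aged out of the window.
        while window and now - window[0] >= self.window_seconds:
            window.popleft()
        if len(window) >= self.max_per_window:
            return False
        window.append(now)
        return True


RESET_RESPONSE = "If that address is registered, a reset link has been sent."


def handle_reset_request(throttle, address, send_mail):
    """Reset endpoint: identical response regardless of the throttle decision.

    The throttle only decides whether send_mail runs; the caller cannot tell
    a throttled request from a delivered one, so the limit does not leak
    whether an address exists or is currently being rate-limited.
    """
    if throttle.allow(address):
        send_mail(address)
    return RESET_RESPONSE


def simulate_bomb(requests_per_victim=10):
    """Bot hammers one victim while a second user requests a normal reset.

    Returns (mails_to_victim, mails_to_other) for the constructed scenario.
    """
    fake_clock = [1_000_000.0]
    throttle = PerAddressThrottle(clock=lambda: fake_clock[0])
    sent = []
    for _ in range(requests_per_victim):
        # Constructed attacker traffic: same inbox, varying case/whitespace.
        handle_reset_request(throttle, " Victim@Example.com ", sent.append)
    handle_reset_request(throttle, "other@example.com", sent.append)
    victim = sum(1 for a in sent if normalize_address(a) == "victim@example.com")
    other = sum(1 for a in sent if normalize_address(a) == "other@example.com")
    return victim, other


if __name__ == "__main__":
    print(simulate_bomb())
```

In a deployment with more than one application instance the per-address counters belong in a shared store (for example a key with a TTL in Redis) rather than process memory, otherwise each instance enforces its own limit. This limit only protects individual inboxes, which is the concern raised in the question; an attacker spraying many different addresses still consumes your outbound mail capacity and is a separate problem.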