The `/invite` endpoint (protected by `requireAdminCredentials`) has no rate limiting. Compare with `/token`, which has a tollbooth limiter. The invite endpoint also lacks the `maxFrequency` check that other email-sending endpoints have (like `/recover`). A compromised admin token could be used to send bulk invite emails.

Moved from CI 53
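The two missing controls named above, a per-caller request limiter (the role tollbooth plays on `/token`) and a per-recipient `maxFrequency` gap (the role that check plays on `/recover`), shown together in a small Go middleware. This is an added, self-contained example written for this issue, not the project's own code and not the tollbooth library: the token-bucket limiter, the `InviteGuard` type, the `Authorization`-header keying and the JSON `{"email": ...}` body shape are all assumptions made for the demonstration. It assumes an upstream `requireAdminCredentials`-style check has already validated the credential; the guard only bounds how often one credential and one recipient address can trigger an email.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"time"
)

// InviteGuard is a hypothetical stand-in (not GoTrue's or tollbooth's code) that
// combines a per-caller token bucket with a per-recipient maxFrequency window.
type InviteGuard struct {
	mu           sync.Mutex
	now          func() time.Time     // injectable clock so the behaviour is testable
	rate, burst  float64              // bucket refill per second and capacity
	buckets      map[string]*bucket   // keyed by caller credential
	maxFrequency time.Duration        // minimum gap between emails to one address
	lastSent     map[string]time.Time // keyed by normalised recipient address
}

type bucket struct {
	tokens float64
	last   time.Time
}

func NewInviteGuard(rate, burst float64, maxFrequency time.Duration, now func() time.Time) *InviteGuard {
	return &InviteGuard{now: now, rate: rate, burst: burst, maxFrequency: maxFrequency,
		buckets: map[string]*bucket{}, lastSent: map[string]time.Time{}}
}

// AllowCaller refills the caller's bucket for the elapsed time and spends one token.
func (g *InviteGuard) AllowCaller(caller string) bool {
	g.mu.Lock()
	defer g.mu.Unlock()
	t := g.now()
	b, ok := g.buckets[caller]
	if !ok {
		b = &bucket{tokens: g.burst, last: t}
		g.buckets[caller] = b
	}
	b.tokens += t.Sub(b.last).Seconds() * g.rate
	if b.tokens > g.burst {
		b.tokens = g.burst
	}
	b.last = t
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// AllowRecipient rejects a second email to the same address inside maxFrequency
// and records the send time when it allows one.
func (g *InviteGuard) AllowRecipient(email string) bool {
	g.mu.Lock()
	defer g.mu.Unlock()
	t := g.now()
	if last, ok := g.lastSent[email]; ok && t.Sub(last) < g.maxFrequency {
		return false
	}
	g.lastSent[email] = t
	return true
}

// Handler applies both checks before handing the request to the real invite handler.
// The caller key is the Authorization header, assumed already validated upstream.
func (g *InviteGuard) Handler(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !g.AllowCaller(r.Header.Get("Authorization")) {
			http.Error(w, "too many requests", http.StatusTooManyRequests)
			return
		}
		var body struct {
			Email string `json:"email"`
		}
		if err := json.NewDecoder(r.Body).Decode(&body); err != nil || body.Email == "" {
			http.Error(w, "invalid request", http.StatusBadRequest)
			return
		}
		if !g.AllowRecipient(strings.ToLower(body.Email)) {
			http.Error(w, "invite already sent recently", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// InviteStatus sends one constructed POST /invite through the guard and returns the status code.
func InviteStatus(g *InviteGuard, token, email string) int {
	h := g.Handler(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK) // stand-in for actually sending the invite mail
	}))
	payload, _ := json.Marshal(map[string]string{"email": email})
	req := httptest.NewRequest(http.MethodPost, "/invite", bytes.NewReader(payload))
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	clock := time.Unix(0, 0) // constructed, deterministic clock
	g := NewInviteGuard(1, 3, time.Minute, func() time.Time { return clock })
	for _, e := range []string{"a@example.com", "a@example.com", "b@example.com", "c@example.com"} {
		fmt.Println(e, InviteStatus(g, "admin-token", e))
	}
	clock = clock.Add(61 * time.Second)
	fmt.Println("after 61s a@example.com", InviteStatus(g, "admin-token", "a@example.com"))
}
```

Keying the bucket by the admin credential is what bounds the blast radius of a leaked token: with a burst of 3 and a refill of one request per second, a stolen token yields at most a few emails per second rather than unbounded bulk sends, and the recipient window stops the same address being mailed repeatedly regardless of which credential asks. Note that `AllowRecipient` records the send before the mail is actually dispatched; a production version would want to roll that back on delivery failure.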