From 9c11562ea111c154947a789757c850e2bada1f9b Mon Sep 17 00:00:00 2001
From: Daniel Aloni
Date: Mon, 1 May 2023 12:06:27 +0300
Subject: [PATCH] Rate limiting on authenticateDb.

---
 clientapi/auth/password.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/clientapi/auth/password.go b/clientapi/auth/password.go
index 15712ba20..e636f731e 100644
--- a/clientapi/auth/password.go
+++ b/clientapi/auth/password.go
@@ -208,6 +208,9 @@ func (t *LoginTypePassword) authenticateDb(ctx context.Context, localpart string
 // Technically we could tell them if the user does not exist by checking if err == sql.ErrNoRows
 // but that would leak the existence of the user.
 if !res.Exists {
+ if t.Rt != nil {
+ t.Rt.Act(localpart)
+ }
 return nil, &util.JSONResponse{
 Code: http.StatusForbidden,
 JSON: jsonerror.Forbidden("The username or password was incorrect or the account does not exist."),
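Review bot: The key passed to `t.Rt.Act(localpart)` in the `!res.Exists` branch is a caller-supplied name for an account that does not exist, so each distinct bogus localpart may add a new limiter entry unless the limiter bounds or expires its keys; its implementation is not visible here and should be checked. Keying only on localpart throttles repeated guesses against one name but not one client trying many names. The key should also match the one used on the wrong-password path, including any case normalization, so that throttling behaves the same for existing and missing accounts. A short comment above the call would record the intent, e.g. `// Count failures for unknown users too, so rate limiting does not reveal whether the account exists.` The body of authenticateDb starts and ends outside the hunk, so whether the limit is actually enforced before the lookup cannot be confirmed from here.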