From 5a55d1824e72b72103fbc9af967d1e9d732af95c Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Sun, 16 Apr 2023 12:57:20 +0200
Subject: [PATCH] Make it happen post-deduplication
---
 core/admin/mailu/limiter.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/admin/mailu/limiter.py b/core/admin/mailu/limiter.py
index d2c6e9eb..6fc078c1 100644
--- a/core/admin/mailu/limiter.py
+++ b/core/admin/mailu/limiter.py
@@ -71,12 +71,12 @@ class LimitWraperFactory(object):
 def rate_limit_user(self, username, ip, device_cookie=None, device_cookie_name=None, password=''):
 limiter = self.get_limiter(app.config["AUTH_RATELIMIT_USER"], 'auth-user')
 if self.is_subject_to_rate_limits(ip):
- self.rate_limit_ip(ip, username)
 truncated_password = hmac.new(bytearray(username, 'utf-8'), bytearray(password, 'utf-8'), 'sha256').hexdigest()[-6:]
 if password and (self.storage.get(f'dedup2-{username}-{truncated_password}') > 0):
 return
 self.storage.incr(f'dedup2-{username}-{truncated_password}', limits.parse(app.config['AUTH_RATELIMIT_USER']).GRANULARITY.seconds, True)
 limiter.hit(device_cookie if device_cookie_name == username else username)
+ self.rate_limit_ip(ip, username)

 """ Device cookies as described on:
 https://owasp.org/www-community/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies
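Review bot: The reason `self.rate_limit_ip(ip, username)` now runs only after the dedup early `return` and the `limiter.hit(...)` call is not stated anywhere in `rate_limit_user`, and the ordering is easy to undo in a later refactor; a one-line comment above the moved call, `# Count the IP only after deduplication, so a client retrying one stale password does not also exhaust the IP budget`, would pin the intent. Note that the dedup key `dedup2-{username}-{truncated_password}` does not include `ip`, so after this change a repeat of the same username/password pair from a second address within the `GRANULARITY` window is not counted against that second address either; if that is intended the comment should say so, otherwise the IP counter would need to be taken before the early `return`. The early `return` also relies on `self.storage.get(...)` returning a number rather than `None` for an unknown key — presumably the limits storage guarantees that, but `None > 0` would raise in Python 3, so it is worth confirming against the storage backend in use.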