Simple anti-abuse system - throttle addiding annotations per-IP #29
Comments
|
@kaglowka Actually we are even much weaker than we thought. We should also throttle number of sessions per IP, because now we use LazySignup application which means that every first request (also GET) for given client triggers creating a user, so we can be easily DoSed by almost anyone. It does not need to be creating new annotation. Making request to any GET endpoint, ignoring session token we send in response, then another request and so on and we are down because of one kid having fun using pure cURL. |
Possible solutionOptimally for every new installation of extension we should open a page with Captcha and that way validate the session. If somebody cleans his cookies, as soon as client discovers proper 4XX response stating that session validation is required, we should open tab with Captcha again. Once validation is finished, the tab that discovered the 4XX reloads and everything goes smooth again. Captcha validation of every new session will guarantee number of session will not raise above reasonable amount that is equal to number of real users of our extension and that is perfect state :) |
|
Yes, that is an issue. Lazy signup was initially meant as a shortcut to more quickly test the application prototype. Thanks for the idea -- the solution you are mentioning actually looks sustainable in the long term and has a big advantage -- we can manage action permissions for an unlogged user depending purely on what actions we want them to be able to access and not restricting it for security reasons. How about doing it for v3.1? (since 3.0 will be accessible only to non-hostile users and can already be tested in the meantime). |
We do not have any antibot system, so limit adding annotations to 20 per hour and 50 per 24h, per one IP.
The text was updated successfully, but these errors were encountered: