Adding a captcha rate limit. Fixes #1755 #1941
Conversation
| // Handle captcha separately | ||
| web::resource("/user/get_captcha") | ||
| .wrap(rate_limit.image()) | ||
| .route(web::get().to(route_get::<GetCaptcha>)), |
There was a problem hiding this comment.
This is the rate limit for image uploads, which is 6 per hour by default. Seems a bit low if someone requests a new captcha a few times in a row, and fails a few. Maybe the message rate limit would work.
There was a problem hiding this comment.
It was using the message rate limit before, check out these problems: https://git.radicallyopensecurity.com/nlnet/off-ngid-lemmy/-/issues/14
There was a problem hiding this comment.
Then i think it needs a separate limit. Maybe reusing the post/comment limit (6 in 10 minutes) could work, but without burst it also seems a bit low. Plus it would be really confusing to use that setting for something completely different.
There was a problem hiding this comment.
I thought image made sense, because it is an image being generated. But I'd be fine with the post limit, I'll change it to that.
There was a problem hiding this comment.
Its not a great solution, because then a user might be unable to post if they requested a new captcha a couple times. I think it really needs a separate limit, i would say rougly 60 per hour?
There was a problem hiding this comment.
Its pry good enough for now, and if ppl run into this limit often, we could add another one to the config.
There was a problem hiding this comment.
Alright. Federation tests are failing though.
There was a problem hiding this comment.
Its a yerba builder issue, they're passing on cloud drone: https://cloud.drone.io/LemmyNet/lemmy/2065
No description provided.