Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve email safety #18

Closed
fluffy-critter opened this issue Jul 13, 2019 · 2 comments · Fixed by #27 or #78
Closed

Improve email safety #18

fluffy-critter opened this issue Jul 13, 2019 · 2 comments · Fixed by #27 or #78
Labels
enhancement New feature or request

Comments

@fluffy-critter
Copy link
Contributor

fluffy-critter commented Jul 13, 2019

The EmailHandler should keep track of the addresses it's sent a link to in the last few minutes, and not allow spamming an address. This is both to prevent Authl from being used as an intermediary for flooding someone else's email address, and to avoid issues with a /_login/?me=user@example.com address living in someone's history causing the user to get spammed (due to browser prefetch or whatever)

@fluffy-critter
Copy link
Contributor Author

fluffy-critter commented Jul 18, 2019

Probably should make the initial timeout some fraction of the key timeout, and give it an exponential backoff, with an error of “you are trying to log in too frequently, please wait {timeout} minutes before trying again” (configurable of course)

@fluffy-critter
Copy link
Contributor Author

Maybe also limit per domain?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
1 participant