Motivation
Since we now have public signup after #1114 lands, we could expect some spam signups to happen.
Especially for self-hosted instances, we should have some way of limiting the amount of signups/login attempts that can happen per IP + UA combo.
Requirements
Determine a good rate limit (e.g. requests per minute) for the signup and login pages.
Limit the number of requests an individual IP + UA combo can make to our signup and login pages to the limit(s) you selected.
Acceptance Criteria
Justify the chosen limit(s) with some napkin math.
Must use the key/value store from Autocache using redis #1131 to store the time of the last request to each application-level rate-limited endpoint (signup and login) by IP address + UA combo.
Must add an end-to-end test that demonstrates rate limiting working for both signups and login attempts.
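A sketch of the check the requirements describe, added here as an illustration and not taken from the project's code: the time of the last accepted request is stored per endpoint and per IP + UA combo, and a request arriving too soon is refused. The `InMemoryKV` class, its `get`/`set` interface, the function names and the 2-second interval are all assumptions; the issue leaves the actual limit to be chosen.

```python
import hashlib
import time

MIN_INTERVAL_SECONDS = 2.0  # assumed value; the issue asks for the limit to be justified
RATE_LIMITED_ENDPOINTS = {"signup", "login"}


class InMemoryKV:
    """Stand-in for the project's key/value store (hypothetical get/set interface)."""

    def __init__(self):
        self._data = {}

    def get(self, key):
        return self._data.get(key)

    def set(self, key, value, ttl=None):
        # A real store would drop the key after `ttl` seconds; this dict keeps it.
        self._data[key] = value


def client_key(endpoint, ip, user_agent):
    # The User-Agent header is client-supplied and of arbitrary length, so it is
    # hashed to keep keys short and free of unexpected characters.
    ua_digest = hashlib.sha256(user_agent.encode("utf-8", "replace")).hexdigest()[:16]
    return f"ratelimit:{endpoint}:{ip}:{ua_digest}"


def allow_request(store, endpoint, ip, user_agent, now=None):
    """Return (allowed, retry_after_seconds) for one incoming request."""
    if endpoint not in RATE_LIMITED_ENDPOINTS:
        return True, 0.0
    now = time.time() if now is None else now
    key = client_key(endpoint, ip, user_agent)
    last = store.get(key)
    if last is not None and now - float(last) < MIN_INTERVAL_SECONDS:
        # Refused requests do not refresh the timestamp, so the wait is bounded.
        return False, MIN_INTERVAL_SECONDS - (now - float(last))
    # get-then-set is not atomic across workers; on Redis a single SET with the
    # NX and EX options performs the check and the store in one step.
    store.set(key, now, ttl=MIN_INTERVAL_SECONDS)
    return True, 0.0
```

Passing `now` explicitly makes the behaviour deterministic, which is also what an end-to-end test of the limit would need.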