USH-012 — Lack of Bruteforce Protection new user. #1607

Closed
willdoran opened this issue Mar 6, 2017 · 8 comments

@willdoran (Contributor) commented Mar 6, 2017

Expected behaviour

  • Captcha
  • IP limit or lockout for a certain amount of time

Actual behaviour

  • There is no protection against the automatic creation of user accounts. It was possible to create 10 accounts in 10 seconds.

Test script

  • Go to a deployment (i.e. qa.ushahididev.com)
  • In under 1 minute:
    • Register a new user
    • Register a second new user
    • Register a third new user
    • Register a fourth new user
  • Assuming this was done quickly, the fourth user should fail
@rjmackay (Contributor) commented Jun 7, 2017

We have a rate limiter for auth, we should add that to this endpoint.

@rjmackay (Contributor) commented May 3, 2018

Tagged this to cycle 4 since it's currently in progress.

@rowasc (Contributor) commented Jun 25, 2018

@willdoran what should we do about this ticket? Move to ready for dev to port to Kohana?

@rjmackay (Contributor) commented Jun 25, 2018

It still needs to land to develop. We should fix the conflicts and land it. Then close this issue. Backports are tracked in their own issue.

@rjmackay rjmackay self-assigned this Jun 26, 2018

@rjmackay (Contributor) commented Jun 26, 2018

I've rebased the existing PR. It just needs tests to run then it can land and go to QA

@rjmackay rjmackay reopened this Jun 26, 2018

@rjmackay (Contributor) commented Jun 26, 2018

@Eve-wanderi I've added a test script. It's possible this might be too hard to test manually, i.e. registration is too slow through the UI so you never hit the rate limit. If so, let me know and I can try to test directly on the API.

@Eve-wanderi commented Jun 26, 2018

@rjmackay Yeah, it's quite a challenge for me to do all four registrations for a new user in less than 1 minute, since I am doing this manually. Could you please assist by testing this directly on the API.

@rjmackay (Contributor) commented Jul 9, 2018

Tested. Rate limiting works but it just throws a 500 error
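A minimal version of the fix the thread converges on, added here as an example and not Ushahidi platform code: a per-IP sliding-window limiter on the registration endpoint whose rejection is mapped to a 429 with a Retry-After header instead of escaping as an unhandled error (the 500 seen in testing). The limit of three registrations per IP per minute is an assumption chosen to match the test script above, and the client address is a constructed documentation IP.

```python
"""Sliding-window rate limiter for a registration endpoint (added example).

Assumed policy: 3 registrations per source IP per 60 s, so the fourth
attempt inside a minute is rejected, as in the issue's test script.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


class RateLimitExceeded(Exception):
    """Raised by the limiter. The endpoint must catch this and answer 429;
    letting it escape is what surfaces to the client as a 500."""

    def __init__(self, retry_after: int):
        super().__init__(f"retry after {retry_after}s")
        self.retry_after = retry_after


@dataclass
class RegistrationLimiter:
    limit: int = 3            # assumed: attempts allowed per window
    window: float = 60.0      # window length in seconds
    hits: dict = field(default_factory=lambda: defaultdict(deque))

    def check(self, client_ip: str, now: float) -> None:
        q = self.hits[client_ip]
        # Drop timestamps that have fallen out of the sliding window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            # The oldest remaining hit decides when capacity frees up.
            raise RateLimitExceeded(int(self.window - (now - q[0])) + 1)
        q.append(now)


def register(limiter: RegistrationLimiter, client_ip: str, now: float) -> tuple:
    """Registration handler skeleton returning (status, headers).
    Catching RateLimitExceeded here turns the 500 into a proper 429."""
    try:
        limiter.check(client_ip, now)
    except RateLimitExceeded as exc:
        return 429, {"Retry-After": str(exc.retry_after)}
    return 201, {}


def replay_test_script(limiter: RegistrationLimiter = None) -> list:
    """Replays the issue's test script: four registrations from one
    (constructed) IP within a minute. Returns the status codes."""
    limiter = limiter or RegistrationLimiter()
    return [register(limiter, "203.0.113.7", t)[0] for t in (0, 10, 20, 30)]
```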

rjmackay added a commit that referenced this issue Jul 10, 2018