
Flask: throttle initiation requests per me/ip #25

Open
fluffy-critter opened this issue Jul 18, 2019 · 1 comment

Comments

@fluffy-critter
Contributor

fluffy-critter commented Jul 18, 2019

To prevent a site from being used in an amplification attack or part of an email bomb or whatever, the login endpoint should throttle requests made based on both the me parameter and on the originating IP address (as determined by e.g. flask.request.headers.get("x-forwarded-for", flask.request.remote_addr) or whatever the correct invocation is). The timeout should probably be stored in an expiringdict with the next timeout computed by adding the delta between the current timeout and the current time multiplied by some constant, with the initial timeout and constant being configurable.

Care should be taken to not accidentally make this a vector for maliciously locking people out, though.

@fluffy-critter
Contributor Author

Might not really be necessary/useful though. #18 handles the email bomb case, and fixed OAuth-based handlers only produce a forwarding URL for the user to follow. Discovery-based handlers (mastodon/indieauth) should be caching the discovered endpoint/credentials already.

So this feels like a low priority but it’s something to keep in mind for any future auth mechanisms which come along.
