ZeusWPI / zauth

Zeus AUTHentication Service
MIT License

Prevent abuse of registration #94

Closed rien closed 3 years ago

rien commented 3 years ago

With #61 each new registration now sends an email to admins and there is nothing stopping someone from spamming the registration form at this moment. To ensure availability, we should add some kind of barrier. There are multiple options:

I need opinions on this: paging @redfast00, @iasoon, @wschella, @ajuvercr

wschella commented 3 years ago

Another suggestion, design a cool single small puzzle or question and validate the answer. If it doesn't stop the spam, add a captcha.

I'll figure out something tomorrow.

rien commented 3 years ago

It would be fun to have the puzzle be something which can change each time and which is easily verifiable. The hard thing is preventing someone from solving the challenge once and then "replaying" the same challenge response over and over again.

rien commented 3 years ago

I guess if #83 is a thing, we could allow for unauthenticated sessions and store the correct challenge response there.
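One way to get a puzzle that changes every time and still cannot be replayed, as an added example that is not part of zauth or of this thread: the expected answer is bound to an unauthenticated session id when the form is rendered, and is deleted from the store before the submitted answer is even compared, so a captured (session id, answer) pair is worthless the second time. The puzzle itself (a small sum) is deliberately trivial; the point is the binding and single-use logic, not puzzle difficulty. The session store, the `CHALLENGE_TTL` value and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 300  # seconds an unanswered challenge stays valid (assumed value)

# Stand-in for an unauthenticated session store, keyed by a random session id.
SESSIONS: dict = {}


def purge_expired() -> int:
    """Drop expired challenges so a bot that loads the form without ever
    answering cannot grow the store without bound. Returns the number removed."""
    now = time.monotonic()
    stale = [sid for sid, rec in SESSIONS.items() if now > rec["expires_at"]]
    for sid in stale:
        del SESSIONS[sid]
    return len(stale)


def issue_challenge(rng=secrets.SystemRandom()):
    """Generate a fresh, trivially verifiable puzzle and bind the expected
    answer to a new session. Returns (session_id, question_text)."""
    purge_expired()
    a, b = rng.randint(1, 20), rng.randint(1, 20)
    answer = str(a + b)
    session_id = secrets.token_urlsafe(32)  # unguessable, one per form load
    SESSIONS[session_id] = {
        # Store a digest rather than the answer so a leaked store is less useful.
        "answer_hash": hashlib.sha256(answer.encode()).digest(),
        "expires_at": time.monotonic() + CHALLENGE_TTL,
    }
    return session_id, f"What is {a} + {b}?"


def verify_challenge(session_id: str, answer: str) -> bool:
    """Check a submitted answer. The challenge is removed *before* it is
    checked, so the same (session_id, answer) pair cannot be replayed, and a
    wrong guess burns the challenge instead of allowing unlimited retries."""
    record = SESSIONS.pop(session_id, None)
    if record is None:
        return False
    if time.monotonic() > record["expires_at"]:
        return False
    submitted = hashlib.sha256(answer.strip().encode()).digest()
    return hmac.compare_digest(submitted, record["answer_hash"])
```

The registration handler would call `issue_challenge()` when rendering the form and `verify_challenge()` before touching the database or sending any mail; anything that fails verification is dropped without a mail being sent.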

wschella commented 3 years ago

Is the scope to stop spam/abuse by bots & other automated networks or by people looking to troll?

rien commented 3 years ago

> Is the scope to stop spam/abuse by bots & other automated networks or by people looking to troll?

Ideally, both. But I would think it is far more likely that someone will troll the registration form than that we get a lot of spambots.

iasoon commented 3 years ago

> requiring a user to confirm their email first before sending an email to the admin, but this is still susceptible to abuse

Why is this the case? I think email confirmation should make it non-trivial to create registration spam.

rien commented 3 years ago

Related to this issue @mcbloch also mentioned that it might be more logical to send an email to the newly registered user first before notifying admins.

This would certainly disable spam, but would not stop anyone with a list of (compromised) email addresses from writing a script like:

```sh
# one registration POST per address in the list
while read -r email; do
  curl -X POST https://auth.zeus.gent/users/register \
    --data-urlencode "username=$RANDOM" \
    --data-urlencode "email=$email" \
    --data "not_a_robot=true"
done < ugent-emails.txt
```

Which would cause Zauth to happily accept all registrations and send a confirmation email to each of the addresses in the list, which would result in DICT being very angry about the large amount of email traffic.

rien commented 3 years ago

A simpler way I can think of to avoid this issue is to limit the number of newly registered users with unconfirmed emails.

chvp commented 3 years ago

Anyone with their own domain has infinite email addresses and can easily script clicking the links in the confirmation mails.

wschella commented 3 years ago

Conclusion is we actually do need some form of captcha that makes scripting not possible. What is currently implemented in #107 is not that ofc.

(BTW, my original comment was because I thought the scope was inverted, and we were just trying to stop automated bots)

rien commented 3 years ago

> Anyone with their own domain has infinite email addresses and can easily script clicking the links in the confirmation mails.

You're right. To fix this we can also disable registrations once a certain number of pending users (which have to be accepted by an admin) is reached.

> Conclusion is we actually do need some form of captcha that makes scripting not possible. What is currently implemented in #107 is not that ofc.

I think a captcha is not necessarily needed with the limited registrations, unless we notice a large amount of abuse. Ideas and PRs for implementing that are still welcome though!

redfast00 commented 3 years ago

> You're right. To fix this we can also disable registrations once a certain number of pending users (which have to be accepted by an admin) is reached.

This does make it trivial for an attacker to deny usage of the signup form for other users. Maybe we can do something with the domain (for example: everyone has about 1 UGent mailing address). This should of course also work with non-UGent mailing addresses.

rien commented 3 years ago

> This does make it trivial for an attacker to deny usage of the signup form for other users.

Correct, but this is only a temporary inconvenience compared to a potential DoS of the Zeus/UGent mail services.

If the registration limit is reached, we can show an error message like this:

Oh no! It looks like we are receiving an unusual amount of registrations so we have temporarily disabled this form.
Please send an email to admin@zeus.ugent.be to request a user account and we'll be in touch soon.

Which would not prevent new users who want an account from requesting one.

For the record: I think the chance of someone trying to attack our systems is very low (both trolls or automated bots), but I do think that we should protect our application and mitigate the amount of damage that can be caused.
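The gate described in the last few comments (a global cap on pending users, with redfast00's per-domain idea layered on top), as an added example that is not zauth's own code and not part of the thread. The limits, the `Registry` model, the `admin_decide` hook and the counter that stands in for sending mail are all assumptions; the error text is the one proposed above. The important property is that every check runs before a confirmation mail would be sent, so the number of mails an attacker can trigger is bounded by `PENDING_LIMIT` no matter how many POSTs they fire.

```python
from collections import Counter
from dataclasses import dataclass, field

# Hypothetical limits; the thread does not settle on concrete numbers.
PENDING_LIMIT = 20      # global cap on users awaiting confirmation / admin approval
PER_DOMAIN_LIMIT = 3    # cap on pending users sharing one email domain

DISABLED_MESSAGE = (
    "Oh no! It looks like we are receiving an unusual amount of registrations, "
    "so we have temporarily disabled this form.\n"
    "Please send an email to admin@zeus.ugent.be to request a user account "
    "and we'll be in touch soon."
)


@dataclass
class User:
    username: str
    email: str
    state: str = "pending"  # pending -> accepted (by an admin); rejected users are removed


def email_domain(email: str) -> str:
    # Normalise so Foo@UGent.be and foo@ugent.be count against the same domain.
    return email.rsplit("@", 1)[-1].strip().lower()


@dataclass
class Registry:
    users: dict = field(default_factory=dict)   # username -> User
    mails_sent: int = 0                          # confirmation mails we *would* have sent

    def pending(self):
        return [u for u in self.users.values() if u.state == "pending"]

    def register(self, username: str, email: str):
        """Attempt a registration. Returns (accepted, message). All limit
        checks happen before the (simulated) mail is sent, so a flood of POSTs
        cannot turn the service into a mail cannon."""
        if not username or "@" not in email:
            return False, "invalid username or email"
        if username in self.users:
            return False, "username already taken"
        pending = self.pending()
        if len(pending) >= PENDING_LIMIT:
            return False, DISABLED_MESSAGE
        per_domain = Counter(email_domain(u.email) for u in pending)
        if per_domain[email_domain(email)] >= PER_DOMAIN_LIMIT:
            # Same message on purpose: do not tell the caller which limit tripped.
            return False, DISABLED_MESSAGE
        self.users[username] = User(username, email)
        self.mails_sent += 1  # stand-in for sending the confirmation mail
        return True, "confirmation email sent"

    def admin_decide(self, username: str, accept: bool) -> None:
        """An admin accepting or rejecting a pending user frees a slot."""
        user = self.users[username]
        if accept:
            user.state = "accepted"
        else:
            del self.users[username]
```

As redfast00 noted, an attacker can still fill the global cap and lock honest users out until an admin clears the queue; the per-domain cap makes that cost more domains, and the error message keeps a manual path open, but the trade-off (bounded mail volume versus a temporarily disabled form) is the one rien accepts above.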

redfast00 commented 3 years ago

Sounds good!

maartenvn commented 3 years ago

This can be closed right? (#107)

rien commented 3 years ago

The fix (limiting the amount of pending users) is included in #64 so I will leave this open until that PR is merged.