Closed cgolubi1 closed 3 weeks ago
What I did on my local site:
I created new accounts as quickly as I could: c1, c2, c3, c4, c5 succeeded, and c6 failed:
Then I waited exactly 15 minutes from c1's validation timestamp and tried again, and c6 succeeded:
Then I immediately tried to create another account, c7, and that one failed (because c2-c6 were now within the 15m):
Records in player_verification table:

```
mysql> select * from player_verification;
+-----------+----------------------------------+------------+---------------------+
| player_id | verification_key                 | ipaddr     | generation_time     |
+-----------+----------------------------------+------------+---------------------+
|         1 | 9e290dbb063c8a1b78586cfb37c93684 | 172.17.0.1 | 2024-10-26 21:26:04 |
|         2 | 61d311c35628c0aeedc25a285ce40fcb | 172.17.0.1 | 2024-10-26 21:26:33 |
|         3 | 721b2c2e497a6c5d428ff3e47cf5a26f | 172.17.0.1 | 2024-10-26 21:26:43 |
|         4 | 6471400b152d0ebb72f9fa03cfdcb93e | 172.17.0.1 | 2024-10-26 21:26:52 |
|         5 | 2eefb7d9b19a63e7d9dd23da18d09adf | 172.17.0.1 | 2024-10-26 21:27:01 |
|         6 | d898da064ad90e1a12edc16d6d3e6cdf | 172.17.0.1 | 2024-10-26 21:41:05 |
+-----------+----------------------------------+------------+---------------------+
6 rows in set (0.01 sec)
```
Looks good to me. Merging now.
This is the simplest fix for the issue I could think of.
We don't have a very well-defined goal in limiting the number of new user creation requests --- it's just that user creation and password reset verification are parts of the site that can be accessed without an account, so they're relatively more DoS-prone than most of the site for which you have to be logged in.
So "no more than 5 new accounts within 15 minutes" is completely arbitrary, but IMO it's better to have some speedbump than none, and the details don't matter very much.
I'm standing up a dev site for this, and also did some local testing, which I'll describe in a comment to the PR.
Dev site: https://2977-account-creation-ipaddr-check.cgolubi1.dev.buttonweavers.com/ui/
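The per-IP speedbump described in the PR ("no more than 5 new accounts within 15 minutes", checked against the `player_verification` table) and the c1..c7 sequence from the testing comment, as an added example that is not the project's own code. It loads the six rows from the mysql output above into an in-memory SQLite table and replays the test: the table columns come from the page, while the function names, the `COUNT(*)` query, the strict `>` cutoff comparison and the exact times at which c6 and c7 were attempted are assumptions.

```python
"""Sliding-window limit on new-account requests per source IP.

Added example, not code from the PR. The player_verification columns mirror
the mysql output in the PR comment; the query shape, function names and the
boundary semantics of the 15-minute window are assumptions.
"""
import sqlite3
from datetime import datetime, timedelta

MAX_NEW_ACCOUNTS = 5            # "no more than 5 new accounts ..."
WINDOW = timedelta(minutes=15)  # "... within 15 minutes"

# Rows copied from the mysql output in the PR comment (player_id 1-6 = c1-c6).
SAMPLE_ROWS = [
    (1, "9e290dbb063c8a1b78586cfb37c93684", "172.17.0.1", "2024-10-26 21:26:04"),
    (2, "61d311c35628c0aeedc25a285ce40fcb", "172.17.0.1", "2024-10-26 21:26:33"),
    (3, "721b2c2e497a6c5d428ff3e47cf5a26f", "172.17.0.1", "2024-10-26 21:26:43"),
    (4, "6471400b152d0ebb72f9fa03cfdcb93e", "172.17.0.1", "2024-10-26 21:26:52"),
    (5, "2eefb7d9b19a63e7d9dd23da18d09adf", "172.17.0.1", "2024-10-26 21:27:01"),
    (6, "d898da064ad90e1a12edc16d6d3e6cdf", "172.17.0.1", "2024-10-26 21:41:05"),
]

FMT = "%Y-%m-%d %H:%M:%S"  # matches the DATETIME text shown by mysql


def make_db(rows):
    """Create the player_verification table in memory and load the given rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE player_verification ("
        " player_id INTEGER, verification_key TEXT,"
        " ipaddr TEXT, generation_time TEXT)"
    )
    conn.executemany("INSERT INTO player_verification VALUES (?, ?, ?, ?)", rows)
    return conn


def recent_requests(conn, ipaddr, now):
    """Count verification rows from ipaddr generated inside the last WINDOW.

    Assumption: a row exactly WINDOW old no longer counts (strict '>'), which
    is what lets a retry 'exactly 15 minutes' after c1 go through.
    ISO-formatted timestamps compare correctly as strings.
    """
    cutoff = (now - WINDOW).strftime(FMT)
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM player_verification"
        " WHERE ipaddr = ? AND generation_time > ?",
        (ipaddr, cutoff),
    ).fetchone()
    return count


def may_create_account(conn, ipaddr, now):
    """True if ipaddr still has budget for another account request."""
    return recent_requests(conn, ipaddr, now) < MAX_NEW_ACCOUNTS


def record_request(conn, player_id, verification_key, ipaddr, now):
    """Insert the row the site would write for a successful creation request."""
    conn.execute(
        "INSERT INTO player_verification VALUES (?, ?, ?, ?)",
        (player_id, verification_key, ipaddr, now.strftime(FMT)),
    )


def replay_pr_test(ip="172.17.0.1"):
    """Replay the c1..c7 sequence from the PR comment; return the outcomes.

    Attempt times for the first c6 try and for c7 are constructed; c6's
    successful time is the generation_time recorded in the table.
    """
    conn = make_db([])
    outcomes = []
    for player_id, key, row_ip, ts in SAMPLE_ROWS[:5]:          # c1..c5
        when = datetime.strptime(ts, FMT)
        ok = may_create_account(conn, row_ip, when)
        if ok:
            record_request(conn, player_id, key, row_ip, when)
        outcomes.append(ok)
    outcomes.append(may_create_account(conn, ip, datetime(2024, 10, 26, 21, 27, 10)))  # c6, too soon
    c6_id, c6_key, c6_ip, c6_ts = SAMPLE_ROWS[5]
    c6_when = datetime.strptime(c6_ts, FMT)                       # 21:41:05, window has moved
    ok = may_create_account(conn, c6_ip, c6_when)
    if ok:
        record_request(conn, c6_id, c6_key, c6_ip, c6_when)
    outcomes.append(ok)
    outcomes.append(may_create_account(conn, ip, datetime(2024, 10, 26, 21, 41, 10)))  # c7, c2..c6 inside window
    return outcomes


if __name__ == "__main__":
    print(replay_pr_test())  # expected: [True, True, True, True, True, False, True, False]
```

Because the budget is keyed on `ipaddr`, every client behind one NAT or proxy shares it, and the column must hold the address the application actually trusts rather than an unverified forwarded header; that is the trade-off behind a deliberately coarse speedbump like this one.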