goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Ratelimit flow executions - prevent "reset password" email spam #2894

Open jemand771 opened 2 years ago

jemand771 commented 2 years ago

Describe your question With the default recovery flow (reset password with email validation), it's possible to spam authentik users with emails. Just enter their username/email, hit "forgot password?" and go nuts on the "resend email" button.

I'd like to somehow prevent this. The first solution that came to my mind is limiting the recovery flow to running once every x minutes (per user), but maybe there is an entirely different (and possibly better) way of doing this. Question: how?

Version and Deployment

Additional context The whole flow/stage concept is pretty overwhelming so it's possible that I've just missed some obvious config option. I've looked through the docs and clicked around in the admin interface but couldn't find anything related.

As a hacky workaround I thought of something like adding users to a group "is-in-recovery" and taking the group membership away after x minutes. The recovery flow may then only be executed by people without the group.

fuomag9 commented 1 year ago

A stupid yet simple idea would be to pass a captcha in order to make the request. That way you can't spam the endpoint

rucciva commented 1 year ago

Hi @fuomag9, just wondering how you configure the captcha to prevent spam?

Because, CMIIW, once you pass the captcha stage, you can still spam the button as usual.

I have checked this with a captcha-protected login stage: after the login form loaded following the captcha stage, I could copy the cookie to an automation tool such as Burp Suite and brute force the login page.
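As an added illustration of the per-user cooldown jemand771 proposes ("once every x minutes, per user") and of rucciva's point that a captcha passed once does not stop repeated sends from the same session, here is a hypothetical stand-alone Python model. It is not authentik's flow/stage code; the class name, function names and the sample traffic are assumptions constructed for the example.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class RecoveryEmailLimiter:
    """Per-user cooldown for recovery ("reset password") emails.

    Hypothetical stand-alone model of the "once every x minutes per user"
    idea from the issue; not authentik's own code. In a multi-worker
    deployment the _last_sent map would have to live in shared storage.
    """
    cooldown_seconds: float = 600.0                 # "x minutes" between emails
    clock: Callable[[], float] = time.monotonic     # injectable for tests
    _last_sent: Dict[str, float] = field(default_factory=dict)

    def try_send(self, user_id: str) -> bool:
        """Return True if an email may go out now, recording the send.

        Evaluated on every send and resend request, so a session that already
        passed a captcha stage (or a copied cookie replayed by a tool) is
        still held to the same per-user limit.
        """
        now = self.clock()
        last = self._last_sent.get(user_id)
        if last is not None and now - last < self.cooldown_seconds:
            return False                            # still inside the cooldown
        self._last_sent[user_id] = now
        return True


def simulate(requests: List[Tuple[float, str]], cooldown: float = 600.0) -> List[bool]:
    """Replay constructed (timestamp, user) requests; return one decision each."""
    now = [0.0]
    limiter = RecoveryEmailLimiter(cooldown, clock=lambda: now[0])
    decisions = []
    for ts, user in requests:
        now[0] = ts
        decisions.append(limiter.try_send(user))
    return decisions


# Constructed traffic: alice hammers "resend email"; bob makes one request;
# alice's request at t=600 falls outside the window and is delivered again.
SAMPLE = [(0.0, "alice"), (2.0, "alice"), (5.0, "bob"), (30.0, "alice"), (600.0, "alice")]
```

`simulate(SAMPLE)` returns `[True, False, True, False, True]`: only the first request per user in each cooldown window results in an email, regardless of how many times the button is pressed.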