Security issue with the current JWT auth function: it only uses a 6-digit random number, which is easy to crack by brute force #12
The current 6-digit random code can be cracked within int((10**6) / 5000 / 60) = 3 minutes if the attacker requests the auth API at a rate of 5000 times per second.
You need to set an auth attempt limit for each email account for every 12 hours. Let's say, 3 times per 12 hours.
Then it will take int(10**6 / 3 / 30 / 12) = 925 years to crack it.
This change will affect the user_register_request and user_register_confirm APIs.
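The per-email limit proposed above, as an added example that is not the project's own code: it keeps the `user_register_request` / `user_register_confirm` names from the issue, but the implementation, the in-memory stores (a stand-in for a shared store such as Redis) and the `now` parameter are assumptions made for this illustration. Failed confirmations consume the 3-per-12-hours budget, a confirmation that arrives over budget is refused before the code is even compared, and the code is compared in constant time and invalidated after one successful use.

```python
import hmac
import secrets
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional

WINDOW_SECONDS = 12 * 60 * 60   # 12-hour window, as proposed in the issue
MAX_ATTEMPTS = 3                 # 3 confirm attempts per email per window

# Constructed in-memory stores; a real service would use a shared store (e.g. Redis)
# so the limit holds across API workers.
_codes: Dict[str, str] = {}
_attempts: Dict[str, Deque[float]] = defaultdict(deque)


def user_register_request(email: str) -> str:
    """Issue a fresh 6-digit code for the email address.

    Returned here only so the example can be tested; the real service would
    send it by email. Issuing a new code replaces any earlier one but does NOT
    reset the attempt counter, so re-requesting a code cannot refill the budget.
    """
    code = f"{secrets.randbelow(10**6):06d}"
    _codes[email] = code
    return code


def _prune(q: Deque[float], now: float) -> None:
    """Drop attempt timestamps that fell out of the 12-hour sliding window."""
    while q and now - q[0] >= WINDOW_SECONDS:
        q.popleft()


def remaining_attempts(email: str, now: Optional[float] = None) -> int:
    """How many confirm attempts this email still has in the current window."""
    now = time.time() if now is None else now
    q = _attempts[email]
    _prune(q, now)
    return MAX_ATTEMPTS - len(q)


def user_register_confirm(email: str, code: str, now: Optional[float] = None) -> str:
    """Check a submitted code. Returns 'ok', 'invalid' or 'rate_limited'."""
    now = time.time() if now is None else now
    q = _attempts[email]
    _prune(q, now)
    if len(q) >= MAX_ATTEMPTS:
        return "rate_limited"          # refuse before comparing anything
    q.append(now)                      # every attempt, right or wrong, spends budget
    expected = _codes.get(email)
    if expected is not None and hmac.compare_digest(expected, code):
        del _codes[email]              # single use: a guessed code cannot be replayed
        return "ok"
    return "invalid"


if __name__ == "__main__":
    issued = user_register_request("demo@example.com")
    print(user_register_confirm("demo@example.com", "000000"))   # invalid (almost surely)
    print(remaining_attempts("demo@example.com"))                # 2
    print(user_register_confirm("demo@example.com", issued))     # ok
```

With these numbers an attacker gets at most 3 guesses per email per 12 hours regardless of request rate, which is the bound the issue's 925-year estimate rests on; the limit must be keyed on the email address being confirmed, not on the client IP, or it is trivially sidestepped.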