yingshaoxo / we_love_party

Let's party.

There is a security issue with the current JWT auth function: it only uses a 6-digit random number, which is easy to crack by brute force #12

Closed yingshaoxo closed 1 year ago

yingshaoxo commented 1 year ago

The current 6-digit random string can be cracked within int((10**6) / 5000 / 60) = 3 minutes if the hacker requests the auth API at a rate of 5000 times per second.

You need to set an auth limit for each email account for every 12 hours. Let's say, 3 times per 12 hours.

So it will take int(10**6 / 3 / 30 / 12) = 925 years to crack it.
This change will affect: user_register_request and user_register_confirm API.
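The limiter proposed above, written out as an added example (this is not code from the we_love_party repository): a per-email confirmation store that issues a 6-digit code, refuses further attempts once 3 failures have been recorded inside a 12-hour window, and compares codes in constant time. The `ConfirmationStore`, `issue_code`, `confirm` and `seconds_to_exhaust` names are assumptions made for the example; the two API names in the comment are represented only by which method each would call. Re-requesting a code deliberately keeps the existing failure count, since otherwise `user_register_request` would reset the limit that `user_register_confirm` enforces.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Parameters taken from the comment above.
CODE_DIGITS = 6
MAX_FAILURES = 3
WINDOW_SECONDS = 12 * 3600


@dataclass
class PendingConfirmation:
    code: str
    # Timestamps of failed attempts; pruned to the current window on each check.
    failures: List[float] = field(default_factory=list)


class ConfirmationStore:
    """Hypothetical in-memory store for pending email confirmations."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now  # injectable clock so the window can be tested
        self._pending: Dict[str, PendingConfirmation] = {}

    def issue_code(self, email: str) -> str:
        """Called by user_register_request: mint a fresh code, keep prior failures."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        previous = self._pending.get(email)
        failures = previous.failures if previous else []
        self._pending[email] = PendingConfirmation(code=code, failures=failures)
        return code

    def _recent_failures(self, rec: PendingConfirmation, now: float) -> int:
        rec.failures = [t for t in rec.failures if now - t < WINDOW_SECONDS]
        return len(rec.failures)

    def confirm(self, email: str, submitted: str) -> str:
        """Called by user_register_confirm; returns a short status string."""
        rec: Optional[PendingConfirmation] = self._pending.get(email)
        if rec is None:
            return "no_pending"
        now = self._now()
        # Check the limit before looking at the code, so a locked account
        # gives the same answer for right and wrong guesses.
        if self._recent_failures(rec, now) >= MAX_FAILURES:
            return "rate_limited"
        if hmac.compare_digest(rec.code.encode(), submitted.encode()):
            del self._pending[email]  # one-time use
            return "ok"
        rec.failures.append(now)
        return "wrong_code"


def seconds_to_exhaust(digits: int, attempts_per_window: int, window_seconds: float) -> float:
    """Worst-case time to try every code of `digits` digits at the given rate."""
    rate = attempts_per_window / window_seconds  # attempts per second
    return 10 ** digits / rate
```

`seconds_to_exhaust(6, 5000, 1)` reproduces the unthrottled figure (200 seconds for the full space); `seconds_to_exhaust(6, 3, 12 * 3600)` gives the worst case under the proposed limit, and dividing by seconds-per-year turns it into the multi-century figure the comment is after. The average guess succeeds after half the space, so halve either number for the expected time.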

yingshaoxo commented 1 year ago

Oh, thanks for the advice.

I'll change it to 10 numbers for sure.

yingshaoxo commented 1 year ago

I did the change.