🦋 Add antispam limitation on session link request & password recovery request #609
Comments
We can use hcaptcha: https://www.hcaptcha.com/

I understand the point but I have cold feet about captchas (especially centralized captcha services)
Hcaptcha is supposed to be the alternative to Google captchas, RGPD-focused & so on. And it has a free plan. Open to alternatives but it seems to be the easiest option. A more complicated solution would be nostr-initiated (for npub auth), or preventing email altogether and only allowing SSO, or asking the user to send an email to a specific email address to reset their password (but it can become complicated).

For password reset it's fine, for temporary session request no: a spammer could send 1 million different emails and get the bootik blacklisted from all email providers (also send to variations, eg [email protected], [email protected] and so on).

Regarding captchas, with the paid version of hcaptcha ($100/month) it can be invisible to users. Otherwise we can try to limit IPs, eg one IP can only do one send email request of any kind per 15 minutes, just have to handle IPv4 and IPv6.
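The IP-based limit proposed above, as an added TypeScript example (not beBOP's code, and not what #747 implements): one email-triggering request per client per 15 minutes, shared by every endpoint that sends mail, keyed on the full IPv4 address or on the IPv6 /64 prefix so that a sender cannot rotate through the addresses of one prefix. The class and function names are assumptions.

```typescript
import { isIP } from "node:net";

// Added example, not beBOP code. One email-triggering request per client
// per 15 minutes, across session-link and password-recovery endpoints.
const WINDOW_MS = 15 * 60 * 1000;

// Normalise the client address to the unit the sender actually controls:
// the whole address for IPv4, the /64 prefix for IPv6 (ISPs hand out /64s,
// so per-address limiting is bypassed by just changing the host part).
function rateLimitKey(ip: string): string {
  const kind = isIP(ip);
  if (kind === 4) return `v4:${ip}`;
  if (kind !== 6) throw new Error(`not an IP address: ${ip}`);
  // IPv4-mapped IPv6 (::ffff:a.b.c.d) is really an IPv4 client.
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(ip);
  if (mapped) return `v4:${mapped[1]}`;
  // Expand "::" so the first four 16-bit groups (the /64) can be taken.
  const [head, tail = ""] = ip.split("::");
  const left = head ? head.split(":") : [];
  const right = tail ? tail.split(":") : [];
  const groups: string[] = ip.includes("::")
    ? [...left, ...Array(8 - left.length - right.length).fill("0"), ...right]
    : left;
  const prefix = groups.slice(0, 4).map((g) => g.padStart(4, "0").toLowerCase());
  return `v6:${prefix.join(":")}::/64`;
}

class EmailRequestLimiter {
  private lastSend = new Map<string, number>();
  private readonly windowMs: number;
  constructor(windowMs = WINDOW_MS) {
    this.windowMs = windowMs;
  }
  // Returns true if this client may trigger an email now, and records it.
  allow(ip: string, now = Date.now()): boolean {
    const key = rateLimitKey(ip);
    const last = this.lastSend.get(key);
    if (last !== undefined && now - last < this.windowMs) return false;
    this.lastSend.set(key, now);
    // Keep the map bounded: drop expired entries once it grows large.
    if (this.lastSend.size > 10_000) this.prune(now);
    return true;
  }
  private prune(now: number): void {
    for (const [k, t] of this.lastSend) {
      if (now - t >= this.windowMs) this.lastSend.delete(k);
    }
  }
}
```

Use a single `EmailRequestLimiter` instance for both the session-link and the password-recovery handlers, otherwise each endpoint gets its own 15-minute budget. Behind a reverse proxy, the `ip` passed in must come from the proxy-set client address, not the socket peer.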
My proposition: let's split into 3 tickets with 3 priorities.

Added IP-based rate limiting in #747
Anonymous users can currently use https://dev-bootik.pvh-labs.ch/customer/login to spam people with messages.
Anonymous users finding the admin URL and an employee login or contact can currently use https://dev-bootik.pvh-labs.ch/admin-tirodem/login/recovery to do it too (still bothersome but less likely to happen).
We need a way to block this to avoid beBOP becoming a spam tool.