Rate limiting on signup is important to prevent an attacker from creating lots of spam accounts in the database and eventually exhausting database resources or disrupting the flow.

Rate limiting on password reset is important to prevent an attacker from flooding a victim's mailbox.

So here is my question: How do I prevent this? I didn't find any mention of this scenario on the devise GitHub repo. I think the implementation part would be okay for me: put the code in the corresponding action in the devise controller. My question is mainly about discussing which approach to take.

A strategy I can think of is saving the number of signup requests for each IP in Redis, with maybe an expiration time of 30 minutes or whatever. And if that number is higher than, let's say, 10, fail with a notice. Similarly, Redis could be used to save and expire email addresses to which password reset emails have been sent and allow only one every 30 minutes.

But one could also use Postgres for that, or maybe even something in-memory. Is there any more or less standard approach for this? How do you handle this?

  • Rate limiting/throttling isn't really a concern of Devise. For that you want Rack::Attack or optimally to perform the throttling on the HTTP server layer (such as Apache or NGINX). While you could do throttling on the controller layer in Rails, it's quite inefficient to do it that far down the pipeline. If you're blocking requests simply based on IP, you want to stop it as early as possible before you have expended any more web worker time. Commented May 14, 2024 at 9:32
  • However, throttling is not really an effective way of dealing with bad actors creating spam accounts, and if that's an issue you need to look into anti-bot protection like CAPTCHA. Throttling can however be a part of the line of defense against rainbow table attacks. Commented May 14, 2024 at 9:40
  • "Redis could be used to save and expire email addresses to which password reset emails have been sent and allow only one every 30 minutes". This provides no real protection as spammers can have an unlimited number of potential emails. It just takes a (hijacked) domain and a simple email server. Commented May 14, 2024 at 10:48
  • Thank you for your thoughts on this. As a matter of fact, I don't have access to the web server in front of my Rails application. And CAPTCHA is already implemented. As for the last comment: Asking for a password reset email for an email address that does not have an account simply returns an error. Therefore, I don't think the objection applies here. Commented May 15, 2024 at 20:38
  • Your hint at Rack::Attack seems to be what I was looking for though. Thank you. I'd accept that as answer if you submit it as answer. Commented May 15, 2024 at 20:39
