feat: Add registration rate limiting mechanism

Introduces a rate limiting mechanism to prevent excessive registration attempts from a single IP address by displaying a custom message when limits are exceeded. Limits users to 5 registration attempts within a 24-hour period by checking recent attempts and blocking additional ones when necessary. This helps prevent abuse and overloading of the registration system.
2024-11-16 22:27:55 +01:00 · 2024-11-16 22:27:55 +01:00 · e67e89a09b
commit e67e89a09b
parent 0e8116cd68
2 changed files with 24 additions and 2 deletions
--- a/src/synapse_registration/registration/templates/registration/ratelimit.html
+++ b/src/synapse_registration/registration/templates/registration/ratelimit.html
@ -0,0 +1,9 @@
+{% extends "base.html" %}
+{% block title %}
+    Hold Your Horses
+{% endblock title %}
+{% block content %}
+    <div class="notification is-danger">
+        You cannot start additional registrations at this time.
+    </div>
+{% endblock content %}
--- a/src/synapse_registration/registration/views.py
+++ b/src/synapse_registration/registration/views.py
@ -3,10 +3,14 @@ from django.shortcuts import render, redirect, get_object_or_404
 from django.urls import reverse_lazy
 from django.core.mail import send_mail
 from django.conf import settings
+
 from .forms import UsernameForm, EmailForm, RegistrationForm
 from .models import UserRegistration
+
 import requests
+
 from secrets import token_urlsafe
+from datetime import datetime, timedelta


 class LandingPageView(TemplateView):
@ -51,13 +55,22 @@ class EmailInputView(FormView):
            )
            return self.form_invalid(form)

-        token = token_urlsafe(32)
-
        if not settings.TRUST_PROXY:
            ip_address = self.request.META.get("REMOTE_ADDR")
        else:
            ip_address = self.request.META.get("HTTP_X_FORWARDED_FOR")

+        if (
+            UserRegistration.objects.filter(
+                ip_address=ip_address,
+                timestamp__gte=datetime.now() - timedelta(hours=24),
+            ).count()
+            >= 5
+        ):
+            return render(self.request, "registration/ratelimit.html", status=429)
+
+        token = token_urlsafe(32)
+
        UserRegistration.objects.create(
            username=self.request.session["username"],
            email=email,