[FEATURE] Add RateLimit spam check method #1314
Open
A new spam prevention method that marks form submissions as spam when a user submits forms too often in a given time frame, e.g. 10x in 5 minutes.
This helps reduce spam flood attacks, because only the first submissions will be allowed.
The RateLimitMethod utilizes the Symfony rate limiter that is already used by the TYPO3 backend login to prevent brute-force attacks.
Implementation notes
Only valid form submissions are counted toward the rate limit. This requires splitting the rate limit check (RateLimitMethod) from the actual rate limit consumption (RateLimitFinisher).
Configuration
Both interval and limit are configurable via TypoScript. All valid DateTimeInterval strings are accepted, allowing interval declarations like "10 minutes" or "5 hours".
Configuring the properties for the rate-limiting identifier is possible:
Either rate limit all submissions from an IP address, or rate limit submissions from an IP to a certain form only.
Adding form field values is possible as well, preventing duplicate submissions from e.g. an e-mail address.
Storage
Rate limit information is stored via TYPO3's caching framework in the 'ratelimiter' cache. This allows admins to share the limit across multiple machines by configuring it to use a database or Redis backend.
Heavily inspired by Chris Müller's brotkrueml/typo3-form-rate-limit extension.
When using this spam check method, users will get the standard error:
Maybe it would be better to build this as a global validator? This would allow us to display a specific error message.
The downside would be that manual IP whitelisting would be needed, which already exists for spam shield.
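The check/consume split from "Implementation notes" and the identifier properties from "Configuration", shown as a stand-alone PHP example built directly on the Symfony RateLimiter component (added here for illustration; it is not code from this pull request, from powermail or from brotkrueml/typo3-form-rate-limit). The `$settings` array, the `identifierProperties` key, the function names and the sample request data are assumptions made for this example; only the Symfony classes and methods are real. Run it with `composer require symfony/rate-limiter` in place.

```php
<?php
declare(strict_types=1);

// composer require symfony/rate-limiter
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\RateLimiter\LimiterInterface;
use Symfony\Component\RateLimiter\RateLimiterFactory;
use Symfony\Component\RateLimiter\Storage\InMemoryStorage;

// Hypothetical stand-in for the TypoScript settings described in the PR:
// interval and limit, plus which properties make up the limiter key.
$settings = [
    'interval'             => '5 minutes',            // DateInterval-style string, as Symfony accepts it
    'limit'                => 10,                     // submissions allowed per interval
    'identifierProperties' => ['ip', 'form', 'email'], // key = IP + form + a field value
];

// InMemoryStorage is per-process; behind a load balancer use
// Symfony\Component\RateLimiter\Storage\CacheStorage over a shared PSR-6
// pool, which is what "database or Redis backend" in the PR amounts to.
$factory = new RateLimiterFactory([
    'id'       => 'form_submissions',
    'policy'   => 'sliding_window',
    'limit'    => $settings['limit'],
    'interval' => $settings['interval'],
], new InMemoryStorage());

/**
 * Build the limiter key. $clientIp must already be the trusted client address
 * (reverse-proxy handling done upstream), otherwise a sender can pick their own
 * bucket via forged X-Forwarded-For headers. Field values are hashed so PII such
 * as e-mail addresses is never written to the cache backend in clear text.
 */
function buildIdentifier(array $settings, string $clientIp, string $formId, array $fields): string
{
    $parts = [];
    foreach ($settings['identifierProperties'] as $property) {
        $parts[] = match ($property) {
            'ip'    => $clientIp,
            'form'  => $formId,
            default => strtolower(trim((string)($fields[$property] ?? ''))),
        };
    }
    return hash('sha256', implode('|', $parts));
}

/** Spam-check role: probe the counter without consuming a token. */
function isRateLimited(LimiterInterface $limiter): bool
{
    $status = $limiter->consume(0); // 0 tokens = read-only probe of the window
    return !$status->isAccepted() || $status->getRemainingTokens() <= 0;
}

/**
 * Finisher role: count the submission only after every other check passed.
 * A concurrent request may have taken the last token between probe and
 * consume, so a rejected consume must also be treated as spam.
 */
function registerSubmission(LimiterInterface $limiter): bool
{
    return $limiter->consume(1)->isAccepted();
}

// Constructed sample request data for the demonstration.
$clientIp = '203.0.113.7';
$formId   = 'contact';
$fields   = ['email' => 'Alice@Example.org', 'message' => 'hello'];

$limiter = $factory->create(buildIdentifier($settings, $clientIp, $formId, $fields));

// 12 submissions in one window with limit 10: the first 10 pass, 11 and 12 are spam.
for ($i = 1; $i <= 12; $i++) {
    if (isRateLimited($limiter)) {
        $retryAt = $limiter->consume(0)->getRetryAfter()->format('H:i:s');
        printf("submission %2d: rejected as spam, retry after %s\n", $i, $retryAt);
        continue;
    }
    // ... other spam checks and field validation would run here ...
    $counted = registerSubmission($limiter);
    printf("submission %2d: %s\n", $i, $counted ? 'accepted' : 'rejected (limit reached concurrently)');
}
```

Two points worth keeping when porting this into an extension: the probe uses `consume(0)`, so a failed submission never burns a token, which is exactly what the RateLimitMethod/RateLimitFinisher split is for; and the key is hashed, so changing `identifierProperties` to include a field value does not leak that value into whichever cache backend the 'ratelimiter' cache is mapped to.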