This repository was archived by the owner on Feb 5, 2024. It is now read-only.
From looking at the code, in main.go, it looks like there is nothing preventing a user from flooding the API and creating loads of accounts in a short amount of time. It would probably be a better idea to add a cooldown to all handlers to avoid potentially overloading the server / database.
I haven't checked how this server is run so it's possible there is a ratelimit on the reverse proxy it's being run behind.
Maybe worth taking a look? Feel free to point out what I got wrong.
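The kind of cooldown the issue asks for, as an added example that is not code from this repository's main.go: a per-client token-bucket limiter wrapped around every handler of a standard net/http mux (`http.ListenAndServe(addr, NewLimiter(0.1, 3).Middleware(mux))` would allow each client a burst of 3 requests, then one every 10 seconds; those numbers are made up for the example).

```go
package main

import (
	"math"
	"net"
	"net/http"
	"sync"
	"time"
)

type bucket struct {
	tokens float64   // requests this client may still make right now
	last   time.Time // instant of the last refill
}
// Limiter grants each client `burst` requests at once, then `rate` more per second.
type Limiter struct {
	mu          sync.Mutex
	buckets     map[string]*bucket
	rate, burst float64
}
func NewLimiter(rate, burst float64) *Limiter {
	return &Limiter{buckets: map[string]*bucket{}, rate: rate, burst: burst}
}
// AllowAt reports whether key may proceed at instant now, consuming one token if so.
func (l *Limiter) AllowAt(key string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	b, ok := l.buckets[key]
	if !ok {
		b = &bucket{tokens: l.burst, last: now}
		l.buckets[key] = b
	}
	b.tokens = math.Min(l.burst, b.tokens+now.Sub(b.last).Seconds()*l.rate) // refill
	b.last = now
	if ok = b.tokens >= 1; ok {
		b.tokens--
	}
	return ok
}
// Middleware wraps a handler or the whole mux and answers 429 when the peer's bucket is empty.
func (l *Limiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, _ := net.SplitHostPort(r.RemoteAddr) // "ip:port"; unparsable -> shared "" bucket
		if !l.AllowAt(host, time.Now()) {
			http.Error(w, "too many requests", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Behind a reverse proxy such as Cloudflare, RemoteAddr is the proxy's own address, so the bucket key has to come from the client-IP header that proxy sets, and only when the request provably arrived through that proxy. The map of buckets also grows with the number of distinct clients, so a long-running server should periodically drop buckets that have been idle long enough to be full again.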
You have a point. It's something that's a bit worrying. We have the mail server running under Cloudflare and the account generator checks if the 16 digit Wii Number is algorithmically valid.
For now, I'm not in contact with the person who wrote the majority of the mail server and they have me blocked. I'm not sure what's the best way to ratelimit this or check that the connection's coming from a Wii.
Sadly the Wii number check wouldn't be very effective against spam (nor would the Wii request check), since valid Wii numbers can be generated easily by bruteforce and the Wii request check, if it were to be implemented, could be bypassed assuming it does simple user-agent/http checks (since that's the only thing we really have).
Yeah, there's a program I wrote to encode and decode a Wii Number, I'd be worried if someone generated Wii Numbers with that.
I honestly was expecting Cloudflare to prevent DDoS through that endpoint, but I'm not sure that it would do anything. I could probably set a page rule to try to prevent people from abusing the system, however when there's a will there's a way.