element-hq/chatterbox

Public registration token

Closed this issue · 3 comments

I have just installed chatterbox on my server. I find it very interesting. But what I ask myself all the time: if my registration token is visible, how do I prevent someone from writing a bot that registers millions of users on my server?

Hiya, so it's somewhat explained in #77, but to clarify:

  • You should set your registration token user count to something reasonable to prevent having an avalanche of users overnight. These tokens can be refreshed just by doing another request, so you can always increase it later.
  • You should ensure that the rate limiting for registrations on your homeserver is reasonably high. Synapse allows you to do this, and realistically you can probably prevent the millions of bots just by setting this to something sensible.
  • For anything more complicated like botnet attacks, you'll need something stronger that can detect and prevent nuisance registrations. I'm asking if we have anything like that.

In the future, we'd like to support #12 recaptcha to prevent spam.
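As an added illustration of the mitigations listed in the reply above (this is not configuration shipped by chatterbox or Synapse, and not part of the original thread), here is a `homeserver.yaml` fragment. The setting names are Synapse's own; the numeric limits and the placeholder keys are assumptions to be adjusted for your server:

```yaml
# Added example: a Synapse homeserver.yaml fragment, not chatterbox's or
# Synapse's own shipped config. Numeric values are assumptions.

# Registration stays open, but only for clients presenting a valid token.
enable_registration: true
registration_requires_token: true

# Throttle registration attempts per client IP. Synapse uses a token bucket:
# `per_second` is the refill rate, `burst_count` the bucket size. The values
# here are stricter than Synapse's defaults of 0.17 / 3.
rc_registration:
  per_second: 0.05
  burst_count: 2

# Separate limit on how often a client may check whether a token is valid,
# so a leaked token cannot be probed without limit either.
rc_registration_token_validity:
  per_second: 0.1
  burst_count: 5

# Optional CAPTCHA in front of registration (the reply mentions this as a
# future chatterbox feature; Synapse already supports it). Keys are placeholders.
enable_registration_captcha: true
recaptcha_public_key: "<your-recaptcha-site-key>"
recaptcha_private_key: "<your-recaptcha-secret-key>"
```

The per-token user cap itself is not a `homeserver.yaml` setting: it is the `uses_allowed` field given when the token is created through the Synapse admin API (`POST /_synapse/admin/v1/registration_tokens/new`), and it can be raised later with a `PUT` to `/_synapse/admin/v1/registration_tokens/<token>`, which is the "refresh by doing another request" the reply refers to. The IP-based rate limit and the per-token cap complement each other: the cap bounds the total damage from one leaked token, while the rate limit slows down whoever holds it.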

I think this can be considered answered for now.