Rate limit proofing by SSN (LG-4942)#5307
Conversation
| throttle = Throttle.for( | ||
| target: Digest::SHA256.hexdigest(pii_from_doc[:ssn]), | ||
| throttle_type: :proof_ssn, | ||
| ) | ||
|
|
||
| if throttle.throttled_else_increment? |
There was a problem hiding this comment.
Another option would be to override idv_throttle_params from the base class:
identity-idp/app/services/idv/steps/doc_auth_base_step.rb
Lines 10 to 15 in 04ab9f6
My thinking is, that rate limiting helps to limit individual users doing IDV too much, so by making this a separate check, we still want to have both throttles
| throttle_type: :proof_ssn, | ||
| step_name: self.class, | ||
| ) | ||
| redirect_to idv_session_errors_failure_url |
There was a problem hiding this comment.
This is one of the screens where we use the JavaScript spinner submission, yeah? I think it might handle these redirects gracefully, but worth double-checking, since normally it's dealing with happy-path redirects:
There was a problem hiding this comment.
Confirmed it worked as expected! The error message is a little funky, but that may be OK for now
How important do you think it is to have a feature test that runs through this with JS enabled?
There was a problem hiding this comment.
How important do you think it is to have a feature test that runs through this with JS enabled?
Could be nice, but not a blocker. Do we at least have one for the happy path?
There was a problem hiding this comment.
| throttle_type: :proof_ssn, | ||
| step_name: self.class, | ||
| ) | ||
| redirect_to idv_session_errors_failure_url |
There was a problem hiding this comment.
How important do you think it is to have a feature test that runs through this with JS enabled?
Could be nice, but not a blocker. Do we at least have one for the happy path?
4 participants
This is a kantara requirement, rate limit proofing by SSN (across users), builds on #5302 to not require a user ID