Comments (4)
I found a better and more obvious solution for the workaround. Before calling the registration method in the Bottle/app, I do a find_one for the username in the pending_registrations collection. If it returns None, I then call the registration method. This step should be included in the registration method itself.
Given the low likelihood of the occurrence of this situation it may be preferable to simply try the update of the pending_registrations collection and then handle the duplicate key error if it occurs.
from bottle-cork.
Thanks for the feedback @equalogix
Unfortunately handling registrations has some tricky tradeoffs, as the registration method can be exposed to spam robots & co that can try to register large numbers of common names.
If you block duplicate registrations legitimate users can be prevented from registering by bots. Also, users might lose the first email or want to switch to a different email address before validating the registration.
Either the registration or the registration-validation has to work as "first come, first served" to get a login. The latter seems safer as it requires a working email address.
Federico, thank you for the quick reply.
I see your perspective, and all your points are valid. In terms of spam bots, I think there are more effective ways of dealing with the problem. The issue is that these measures are still required since with the current design a spam bot could still overload your db with pending registrations. One feature you may want to consider adding is a TTL (time to live) index on the pending_registrations, such that records will be deleted after say 24 hours.
I think you are absolutely right when you say there are many trade-offs. In a Utopian world, the package would be agnostic in terms of these trade-offs and it would be up to the app designer to structure the app in a way that is optimal for its specific needs. But we do not live in a Utopian world.
Nick
_purge_expired_registrations does what you are asking for - the default time value is 96 hours - but it's not being run automatically (and maybe it should?).
"the package would be agnostic in terms of these trade-offs and it would be up to the app designer to structure the app in a way that is optimal for its specific needs"
That's what you've done with find_one on pending_registrations - maybe it's a matter of documenting these use-cases. (contributions are welcome :) )
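The two mechanisms the thread turns on, reserving a username in pending_registrations (the find_one-then-register workaround in the first comment) and expiring abandoned registrations (the TTL index Nick suggests and the _purge_expired_registrations sweep Federico mentions), as an added example written for this page; it is not bottle-cork code and does not use Cork's own backend classes. It assumes the collection holds documents with username, email_addr, pending_registration and creation_date fields (hypothetical names; check the backend you run) and that creation_date is stored as a real datetime. InMemoryCollection is a constructed stand-in for the handful of pymongo Collection methods the example calls, so that it runs without a MongoDB server; against a real deployment you would pass db.pending_registrations instead.

```python
"""Race-free username reservation and expiry for a pending_registrations
collection. Added example; not part of bottle-cork."""
from datetime import datetime, timedelta, timezone

try:
    from pymongo.errors import DuplicateKeyError
except ImportError:  # pymongo not installed: define the same error for the offline demo
    class DuplicateKeyError(Exception):
        pass


def ensure_indexes(pending, ttl_seconds=24 * 3600):
    """Unique index: two inserts for one username cannot both succeed, however
    they interleave. TTL index: MongoDB deletes documents once creation_date is
    older than ttl_seconds (only works if creation_date is a BSON date)."""
    pending.create_index("username", unique=True)
    pending.create_index("creation_date", expireAfterSeconds=ttl_seconds)


def reserve_registration(pending, username, email_addr, code, now=None):
    """Atomic replacement for find_one-then-register. A prior find_one is a
    check-then-act race: two concurrent requests can both see None. Here the
    unique index decides, and the loser gets DuplicateKeyError.
    Returns True when the username was reserved, False when it was taken."""
    doc = {
        "username": username,            # hypothetical field names
        "email_addr": email_addr,
        "pending_registration": code,
        "creation_date": now or datetime.now(timezone.utc),
    }
    try:
        pending.insert_one(doc)
    except DuplicateKeyError:
        return False
    return True


def purge_expired(pending, max_age_hours=96, now=None):
    """Client-side sweep equivalent to a TTL purge, for when the TTL index is
    not available or creation_date was not stored as a date. Returns the
    number of documents removed."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(hours=max_age_hours)
    return pending.delete_many({"creation_date": {"$lt": cutoff}}).deleted_count


class _DeleteResult:
    def __init__(self, deleted_count):
        self.deleted_count = deleted_count


class InMemoryCollection:
    """Constructed stand-in for the subset of pymongo's Collection used above.
    It exists only so the example runs offline; it is not a Mongo client."""

    def __init__(self):
        self.docs = []
        self.unique_keys = set()

    def create_index(self, key, unique=False, expireAfterSeconds=None):
        if unique:
            self.unique_keys.add(key)  # TTL expiry is not emulated here

    def insert_one(self, doc):
        for key in self.unique_keys:
            if any(d.get(key) == doc.get(key) for d in self.docs):
                raise DuplicateKeyError("E11000 duplicate key error: %s" % key)
        self.docs.append(dict(doc))

    def find_one(self, query):
        for d in self.docs:
            if all(d.get(k) == v for k, v in query.items()):
                return d
        return None

    def delete_many(self, query):
        # Supports only the {field: {"$lt": value}} shape used by purge_expired.
        (field, cond), = query.items()
        before = len(self.docs)
        self.docs = [d for d in self.docs if d[field] >= cond["$lt"]]
        return _DeleteResult(before - len(self.docs))


def demo():
    """Walk through both mechanisms; returns (first, second, purged)."""
    pending = InMemoryCollection()
    ensure_indexes(pending)
    now = datetime.now(timezone.utc)
    first = reserve_registration(pending, "alice", "alice@example.com", "code-1",
                                 now=now - timedelta(hours=100))  # stale entry
    second = reserve_registration(pending, "alice", "mallory@example.com", "code-2")
    reserve_registration(pending, "bob", "bob@example.com", "code-3")
    purged = purge_expired(pending, now=now)  # sweeps alice, keeps bob
    return first, second, purged


if __name__ == "__main__":
    print(demo())  # (True, False, 1)
```

Two practical notes. A TTL index only fires on fields holding BSON dates; if the backend writes creation_date as a string, MongoDB builds the index without complaint and never expires anything, which is why the client-side purge is kept alongside it. And reserving on insert rather than after a find_one means the "first come, first served" decision is made by the database, not by whichever request happened to read first.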
Related Issues (20)
- Doco links to dead-ish downloads page on Github
- Best way to add more user fields to user profile? HOT 1
- Registration email fails if TEMPLATE_PATH is not /views/ HOT 2
- Login timeout too short HOT 1
- make doc error HOT 1
- Subclassing User HOT 2
- Security issue? problematic defaults for hashlib.pbkdf2_hmac HOT 1
- http://cork.firelet.net/ is down HOT 1
- Missing logging for auditing HOT 5
- pip update? HOT 1
- Documentation website is down HOT 1
- mongo backend doesn't work with mongdb 3.4
- Email Not Sent - Auth Error HOT 6
- TypeError @ _setup_cookie when signing/logging in HOT 1
- Docs not accessible
- Question ? Cork without beaker
- There's an error when installing
- Sqlite code leads to SQL injection vulnerability
- Failed to install: dependency issue with pycrypto