Enforce rate limit per IP on /users/:username/exists

What does this MR do and why?

This MR enforces a rate limit per IP address on the /users/:username/exists internal API endpoint, used by the registration to perform a client-side validation of the uniqueness of the chosen username. This is to mitigate attempts to misuse the endpoint, for example to mass-discover usernames in use. It refers to #29040 (closed).

Rollout issue for the feature flag: #348974 (closed)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Magdalena Frankiewicz
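
A sketch of per-IP throttling on a username-existence check, added here as an example; it is not code from this merge request or from GitLab. The class and method names, the in-memory store and the threshold of 20 requests per 60 seconds are assumptions.

```ruby
# Added illustration; not GitLab's implementation. Class, method names and the
# 20-requests-per-60-seconds threshold are assumptions.
class PerIpRateLimiter
  def initialize(limit:, window:, clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @limit = limit
    @window = window
    @clock = clock
    @hits = Hash.new { |hash, ip| hash[ip] = [] } # per-process store, for the sketch only
    @mutex = Mutex.new
  end

  # Returns true when this request from `ip` exceeds the limit; otherwise
  # records the request and returns false.
  def throttled?(ip)
    now = @clock.call
    @mutex.synchronize do
      recent = @hits[ip]
      recent.reject! { |seen_at| seen_at <= now - @window } # sliding window
      next true if recent.size >= @limit

      recent << now
      false
    end
  end
end

KNOWN_USERNAMES = %w[alice bob].freeze # constructed sample data

# Hypothetical handler for GET /users/:username/exists, returning [status, body].
def username_exists(limiter, ip, username)
  return [429, { error: 'too many requests' }] if limiter.throttled?(ip)

  [200, { exists: KNOWN_USERNAMES.include?(username.downcase) }]
end

# One client sending `attempts` lookups in a burst: how many get an answer?
def answered_guesses(limiter, ip, attempts)
  (1..attempts).count { |i| username_exists(limiter, ip, "guess#{i}").first == 200 }
end

if __FILE__ == $PROGRAM_NAME
  limiter = PerIpRateLimiter.new(limit: 20, window: 60)
  puts answered_guesses(limiter, '203.0.113.7', 100) # documentation-range IP
  p username_exists(limiter, '198.51.100.9', 'alice') # a second IP is unaffected
end
```

The key passed to the limiter has to be the client address as resolved by the trusted proxy chain, since a limit keyed on a client-supplied header value can be sidestepped by changing that header.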