Handle expired links better to avoid false positives #562
Comments
Related: nextcloud/server#42614
Being looked into currently. @DaphneMuller
@fenn-cs please let me know in which release the fix will be available. We can then inform the customer. Thanks!
I’ve been able to somewhat reproduce this issue, where I encounter a 429 "Too Many Requests" response. However, I’m not entirely sure if this scenario mirrors the situation where tens or hundreds of users might be blocked, particularly when it’s a case of multiple users attempting to access the same URL repeatedly from within the same network. In my reproduction case, the 429 error occurs when a single user (apparently, as sometimes the IPs can be shared) repeatedly visits the URL within a short time frame. This suggests that the rate-limiting mechanism might be getting triggered even under normal usage conditions. It's important to note that this issue might not be directly related to sharing itself but rather a situation that is more likely to be observed frequently in sharing due to how often shared links are revisited. Given that shared links are more likely to be accessed multiple times, especially over time, should we consider making an exception or adjusting the rate-limiting rules specifically for these cases?
Please test with IPv6. In case of IPv6, a single address from a /64 segment running into the bruteforce protection blocks the whole /64 segment (in our case: every wifi user on campus).
Talking with @icewind1991 it seems the most pragmatic approach would be indeed to add a grace period for links that used to be valid and remove bruteforceprotection for those.
PR nextcloud/server#48225 seems like it might be helpful here.
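The two comments above describe a failure mode (failures are counted per /64 for IPv6, so one user revisiting an expired link throttles everyone on the same campus prefix) and a proposed mitigation (a grace period during which a formerly valid link does not count as a brute-force attempt). The following is an added illustration written for this thread, not Nextcloud's own code: it models a throttler keyed by /32 for IPv4 and /64 for IPv6, and a share-link lookup with and without the grace period. `ShareLinkService`, `MAX_ATTEMPTS`, `GRACE_PERIOD`, the status codes and the campus addresses are all assumptions made for the example.

```python
"""Toy model of per-subnet brute-force protection for share links.

Added illustration for this issue thread; not Nextcloud's code. The /32 (IPv4)
and /64 (IPv6) keying mirrors the comment about a whole /64 being blocked; the
grace period for formerly valid links mirrors the proposed fix. MAX_ATTEMPTS,
GRACE_PERIOD and ShareLinkService are hypothetical.
"""
from dataclasses import dataclass, field
import ipaddress

MAX_ATTEMPTS = 5            # hypothetical: failed lookups per subnet before 429
GRACE_PERIOD = 7 * 86400    # hypothetical: seconds an expired link stays "known"


def subnet_key(ip: str) -> str:
    """Key used for counting failures: /32 for IPv4, /64 for IPv6.

    This is why one misbehaving client affects a whole IPv6 segment: every
    address in 2001:db8:1::/64 maps to the same counter.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 32 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


@dataclass
class ShareLinkService:
    now: float
    shares: dict                                   # token -> expiry ts, None = no expiry
    attempts: dict = field(default_factory=dict)   # subnet key -> failed lookups

    def _penalise(self, ip: str) -> None:
        key = subnet_key(ip)
        self.attempts[key] = self.attempts.get(key, 0) + 1

    def access(self, token: str, ip: str, grace: bool) -> int:
        """Return an HTTP-style status for one visit to a share link."""
        if self.attempts.get(subnet_key(ip), 0) >= MAX_ATTEMPTS:
            return 429                      # the whole subnet is throttled
        if token not in self.shares:
            self._penalise(ip)              # guessing tokens is what we throttle
            return 404
        expiry = self.shares[token]
        if expiry is None or expiry > self.now:
            return 200
        # The link existed but has expired (the record is kept for GRACE_PERIOD).
        if grace and self.now - expiry <= GRACE_PERIOD:
            return 404                      # known-but-expired: no penalty
        self._penalise(ip)
        return 404


def simulate(grace: bool):
    """Constructed scenario: user A on a campus /64 keeps revisiting an expired
    link; then user B on the same /64 opens a valid link.

    Returns (statuses seen by A, status seen by B, failure count for the /64).
    """
    now = 1_700_000_000.0
    svc = ShareLinkService(now=now, shares={
        "expired-token": now - 3600,   # expired an hour ago
        "valid-token": None,
    })
    revisits = [svc.access("expired-token", "2001:db8:1::1", grace)
                for _ in range(MAX_ATTEMPTS + 1)]
    other_user = svc.access("valid-token", "2001:db8:1::42", grace)
    return revisits, other_user, svc.attempts.get(subnet_key("2001:db8:1::42"), 0)


if __name__ == "__main__":
    for grace in (False, True):
        revisits, other, count = simulate(grace)
        print(f"grace={grace}: user A saw {revisits}, user B got {other}, "
              f"failures counted for the /64: {count}")
```

Without the grace period the sixth revisit by user A, and every request from user B on the same /64, comes back 429, which is the campus-wide lockout the thread describes. With the grace period the expired link still returns 404 but never increments the subnet counter, so user B's valid link keeps working. Note that the model does not change the keying itself; a real fix could also consider finer IPv6 granularity, but that is outside what the comments propose.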
Originally posted by @DanScharon in #4 (comment)