On Thu, 20 Sep 2018 at 14:35, Ryan Kelly <rfke...@mozilla.com> wrote:
> Hi All,
>
> Over in github we've been discussing our options of rate-limiting pairing
> channel creation attempts:
>
> https://github.com/mozilla-services/channelserver/issues/21
>
> One obvious approach would be to use the existing fxa-customs-server, and
> just add some new action types like "createPairingChannel" and
> "connetToPairingChannel" that the channelserver can send over for
> checking. However, the fxa-customs-server is currently run as a private
> "sidecar" service for fxa-auth-server, exposed only over a localhost
> interface.
>
> Does it make sense for us to try to extract fxa-customs-server into its
> own standalone service that can be accessed by multiple consumers? Or is
> that likely to be more work than just adding rate-limiting code directly
> into the channelserver?

Another option would be to try running a third-party ratelimiting daemon that can be shared among different services, such as:

https://github.com/lyft/ratelimit
https://github.com/limitd/limitd

Which may be less work than adding custom rate-limiting code in channelserver.

+ulfr for possible opinions from opsec team.

Cheers,

Ryan