
I'm currently working on a proof of concept system which involves a backend API which is used by multiple possible client applications, including mobile clients and an isomorphic React client.

I've largely taken care of authentication and authorization, the only remaining problem (that I can see at least) is the route to register users - POST /users/, as it is public with no authorization required. My main concern is protecting that route from malicious spamming beyond implementing CORS and rate limiting.

E.g. curl -X POST -H 'Content-Type: application/json' -d '{"email": "hello@gmail.com", "password": "nahnah"}' http://host.com/api/v1/users

What would my options be here?

One solution I've come up with is force the SPA to submit the sign up form to an express route within the server that serves the SPA (it requires SSR) to make the API call on the server, meaning the browser's network tab will have no record of the API call. This would mean I'd also have to implement a CSRF token in the SPA.

Also, is this just generally a bad idea?

redroot
  • Don't use another middleman backend server. Your SPA should be static content and connect to an API server. Also possible duplicate: https://stackoverflow.com/questions/8946700/how-to-protect-the-public-part-of-a-rest-service-from-spam – xDreamCoding Nov 16 '17 at 16:08
  • To clarify, the SPA is built in React but requires serverless rendering for SEO so there happens to be an express server involved. Thanks for the duplicate, saw that earlier but I'm wondering about web clients rather than mobile clients. – redroot Nov 16 '17 at 19:10

1 Answer


I would recommend including a captcha in your registration.

The spamming problem you describe actually consists of 2 parts:

  1. Someone could endlessly spam your endpoint, draining resources of legitimate users. This can be avoided using rate limiting, Denial of Service detection methods, or hiding behind a CDN.
  2. Someone could register a large number of invalid users in your application. A captcha will stop any requests that arrive at your API from actually getting registered.
DieterDP