Page MenuHomePhabricator
Create Task
Maniphest T345813

Implement rate limits for submitting data to ReportIncident API
Closed, ResolvedPublic
Actions

Assigned To
kostajh
Authored By
kostajh
Sep 7 2023, 10:43 AM
Tags
Referenced Files
F39999389: image.png
Oct 25 2023, 3:41 AM
F39999322: image.png
Oct 25 2023, 3:41 AM
F39999342: image.png
Oct 25 2023, 3:41 AM
F39778842: image.png
Oct 25 2023, 3:41 AM
F39778825: image.png
Oct 25 2023, 3:41 AM
F39778738: image.png
Oct 25 2023, 3:41 AM
F39778192: image.png
Oct 25 2023, 3:41 AM
F39778029: image.png
Oct 25 2023, 3:41 AM
View All 9 Files
Subscribers
Aklapper
Djackson-ctr
Dreamy_Jazz
JSengupta-WMF
kostajh
Madalina
Tchanders

Description

In T337635: Create API endpoint for receiving report data we are defining an API endpoint for receiving data that a logged-in user submits via a form.

We will want to provide some rate limits for this API endpoint, to reduce a malicious user's capability for abuse.

We can set separate rate limits for non-autoconfirmed users (new user accounts) and longer standing user accounts.

One proposal:

  • limit submissions to 1 per 24 hour period for non-autoconfirmed users
  • limit submissions to 5 per 24 hour period for autoconfirmed users

After we decide on the rate limits, we'll clarify the design and implementation of a user-facing message if they trip the rate limit in T338804: [S] Inform the user about the success or failure of submitting a report

Details

SubjectRepoBranchLines +/-
api: Implement rate limits for endpointmediawiki/extensions/ReportIncidentmaster+94 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

kostajh created this task.Sep 7 2023, 10:43 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 7 2023, 10:43 AM
kostajh mentioned this in T337635: Create API endpoint for receiving report data.Sep 7 2023, 1:43 PM
kostajh claimed this task.Sep 19 2023, 7:18 PM
kostajh moved this task from 🎬 Ready to 💻 In Progress on the Trust and Safety Tools Team Backlog (Kanban) board.
kostajh updated the task description. (Show Details)Sep 19 2023, 7:43 PM
kostajh updated the task description. (Show Details)
gerritbot added a comment.Sep 19 2023, 7:46 PM

Change 959046 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/extensions/ReportIncident@master] api: Implement rate limits for endpoint

https://gerrit.wikimedia.org/r/959046

gerritbot added a project: Patch-For-Review.Sep 19 2023, 7:46 PM
kostajh moved this task from 💻 In Progress to 🔍 Review/Feedback on the Trust and Safety Tools Team Backlog (Kanban) board.Sep 19 2023, 7:47 PM
Tchanders subscribed.Oct 16 2023, 12:38 PM

One proposal:

limit submissions to 1 per 24 hour period for non-autoconfirmed users
limit submissions to 5 per 24 hour period for autoconfirmed users

Should we have a wider conversation about this elsewhere (so without blocking this task) and maybe consult some product/community people?

I see that a new account might be less trustworthy, but wondering if they might also be more vulnerable...

gerritbot added a comment.Oct 17 2023, 1:21 PM

Change 959046 merged by jenkins-bot:

[mediawiki/extensions/ReportIncident@master] api: Implement rate limits for endpoint

https://gerrit.wikimedia.org/r/959046

Dreamy_Jazz mentioned this in rEREI3da30e859ef6: api: Implement rate limits for endpoint.Oct 17 2023, 1:22 PM
Maintenance_bot removed a project: Patch-For-Review.Oct 17 2023, 1:30 PM
ReleaseTaggerBot added a project: MW-1.42-notes (1.42.0-wmf.2; 2023-10-24).Oct 17 2023, 2:00 PM
kostajh added a comment.Oct 18 2023, 12:15 PM
In T345813#9253539, @Tchanders wrote:

One proposal:

limit submissions to 1 per 24 hour period for non-autoconfirmed users
limit submissions to 5 per 24 hour period for autoconfirmed users

Should we have a wider conversation about this elsewhere (so without blocking this task) and maybe consult some product/community people?

I see that a new account might be less trustworthy, but wondering if they might also be more vulnerable...

Ack. I will leave that for @Madalina and @JSengupta-WMF to think about. The rate limits are basically an earlier version of what we are doing in T348322: Set up anti abuse measures, the idea being to make it a little harder for people with bad intentions to spam the people processing this form.

JSengupta-WMF added a comment.Oct 18 2023, 3:29 PM

For MTP we can agree on a fixed number but for future versions, I feel we should revisit the one size fits all model. As @Tchanders mentioned, "I see that a new account might be less trustworthy, but wondering if they might also be more vulnerable..." this needs more thought.

Dreamy_Jazz moved this task from 🔍 Review/Feedback to 🐛 QA on the Trust and Safety Tools Team Backlog (Kanban) board.Oct 23 2023, 10:45 PM
Dreamy_Jazz subscribed.

Suggested QA steps:

  1. Install ReportIncident extension
  2. Create a new account (or use an account that does not have the autoconfirmed group and has not been used to submit an incident report within the last day)
  3. Go to a user talk page
  4. Open the DevTools 'Network' tab
  5. Click on Report in the Tools menu
  6. Navigate to step 2 and fill out the form with valid data
  7. Submit the form
  8. Verification step 1: Verify that the API request has either a status code of 200 or 204.
  9. Perform steps 5 to 7 again
  10. Verification step 2: Verify that the API request fails with the status code of 429.

Showing an error message to the user when they hit the rate limit will come in T338804.

PatchDemoBot added a comment.Oct 23 2023, 11:17 PM

Test wiki created on Patch demo by DJacksonA using patch(es) linked to this task:
https://patchdemo.wmflabs.org/wikis/a5932c8782/w

Djackson-ctr subscribed.Oct 25 2023, 3:41 AM

I have verified the code implementation will limit submissions of 1 per 24 hour period for non-autoconfirmed users, and have also verified the limit submissions of 5 per 24 hour period for autoconfirmed users.
Great work as always @Dreamy_Jazz, and thank you for the QA Steps!!!!

Below is a screenshot with a (non-autoconfirmed) user's form data from page 2 of the Report Incident:

image.png (849×1 px, 93 KB)

Below is a screenshot with a status of 204 (non-autoconfirmed user):

image.png (931×1 px, 133 KB)

Below is a screenshot with a status of 429 on more than 1 submission of Report Incident for (non-autoconfirmed user):

image.png (938×1 px, 109 KB)

Below is a screenshot with an (autoconfirmed) user's form data from page 2 of the Report Incident:

image.png (397×965 px, 188 KB)

Below is a screenshot with a status of 204 (autoconfirmed user):

image.png (808×1 px, 346 KB)

Below is a screenshot with a status of 429 on more than 5 submissions of Report Incident for (autoconfirmed):

image.png (807×1 px, 357 KB)

Below is a screenshot with an (autoconfirmed from Patch Demo) user's form data from page 2 of the Report Incident:

image.png (445×1 px, 70 KB)

Below is a screenshot with a status of 204 (autoconfirmed user from Patch Demo):

image.png (967×1 px, 185 KB)

Below is a screenshot with a status of 429 on more than 5 submissions of Report Incident for (autoconfirmed user from Patch Demo):

image.png (971×1 px, 155 KB)

Djackson-ctr moved this task from 🐛 QA to 🤘 Done on the Trust and Safety Tools Team Backlog (Kanban) board.Oct 25 2023, 3:44 AM
Dreamy_Jazz closed this task as Resolved.Oct 25 2023, 1:02 PM
Dreamy_Jazz mentioned this in T348322: Set up anti abuse measures.Oct 27 2023, 3:41 PM
PatchDemoBot added a comment.Tue, Apr 23, 3:51 PM

Test wiki on Patch demo by DJacksonA using patch(es) linked to this task was deleted:

https://patchdemo.wmflabs.org/wikis/a5932c8782/w/

Restricted Application added a project: Trust and Safety Product Team. · View Herald TranscriptTue, Apr 23, 3:51 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL