To stop sign-up requests from offending domains propagating down to the auth service, we need to update the axios interceptor to reject any request whose email domain is on the denylist before it is sent.
Please refer to Investigations/Investigation: Create-user exploit
To do
- Create an IaC variable domain_denylist holding the offending domains (refer to the existing malicious_ips_denylist variable as an example).
- Pass this variable to the dashboard service and use it in the axios interceptor to reject requests whose email domain is on the list.
QA / Acceptance criteria
- On dev, set domain_denylist to ["abc.com"]. Using the dashboard, sign up with the email something@abc.com. The request should be denied. Check the /ecs/auth_pr_wme log; you should not see a /create-user API call corresponding to your request.
- As a negative control, sign up with an email on a domain that is not on the list and confirm that the corresponding /create-user call does appear in the same log, so the interceptor is only blocking what it should.