
Implement more restrictive rate limit for temporary account creation
Closed, Resolved · Public

Description

For now, we should set a limit of 6 temp account creations per IP per day, matching what is defined for wgAccountCreationThrottle. We would add an entry to wgRateLimits as part of this work, or create a separate throttle for temp accounts (wgTempAccountCreationThrottle).

Once we've resolved T342880: Decide what the rate limit should be for temporary account creations, we can implement a more nuanced rate limit.

Event Timeline

Alright, I missed something obvious, because I had assumed $wgAccountCreationThrottle had a default value, but it doesn't.

Once I set $wgAccountCreationThrottle to e.g. 6 accounts per 86400 seconds (a day), matching the production value, then I can see that TempUserCreator correctly follows the rate limit defined there.

So, in this task, I think we should do two things:

  1. Decouple temp account creation from $wgAccountCreationThrottle

If we introduce $wgTempAccountCreationThrottle and use that in TempAccountCreator, we can:

  • allow wikis to maintain different rate limits for regular account creation and for temp account creation
  • we won't share the same limits for these two different pathways of editing/account creation.

  2. The message shown when you trip the rate limit for account creation in a temporary user creation process is acct_creation_throttle_hit, which on Wikimedia wikis becomes wikimedia-acct_creation_throttle_hit with a value of:

Visitors to this wiki using your IP address have created {{PLURAL:$1|1 account|$1 accounts}} in the last day, which is the maximum allowed in this time period.
As a result, visitors using this IP address cannot create any more accounts at the moment.
If you are at an event where contributing to Wikimedia projects is the focus, please see [[m:Mass account creation#Requesting_temporary_lift_of_IP_cap|Requesting temporary lift of IP cap]] to help resolve this issue.

I think we want a message that is more tailored to temporary account creations, thinking about how these are created in the editing process. One thing we probably want to suggest is that the user visit Special:CreateAccount in order to proceed with their edit (T357802: Design & Copy: Prompt user to create a regular account after temp account creation rate limit trip). cc @KColeman-WMF and @Madalina to think about what that might be
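
An added illustration of the decoupling discussed in the comment above; it is not MediaWiki code and not part of the original thread. It is a simplified sliding-window model: the `Throttle` class, the `simulate`, `coupled` and `decoupled` functions and the sample IP are hypothetical, and only the limit of 6 creations per 86400 seconds comes from the task.

```python
from collections import defaultdict

DAY = 86400  # seconds, the window used in the task


class Throttle:
    """Per-IP limit: at most `count` creations per `seconds` (simplified model)."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.hits = defaultdict(list)  # ip -> timestamps of allowed creations

    def allow(self, ip, now):
        # Keep only creations that still fall inside the window.
        recent = [t for t in self.hits[ip] if now - t < self.seconds]
        self.hits[ip] = recent
        if len(recent) >= self.count:
            return False
        recent.append(now)
        return True

    def reset(self, ip):
        # Models an operator clearing the counter for one IP.
        self.hits.pop(ip, None)


def simulate(named_throttle, temp_throttle, events):
    """events: (timestamp, ip, kind) tuples, kind is 'temp' or 'named'."""
    results = []
    for ts, ip, kind in events:
        throttle = temp_throttle if kind == "temp" else named_throttle
        results.append(throttle.allow(ip, ts))
    return results


# Constructed sample: six logged-out edits from one shared IP (each creates
# a temp account), then one sign-up from the same IP.
IP = "192.0.2.10"
EVENTS = [(i * 60, IP, "temp") for i in range(6)] + [(600, IP, "named")]


def coupled():
    # One throttle serves both pathways, so temp accounts use up the budget.
    shared = Throttle(6, DAY)
    return simulate(shared, shared, EVENTS)


def decoupled():
    # Separate throttles: the sign-up is unaffected by temp account creation.
    return simulate(Throttle(6, DAY), Throttle(6, DAY), EVENTS)
```

With a shared counter the final sign-up is refused; with separate counters it succeeds while the temp account pathway still stops at six.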

Change 1008111 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/core@master] TempUserCreator: Use separate rate limit for temp account creations

https://gerrit.wikimedia.org/r/1008111

Change 1008112 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[operations/mediawiki-config@master] throttle: Allow for overriding temp account creation limits

https://gerrit.wikimedia.org/r/1008112

Change 1008111 merged by jenkins-bot:

[mediawiki/core@master] TempUserCreator: Use separate rate limit for temp account creations

https://gerrit.wikimedia.org/r/1008111

@kostajh Should this task still be in review? I see one open patch.

The maintenance script patch (https://gerrit.wikimedia.org/r/c/1008112) in operations/mediawiki-config is a no-op at this point, so I think this could be in QA.

I set $wgAccountCreationThrottle and $wgTempAccountCreationThrottle to different values on my local wiki. I see that two different throttles are applied when creating a temporary user (i.e. editing while logged out) and when creating a named user via Special:CreateAccount.

I also tested that I could reset the throttle for temporary accounts for a specific IP using the resetAuthenticationThrottle.php script.

Reading the code, we seem to rely on existing functionality to do the throttling, so I don't think I need to do anything additional like stress testing.

I notice that even after setting $wgGroupPermissions['*']['noratelimit'] = true; an anonymous user is still throttled from creating temporary accounts. But, they are not throttled from creating named accounts. I don't know if this matters.

Test environment: local docker MediaWiki 1.42.0-alpha (41642c6) 07:06, 12 March 2024.

Change 1008112 merged by jenkins-bot:

[operations/mediawiki-config@master] throttle: Allow for overriding temp account creation limits

https://gerrit.wikimedia.org/r/1008112

Mentioned in SAL (#wikimedia-operations) [2024-03-18T08:47:04Z] <kharlan@deploy2002> Started scap: Backport for [[gerrit:1008112|throttle: Allow for overriding temp account creation limits (T357777)]], [[gerrit:1011662|throttle: Add throttle rule for editathon (T360145)]]

Mentioned in SAL (#wikimedia-operations) [2024-03-18T09:16:09Z] <kharlan@deploy2002> ammarpad and kharlan: Backport for [[gerrit:1008112|throttle: Allow for overriding temp account creation limits (T357777)]], [[gerrit:1011662|throttle: Add throttle rule for editathon (T360145)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Mentioned in SAL (#wikimedia-operations) [2024-03-18T09:29:27Z] <kharlan@deploy2002> Finished scap: Backport for [[gerrit:1008112|throttle: Allow for overriding temp account creation limits (T357777)]], [[gerrit:1011662|throttle: Add throttle rule for editathon (T360145)]] (duration: 42m 23s)

Change #1023737 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/core@master] DevelopmentSettings: Disable rate limiting for temp accounts

https://gerrit.wikimedia.org/r/1023737

Change #1023737 merged by jenkins-bot:

[mediawiki/core@master] DevelopmentSettings: Disable rate limiting for temp accounts

https://gerrit.wikimedia.org/r/1023737