@orchid Hey, I just registered to let you know about a potential issue with your API. It could be exploited by people looking to cause trouble with just a few lines of code. Consider fixing this to prevent misuse.

He who desires but acts not breeds pestilence

(Don't worry I deleted all the damage that I did and I'm sorry for doing it but I wanted to see if it could cause a lot of damage)

He knows his shit, worth hearing him out on this to make sure this place can be future proofed.

i just deployed a new change requiring a user to have a least 1 post before creating a thread.

we've had some issues with bots in the past few months, so hopefully that change should mitigate some of that, but I'll keep this in mind and look for other solutions thanks for bringing this up!

I'm sorry, but the '1 post to create a thread' rule is not good at all. There are more methods to prevent this, one of which is simply removing the API /register. In my opinion, it shouldn't have existed in the first place.

I'd highly advise an approval queue if you can implement one for new users, my site uses Xenforo which makes it easy so I can understand if that would be harder to put in but I highly respect you are doing all this on your own end. Just having that filter where you can see who comes in would help so much and help against potential raids massively as in the site's current state it would be so susceptible to malicious actions if it pops up on the wrong person's radar, bad actors have come across my site and it's really helped shoo them away quickly.

ok man i hear you but consider this: i am one person working a full time job and this is a hobby project

what would you suggest to mitigate that? a paywall? email verification? something else?

Right, but all XenForo websites look the same if you look closely, and it's more expensive. While it does offer better protection, this comes at a higher price. However, it all depends from owner to owner.

this actually exists and is easy to flip back on but it's off for now because i didn't feel like having people wait on me to approve their account before they can post

I'm not trying to be mean, but yes, email verification would be a massive step. If you want a quick fix, just remove the /register API.

Sorry if we may be coming off the wrong way, my mate just saw these issues and wants to help in case someone negative does occur that could cause issues for the site into the future.

Yeah exactly and that's why I said I respect admin in taking the barebones approach in making this place and not taking the more expensive Xenforo route. Awesome so far with the work.

Yeah fair I do get that, especially when the forum is still relatively small and unknown, I only have it turned on permanently due to where I advertise and what kind of people it can attract now and then. You do you ultimately.

yeah it's a fair point and email verification has slowly been growing to be more and more of a priority as time has went on.

it's looking like that's gonna be the next thing I work on. We already have mechanisms for sending out emails and performing some action based on a short-lived token (the forgot/update password flow). it's really just about finding the time and energy to actually work on it.

but either way I appreciate the concern!

email verification (for new users) coming tonight.

i hope you're happy @V. I could have had a perfectly good night last night playing doom eternal

Why do I have to be the one that's happy? You should be happy because now the raids won't be so bad anymore.