No, if you disable Anonymous Users, they can't be used in any way
@ideclon So, I'm concerned that in the future anyone can find out my project id and start creating thousands of users, and I have nothing to stop it.
What do you think, do I have a chance to handle this case and do something to prevent possible attacks in the future? Cheers.
Why is creating an anonymous user inherently an attack?
I believe it allows putting a lot of documents in the database, which leads to unexpected DB load and increases payments for storage, I guess
So don't allow anonymous users to create Documents
Database storage doesn't matter for now
Measured, I mean 😅
That's a good point. I can allow creating documents only in functions, which gives me freedom for additional security checks. But creating anonymous users also triggers document creation, so technically anyone can create a lot of users just by getting my project id.
Also, what about realtime? Keeping a lot of sockets online can be a problem as well.
Don't give anonymous users permission to create documents - as I said near the top of this thread - restrict create to users with a verified email address.
I think there's not too much to do for this case, but you can basically have a function to check that it's not spam or something and perform your own checks there if needed,
instead of directly writing to the DB.
Function usage is metered, but they have rate limits per IP address if I'm not wrong
@D5 @ideclon thank you guys, I guess I've figured out the way for handling my case.
So, I believe I do allow anonymous authorization; however, an anonymous user doesn't have permissions to create documents or use realtime. Then, when anonymous authorization is finished, the user invokes a function, passing parameters (like checksums, hashes, etc.) to prove that the user is working on the official client the server can trust. As soon as the function has checked all parameters, the server grants the user permission to create documents and listen to realtime.
What do you think, is this approach good enough?
How are you going to make sure a user is using an "official" client?
If you're using Flutter, maybe you can work with Google Play Integrity checks and/or Apple's in the function as you want. Sincerely, unless it's a big app, I think most users will not even be interested in sending spam there 😅
Or if you will have programmers as users
I believe I can pass parameters to the function such as date, IP and checksum (a hash; only the backend and client know how to generate that hash). Then the function gets the parameters from the request, generates the hash on its side and compares it with the hash that has been provided in the request.
I believe that it will reduce the number of possible attacks because disassembling desktop/mobile apps is cumbersome, and 99% of hackers will give up just on this step.
Fair enough 🙂 However, I have some experience with users who used our private API to scam us, so I believe it's better to figure out all possible issues and prevent them at the beginning 🙂
Understood 💯
Thanks guys for your time, I guess my issue is solved. Happy new year.
Can I mark this as solved then?
@lkirill
@D5 Sure thing. Cheers
Perfect! Happy new year! And if you still have issues with this, don't hesitate to reopen this or create another post!
[SOLVED] Anonymous account creating security issue