The UI implements captcha for new user registrations, but it is browser side only. It is recommended to have the UI captcha generate a token which can then be verified by the Master Controller before allowing the user create to happen. This, along with the rate limiter, will help prevent bots from spamming new user creates.
This is only valid for user create requests from a web browser going through our UI interface. For mcctl and direct API calls, we can just drop support for the current unauthenticated user create, but also add a restricted-user-create which requires admin authentication. The restricted user create will be used for unit, e2e, and regression testing.
The UI implements captcha for new user registrations, but it is browser side only. It is recommended to have the UI captcha generate a token which can then be verified by the Master Controller before allowing the user create to happen. This, along with the rate limiter, will help prevent bots from spamming new user creates.
This is only valid for user create requests from a web browser going through our UI interface. For mcctl and direct API calls, we can just drop support for the current unauthenticated user create, but also add a restricted-user-create which requires admin authentication. The restricted user create will be used for unit, e2e, and regression testing.