Limit registration attempts to one per 8 hours.

Woke up this morning to a lot of spam on our registration form. While this is not a big deal for the website (we don't allow login until manually reviewed), it kinds of defeats the purpose of the self-registration by giving us extra work for review instead of streamlining the process. I also noticed that a lot of the spam was trying to find SQL injection issues, which should not happen, but could.

This commit adds a first layer of defense against these registration attempts by limiting the rate at which we allow registrations to once every 8 hours. Probably something smarter would be good, maybe involving captcha or email validation, but this is a good first step.

The last registration attempt is stored in the cache, since this does not require very accurate timing; it is not a big deal if we allow one extra registration when restarting the container. This gives us expiration of keys for free, and avoids cluttering backups.

championship/tests/test_registration.py

@@ -13,8 +13,9 @@
 # limitations under the License.
 
 from django.contrib.auth.models import User
-from django.test import TestCase
+from django.test import TestCase, override_settings
 from django.urls import reverse
+from rest_framework.status import HTTP_429_TOO_MANY_REQUESTS
 
 from championship.models import Address, EventOrganizer
 
@@ -89,3 +90,18 @@ class OrganizerRegistrationTestCase(TestCase):
             "An account with this name already exists. We will contact you shortly.",
         )
         self.assertFalse(User.objects.filter(email=self.data["email"]).exists())
+
+    @override_settings(
+        CACHES={"default": {"BACKEND": "django.core.cache.backends.locmem.LocMemCache"}}
+    )
+    def test_rate_limit_submission(self):
+        """Test that registrations are capped per IP.
+
+        Note that the rate limit implementation uses the cache to store its
+        state, so we need to override a functioning cache for this test.."""
+        # First, normal response
+        self.client.post(reverse("register"), data=self.data)
+
+        # Second response will be rate limited
+        response = self.client.post(reverse("register"), data=self.data)
+        self.assertEqual(HTTP_429_TOO_MANY_REQUESTS, response.status_code)