
feat(api): always require captcha for signup

Peter Thomassen 6 years ago
parent
commit
8a13f630af
3 changed files with 10 additions and 6 deletions
  1. 3 3
      api/api/settings.py
  2. 6 0
      api/api/settings_quick_test.py
  3. 1 3
      api/desecapi/tests/test_registration.py

+ 3 - 3
api/api/settings.py

@@ -172,9 +172,9 @@ NORECAPTCHA_WIDGET_TEMPLATE = 'captcha-widget.html'
 
 # abuse protection
 MINIMUM_TTL_DEFAULT = int(os.environ['DESECSTACK_MINIMUM_TTL_DEFAULT'])
-ABUSE_BY_REMOTE_IP_LIMIT = 1
-ABUSE_BY_REMOTE_IP_PERIOD_HRS = 48
-ABUSE_BY_EMAIL_HOSTNAME_LIMIT = 1
+ABUSE_BY_REMOTE_IP_LIMIT = 0
+ABUSE_BY_REMOTE_IP_PERIOD_HRS = 7*24
+ABUSE_BY_EMAIL_HOSTNAME_LIMIT = 0
 ABUSE_BY_EMAIL_HOSTNAME_PERIOD_HRS = 24
 LIMIT_USER_DOMAIN_COUNT_DEFAULT = 5
 
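Review bot: The two `= 0` limits carry the whole "always require captcha" policy, but nothing at these lines says so; a reader sees an abuse threshold, not a switch. I would add a comment above them such as `# limit 0: every signup counts as over the limit and stays locked until the captcha is solved`. The code that compares against these limits is not part of this diff, so it is worth confirming that it treats 0 as "lock everyone" and not as "unlimited". With a limit of 0 the two `*_PERIOD_HRS` values presumably no longer affect the outcome, so the change to `7*24` deserves a word in the same comment.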

+ 6 - 0
api/api/settings_quick_test.py

@@ -13,6 +13,12 @@ DATABASES = {
 
 }
 
+# abuse protection
+ABUSE_BY_REMOTE_IP_LIMIT = 1
+ABUSE_BY_REMOTE_IP_PERIOD_HRS = 48
+ABUSE_BY_EMAIL_HOSTNAME_LIMIT = 1
+ABUSE_BY_EMAIL_HOSTNAME_PERIOD_HRS = 24
+
 # avoid computationally expensive password hashing for tests
 PASSWORD_HASHERS = [
     'django.contrib.auth.hashers.MD5PasswordHasher',
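Review bot: Pinning the limits to 1 here means the test suite runs against values that production no longer uses, so the new default (limit 0, captcha on every signup) is not exercised by any test visible in this commit. A regression in how a limit of 0 is compared would therefore pass CI. I would keep this block for the threshold tests and add one case decorated with `@override_settings(ABUSE_BY_REMOTE_IP_LIMIT=0, ABUSE_BY_EMAIL_HOSTNAME_LIMIT=0)` that asserts a first registration is locked. A comment such as `# production uses 0 (always captcha); 1 keeps the threshold tests meaningful` would explain why the two settings files diverge.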

+ 1 - 3
api/desecapi/tests/test_registration.py

@@ -38,10 +38,9 @@ class SingleRegistrationTestCase(RegistrationTestCase):
 
     def test_registration_successful(self):
         self.assertEqual(self.user.registration_remote_ip, "1.3.3.7")
-        self.assertIsNone(self.user.locked)
 
     def test_token_email(self):
-        self.assertEqual(len(mail.outbox), 1)
+        self.assertEqual(len(mail.outbox), 1 if not self.user.locked else 2)
         self.assertTrue(self.user.get_or_create_first_token() in mail.outbox[-1].body)
 
     def test_send_captcha_email_manually(self):
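Review bot: In `test_token_email` the expected count `1 if not self.user.locked else 2` is derived from the very state the test should be checking, so the assertion passes whether or not the user was locked. The `assertIsNone(self.user.locked)` removed from `test_registration_successful` is also not replaced by any assertion on the lock state, so a signup that skips the captcha lock would fail neither test. I would assert the lock state explicitly for the settings in force, for example `self.assertEqual(self.user.locked is not None, settings.ABUSE_BY_REMOTE_IP_LIMIT == 0)` (assuming the limit is compared the way the later `i < settings.ABUSE_BY_EMAIL_HOSTNAME_LIMIT` check suggests), and then assert a fixed mail count for each case. The test class continues past the end of this hunk.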
@@ -132,7 +131,6 @@ class MultipleRegistrationSameEmailHostShortTime(MultipleRegistrationTestCase):
         ]
 
     def test_is_locked(self):
-        self.assertIsNone(self.users[0].locked)
         for i in range(self.NUM_REGISTRATIONS):
             if i < settings.ABUSE_BY_EMAIL_HOSTNAME_LIMIT:
                 self.assertIsNone(self.users[i].locked)