
[Bug] Rate limiting on judge login page #232

Open
MichaelZhao21 opened this issue Dec 24, 2024 · 0 comments
Labels: A: Backend (A task that concerns backend development), bug (Something isn't working), high priority (Issue that should be handled first)

@MichaelZhao21 (Contributor)

What Happened?

Well... someone tried to hack jury DURING hackutd smh by just brute-force iterating through codes, which unfortunately does work.

Steps to Reproduce

  1. Well, I'm not telling you how to do it smh

but given that there are 1,000,000 possible codes and no limit on the login endpoint, it's not difficult to figure out...

What device(s) are you seeing this issue on?

No response

What browser are you seeing this issue on?

No response

Possible Solutions

So there are a lot of complex solutions, but the simplest way to solve the problem is to implement the following steps:

  • Increase the number of digits in the code from 6 to 8 (simply have 2 sets of 4 numbers). This is still easy enough for someone to type in manually, but now there are a total of 10^8 codes.
  • Add rate limiting to the login page. The default will be set to 500 per minute, which should be more than enough for any event (you shouldn't have more than 200 judges, so even if they all fail to log in once, it should be fine). Add an option to change this limit too, just in case.
  • Add an option to completely disable judge logins.
  • Disable the fixed code length (can click "login" with any length of code). Although a malicious actor can just look at the code and figure this out, disabling the code length makes it harder!

The rate limit and increased digits should honestly be enough to deter anyone performing this attack. Ideally, events should have judges log in before sending out expo pages to all users, allowing them to simply disable the login if they wanted (though they may still want to keep it open for late judges).

One last note: all events should use the QR code judge account creation system instead of going through emails (this isn't for security but rather just simplicity and consistency on judge account logins).

Additional Info

No response
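The proposal above combines three controls: a larger code space, a shared and configurable attempt limit on the login endpoint, and a switch to disable judge login entirely. The following is an added illustration of those controls and is not code from the jury project; it assumes a Go backend using only the standard `net/http` package, and the route `/judge/login` and the handler names are hypothetical. The limiter is a single sliding-window counter across all login attempts (as the issue describes a global 500/min default rather than a per-client limit), and `MinutesToExhaust` shows why the two measures reinforce each other: at 500 attempts per minute, trying every 6-digit code takes about 2,000 minutes, while every 8-digit code takes about 200,000 minutes.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"log"
	"math/big"
	"net/http"
	"sync"
	"time"
)

// LoginLimiter is a sliding-window counter shared by all judge login attempts.
// This is an assumed design for illustration, not the project's own code.
type LoginLimiter struct {
	mu       sync.Mutex
	limit    int              // attempts allowed per window (configurable)
	window   time.Duration    // e.g. one minute
	attempts []time.Time      // timestamps of attempts still inside the window
	now      func() time.Time // injectable clock so the behaviour is testable
	disabled bool             // the "completely disable judge logins" switch
}

func NewLoginLimiter(limit int, window time.Duration) *LoginLimiter {
	return &LoginLimiter{limit: limit, window: window, now: time.Now}
}

// SetLimit changes the per-window limit at runtime (the "option to change this limit").
func (l *LoginLimiter) SetLimit(n int) { l.mu.Lock(); l.limit = n; l.mu.Unlock() }

// SetDisabled turns judge login off or back on entirely.
func (l *LoginLimiter) SetDisabled(d bool) { l.mu.Lock(); l.disabled = d; l.mu.Unlock() }

func (l *LoginLimiter) Disabled() bool { l.mu.Lock(); defer l.mu.Unlock(); return l.disabled }

// Allow records one attempt and reports whether it is within the limit.
// Rejected attempts are not recorded, so a flood cannot extend its own lockout.
func (l *LoginLimiter) Allow() bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	t := l.now()
	cutoff := t.Add(-l.window)
	keep := l.attempts[:0] // compact in place, dropping aged-out attempts
	for _, a := range l.attempts {
		if a.After(cutoff) {
			keep = append(keep, a)
		}
	}
	l.attempts = keep
	if len(l.attempts) >= l.limit {
		return false
	}
	l.attempts = append(l.attempts, t)
	return true
}

// Wrap applies the disable switch and the rate limit in front of a login handler.
func (l *LoginLimiter) Wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if l.Disabled() {
			http.Error(w, "judge login is currently disabled", http.StatusForbidden)
			return
		}
		if !l.Allow() {
			w.Header().Set("Retry-After", "60")
			http.Error(w, "too many login attempts, try again shortly", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewJudgeCode draws an 8-digit code from crypto/rand and formats it as two
// groups of four ("1234-5678"), giving 10^8 possible codes.
func NewJudgeCode() (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(100_000_000))
	if err != nil {
		return "", err
	}
	s := fmt.Sprintf("%08d", n.Int64())
	return s[:4] + "-" + s[4:], nil
}

// MinutesToExhaust is the time an attacker held to perMinute attempts needs to
// try every code in a space of codeSpace codes.
func MinutesToExhaust(codeSpace, perMinute int) float64 {
	return float64(codeSpace) / float64(perMinute)
}

func main() {
	limiter := NewLoginLimiter(500, time.Minute) // the issue's proposed default
	mux := http.NewServeMux()
	// Hypothetical route; the real code lookup would replace the stub handler.
	mux.Handle("/judge/login", limiter.Wrap(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusUnauthorized)
	})))
	fmt.Printf("6 digits at 500/min: %.0f min to exhaust; 8 digits: %.0f min\n",
		MinutesToExhaust(1_000_000, 500), MinutesToExhaust(100_000_000, 500))
	log.Fatal(http.ListenAndServe(":8080", mux))
}
```

The limiter is deliberately global rather than keyed by client address: the post sizes the limit against the number of judges at an event, and a per-IP limit is trivially spread across addresses. The cost is that a sustained flood can lock out legitimate judges for the remainder of the window, which is why the disable switch and the "log judges in before publishing expo pages" practice matter alongside it.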

@MichaelZhao21 MichaelZhao21 added bug Something isn't working high priority Issue that should be handled first A: Backend A task that concerns backend development labels Dec 24, 2024
@MichaelZhao21 MichaelZhao21 self-assigned this Dec 24, 2024