[Update: User error] Flood control is somehow being bypassed by the same IP

[joehmphack]

I have 'YOURLS_FLOOD_DELAY_SECONDS' set to 30 seconds and when I test it myself, it correctly detects flooding and prevents creation. However, I'm seeing in the admin interface a single IP has created entries that are much less than 30 seconds apart. I know the IP can be spoofed to bypass flood control, but that's not the case because the same IP is being stored for the links that are created a few seconds apart.

How could this be? Is there some API/backend/bypass method I've unknowingly left accessible that does not check for flooding?

[dgw]

Authenticated users are not throttled in private mode:

YOURLS/includes/functions.php

Lines 640 to 644 in 395dabe

	// Don't throttle logged in users
	if( yourls_is_private() ) {
	if( yourls_is_valid_user() === true )
	return true;
	}

[joehmphack]

Thanks, but I did know that. I'm the only authenticated user. All other users, including the one flooding, are not authenticated.

[dgw]

You didn't specify, and the default configuration is that YOURLS only allows authenticated users to shorten new links.

There's really nothing in this thread for me to investigate, as you've also not given the version of YOURLS you use nor the active plugins. YOURLS' flooding protection logic has several hooks throughout for plugins to modify or override the core behavior, and that's the most likely source here.

Please tell us which plugins you are using, or search your own plugin files for any of the filter/hook names used in the IP flood logic:

• shunt_check_IP_flood
• pre_check_ip_flood
• check_ip_flood

You might also find useful information in your HTTP server logs, in case the client in question is passing some unusual parameter to YOURLS.

[joehmphack]

I'm an idiot. This whole time I misread the minutes in the timestamp as seconds. The entries that I thought were a few seconds apart are actually a few minutes apart. I'm sorry for wasting your time.

[dgw]

I read your original comment via email notifications, and that was a good rundown of your setup and what else you've tried. It's a great place to start if there's a next time you need to ask for help.

But the important thing is that the question's answered now. Glad to hear it!