Closed
Bug 1448854
Opened 7 years ago
Closed 7 years ago
SMS limit reached waiting time is incorrect
Categories
(Cloud Services :: Server: Firefox Accounts, defect)
Cloud Services
Server: Firefox Accounts
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: ohorvath, Unassigned)
Details
Platform:
Win 10
Build
Beta 60.0b5
FxA & Sync server
STAGING
STR:
1. Create a new account.
2. Upon email confirmation, make sure that the send SMS link page is opened.
3. Send the sms 5 times, until the sms limit is reached and a failure message is displayed.
4. Wait for the indicated amount of time (30 minutes).
5. Try to re-send the sms.
*6. Log out and login in with a different existing account.
Expected results:
After the waiting time displayed has expired, you should be able to re-send the sms.
Actual results:
- After the initial 30 minutes (as indicated in the message displayed), the waiting message appears again. This can indicate a 30 min or 1-hour waiting time until the next try. I got both.
*While waiting, logging out and trying to login with a different existing account will display the same message. Logging in is unsuccessful: https://www.screencast.com/t/OYgCHLWu
Reporter | ||
Comment 1•7 years ago
|
||
Need to add: after the second waiting time expires, the sms works again.
Updated•7 years ago
|
Component: QA: General → Server: Firefox Accounts
Comment 2•7 years ago
|
||
> *While waiting, logging out and trying to login with a different existing account will display the same message.
> Logging in is unsuccessful
This may be an unfortunate consequence of the way our rate-limiting works - if you send to many SMS from a single IP, then that IP address gets banned for a short time, and the ban then prevents you from doing *any* rate-limited actions rather than just the action you were repeating. This could explain why login attempts fail during the ban period.
Comment 3•7 years ago
|
||
I tried to repro this, but the error message I got said "You've tried too many times. Try again in an hour." At step 4 above where you say:
> 4. Wait for the indicated amount of time (30 minutes).
Did the page tell you to wait for 30 minutes? I'm surprised to get a different wait-time than you, so this may be a bug.
Also, did you attempt to send any additional SMS during the wait time? Sending additional SMS (or trying other rate-limited actions like logging in) can increase the duration of the wait time.
Flags: needinfo?(oana.horvath)
Reporter | ||
Comment 4•7 years ago
|
||
Yes, the first error message said "30 minutes". After another try, it increased to 1 hour.
Flags: needinfo?(oana.horvath)
Comment 5•7 years ago
|
||
OK, interesting, thanks.
After a bit of a deep dive into this, there are two independent rules that rate-limit SMS sending:
1) You can make up to `maxSms` send attempts within `ipRateLimitIntervalMs` from a single IP address (but to any phone number). If you exceed this, you're blocked for `ipRateLimitBanDurationMs`.
2) You can make up to `maxSms` send attempts within `smsRateLimitIntervalMs` to a single phone number (but from any IP address). If you exceed this, you're blocked for `smsRateLimitIntervalMs`.
The production values for these config items are:
* maxSms = 5
* ipRateLimitIntervalMs = 10 minutes
* ipRateLimitBanDurationMs = 30 minutes
* smsRateLimitIntervalMs = 1 hour
So I think what's happened here may be, that you did 5 sms sends from the same IP address within 10 minutes, but they were to several different phone numbers. This triggered rate-limit (1) but not rate-limit (2), blocking you for 15 minutes. Your next attempt to send an sms was blocked, but still counted as an attempt, and put you up to 5 send attempts to the same phone number, triggering rate-limit (2) and bloking you for an hour.
Does this sound plausible?
If so, I think everything is working "correctly" here, in the sense that the code is doing what we intended it to do. But it may be worth tweaking the configs to reduce potential for user confusion, e.g. by making `smsRateLimitIntervalMs` be a half-hour rather than an hour. Phil, do you recall if there's any particular reason for it to be an hour?
Flags: needinfo?(pbooth)
Comment 6•7 years ago
|
||
> Does this sound plausible?
ni? Oana to check plausibility of this explanation, recalling that you may be on a shared IP if you're in e.g. a shared office.
Flags: needinfo?(oana.horvath)
Comment 7•7 years ago
|
||
> Phil, do you recall if there's any particular reason for it to be an hour?
Nope, as far as I recall that number was pulled out of thin air with no thought given to how it would interact with the other limits in practice. Changing it sounds sensible to me.
Flags: needinfo?(pbooth)
Comment 8•7 years ago
|
||
> Changing it sounds sensible to me.
Thanks; PR here:
https://github.com/mozilla/fxa-customs-server/pull/235
Comment 9•7 years ago
|
||
I'm going to resolve this on the assumption that Comment 5 correctly explains the observed behavior, but please re-open if it sounds like it was off base.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(oana.horvath)
Resolution: --- → FIXED
Reporter | ||
Comment 10•7 years ago
|
||
Hello, sorry for the delayed response. I checked today on the staging server and you are right: the 30 minutes message appears if you send the SMS from the same IP to 2 different phone nrs. The problem was that it kept showing 30 minutes from then on, and I didn't realize the cause. Otherwhise I got the 1 hour waiting time. Will this fix be in the next FxA train 110?
Comment 11•7 years ago
|
||
> Will this fix be in the next FxA train 110?
Yes, it should be.
You need to log in
before you can comment on or make changes to this bug.
Description
•