Closed Bug 1448854 Opened 7 years ago Closed 7 years ago

SMS limit reached waiting time is incorrect

Categories

(Cloud Services :: Server: Firefox Accounts, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ohorvath, Unassigned)

Details

Platform: Win 10 Build Beta 60.0b5 FxA & Sync server STAGING STR: 1. Create a new account. 2. Upon email confirmation, make sure that the send SMS link page is opened. 3. Send the sms 5 times, until the sms limit is reached and a failure message is displayed. 4. Wait for the indicated amount of time (30 minutes). 5. Try to re-send the sms. *6. Log out and login in with a different existing account. Expected results: After the waiting time displayed has expired, you should be able to re-send the sms. Actual results: - After the initial 30 minutes (as indicated in the message displayed), the waiting message appears again. This can indicate a 30 min or 1-hour waiting time until the next try. I got both. *While waiting, logging out and trying to login with a different existing account will display the same message. Logging in is unsuccessful: https://www.screencast.com/t/OYgCHLWu
Need to add: after the second waiting time expires, the sms works again.
Component: QA: General → Server: Firefox Accounts
> *While waiting, logging out and trying to login with a different existing account will display the same message. > Logging in is unsuccessful This may be an unfortunate consequence of the way our rate-limiting works - if you send to many SMS from a single IP, then that IP address gets banned for a short time, and the ban then prevents you from doing *any* rate-limited actions rather than just the action you were repeating. This could explain why login attempts fail during the ban period.
I tried to repro this, but the error message I got said "You've tried too many times. Try again in an hour." At step 4 above where you say: > 4. Wait for the indicated amount of time (30 minutes). Did the page tell you to wait for 30 minutes? I'm surprised to get a different wait-time than you, so this may be a bug. Also, did you attempt to send any additional SMS during the wait time? Sending additional SMS (or trying other rate-limited actions like logging in) can increase the duration of the wait time.
Flags: needinfo?(oana.horvath)
Yes, the first error message said "30 minutes". After another try, it increased to 1 hour.
Flags: needinfo?(oana.horvath)
OK, interesting, thanks. After a bit of a deep dive into this, there are two independent rules that rate-limit SMS sending: 1) You can make up to `maxSms` send attempts within `ipRateLimitIntervalMs` from a single IP address (but to any phone number). If you exceed this, you're blocked for `ipRateLimitBanDurationMs`. 2) You can make up to `maxSms` send attempts within `smsRateLimitIntervalMs` to a single phone number (but from any IP address). If you exceed this, you're blocked for `smsRateLimitIntervalMs`. The production values for these config items are: * maxSms = 5 * ipRateLimitIntervalMs = 10 minutes * ipRateLimitBanDurationMs = 30 minutes * smsRateLimitIntervalMs = 1 hour So I think what's happened here may be, that you did 5 sms sends from the same IP address within 10 minutes, but they were to several different phone numbers. This triggered rate-limit (1) but not rate-limit (2), blocking you for 15 minutes. Your next attempt to send an sms was blocked, but still counted as an attempt, and put you up to 5 send attempts to the same phone number, triggering rate-limit (2) and bloking you for an hour. Does this sound plausible? If so, I think everything is working "correctly" here, in the sense that the code is doing what we intended it to do. But it may be worth tweaking the configs to reduce potential for user confusion, e.g. by making `smsRateLimitIntervalMs` be a half-hour rather than an hour. Phil, do you recall if there's any particular reason for it to be an hour?
Flags: needinfo?(pbooth)
> Does this sound plausible? ni? Oana to check plausibility of this explanation, recalling that you may be on a shared IP if you're in e.g. a shared office.
Flags: needinfo?(oana.horvath)
> Phil, do you recall if there's any particular reason for it to be an hour? Nope, as far as I recall that number was pulled out of thin air with no thought given to how it would interact with the other limits in practice. Changing it sounds sensible to me.
Flags: needinfo?(pbooth)
> Changing it sounds sensible to me. Thanks; PR here: https://github.com/mozilla/fxa-customs-server/pull/235
I'm going to resolve this on the assumption that Comment 5 correctly explains the observed behavior, but please re-open if it sounds like it was off base.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(oana.horvath)
Resolution: --- → FIXED
Hello, sorry for the delayed response. I checked today on the staging server and you are right: the 30 minutes message appears if you send the SMS from the same IP to 2 different phone nrs. The problem was that it kept showing 30 minutes from then on, and I didn't realize the cause. Otherwhise I got the 1 hour waiting time. Will this fix be in the next FxA train 110?
> Will this fix be in the next FxA train 110? Yes, it should be.
You need to log in before you can comment on or make changes to this bug.