https://blog00.jjj123.com/tags/login/Recent content in Login on WeTalk BlogHugoen-USThu, 10 Apr 2025 03:43:00 +0000https://blog00.jjj123.com/post/2025/04/20250409_234432/Thu, 10 Apr 2025 03:43:00 +0000https://blog00.jjj123.com/post/2025/04/20250409_234432/<h3 id="piece-2-signup-systemlogin-3">Piece 2: Signup System(Login 3)</h3> <p><a href="https://github.com/PrivLocking/signup_daemon">Link : github source code</a></p> <h4 id="components">Components</h4> <ul> <li><strong>HAProxy</strong>: Acts as the reverse proxy, listening on &ldquo;/signup&rdquo; and forwarding requests to the .c2 backend.</li> <li><strong>.c2 Backend</strong>: A separate C-based backend (distinct from the .c login backend) handling signup logic.</li> <li><strong>Redis</strong>: Stores signup tracking (select 5) and user data (select 0).</li> </ul> <h4 id="target">Target</h4> <ul> <li>Allow users to self-sign up for an account with privacy as the highest priority, assigning them level 0 and a 30-day TTL, while preventing bot abuse and ensuring unique usernames.</li> </ul> <h4 id="requirements-your-inputs">Requirements (Your Inputs)</h4> <ol> <li><strong>Endpoint</strong>: HAProxy listens on &ldquo;/signup&rdquo;, accessible to anyone for self-signup.</li> <li><strong>Backend</strong>: Requests are redirected to .c2 (you labeled it .c2 to distinguish it from the login .c backend).</li> <li><strong>IP Limiting</strong>: Track <code>user/ip</code> in Redis &ldquo;select 5&rdquo; with a TTL of 3600s. If an IP has successfully signed up within 3600s, redirect to an HTML page saying &ldquo;Your IP has already registered. Multi-register is not allowed.&rdquo;</li> <li><strong>Username Rules</strong>: Allow signup if the username: <ul> <li>Starts with a-zA-Z.</li> <li>Contains only a-zA-Z0-9.</li> <li>Is more than 8 characters.</li> <li>Doesn’t already exist.</li> <li>Return a generic &ldquo;signup failed&rdquo; error for any failure (no specific reasons like &ldquo;username exists&rdquo;).</li> </ul> </li> <li><strong>New User Settings</strong>: Set TTL to 30 days and level to 0 (no extra privileges).</li> <li><strong>Storage</strong>: Save new users to &ldquo;select 0&rdquo; (you confirmed this as the user database).</li> <li><strong>Privacy</strong>: No email or phone verification—users re-sign up if they lose passwords.</li> <li><strong>Atomicity</strong>: Lock username insertion to prevent simultaneous duplicates (you agreed it’s unlikely but worth doing).</li> <li><strong>IP Blocking Logic</strong>: 1 signup per IP in 3600s isn’t strict—users should wait if they need another account.</li> <li><strong>CAPTCHA</strong>: No Google CAPTCHA; add a self-hosted CAPTCHA replacement for bot protection (you requested this for signup, login, and admin).</li> <li><strong>TTL Expiry</strong>: If a new user’s TTL (30 days) expires, delete the account completely, allowing username reuse.</li> <li><strong>Username as Key</strong>: Use <code>username</code> as the key in Redis (e.g., for GET/SET or HGET/HSET).</li> </ol> <h4 id="conceptual-solutions-my-suggestions-integrated-with-your-decisions">Conceptual Solutions (My Suggestions Integrated with Your Decisions)</h4> <ol> <li> <p><strong>Flow</strong>:</p>