Stage 8: document the friend-code brute-force mitigation (ARCHITECTURE §12)
@@ -423,6 +423,15 @@ This is an explicit, accepted MVP risk: compromise of the gateway↔backend
network segment defeats backend authentication. Mitigated by network isolation;
mutual auth is a future hardening step.
**Short numeric codes** (email confirm-codes and Stage 8 friend codes) are stored
only as SHA-256 hashes and are short-lived and single-use. The unauthenticated
email path carries a tight per-IP sub-limit (5 / 10 min); the **friend-code redeem**
is authenticated, so it rides the per-user limit (120 / min) and is further bounded
by the code's 12 h TTL, single use, and **one live code per issuer** (which caps the
valid-code population). Brute-forcing a 6-digit friend code within these limits is an
accepted MVP risk with low blast radius (an unwanted friendship is removable/blockable);
a dedicated redeem sub-limit or a longer code is the hardening step if abuse appears.
## 13. Deployment (informational)
Single public origin, path-routed: the UI, the gateway public surface and the
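Review bot: The "accepted MVP risk" paragraph should quantify the guess budget it is accepting, because the numbers already in the hunk make it computable: at the per-user limit of 120 / min over the 12 h TTL, one authenticated account can submit about 86,400 redeem attempts against a 6-digit (10^6) space before a code expires, roughly an 8.6 % chance of hitting a single live code, and that budget scales linearly with the number of accounts an abuser controls, so the real bound is the account-creation limit, which this section should cross-reference. Two smaller documentation points in the same paragraph: "stored only as SHA-256 hashes" reads as a confidentiality control, but an unsalted SHA-256 of a 6-digit value is recoverable offline in well under a second if the table leaks, so either state that the hash is keyed/salted or state plainly that the TTL and single-use properties, not the hash, are what protect a leaked code; and "the hardening step if abuse appears" presumes abuse is observable, so name the signal (e.g. failed-redeem count per user or per IP) and where it is alerted on, otherwise the fallback is not actionable.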