Sign up

Bots sometimes try to sign up to Peels using leaked email addresses. New users must confirm their email address, so they can’t go on to pollute the site. But it is still something to counter-act for these reasons:

• These email addresses are usually legitimate. Real people get seemingly-random emails from Peels (which they’ve never heard of). They often mark these emails as spam. That hurts our email sender reputation and therefore the deliverability of our emails to everyone.
• Fake accounts throw off our numbers. We like to know how many people are signing up, what proportion of people make listings, and so on.

Here’s how we counteract these bots in order of severity:

1. New users must confirm their email addresses before they can log in. Handled via Supabase Auth.

2. There is a rate limit on sign-up (and sign-in) requests per IP address. Set to 12 per (rough) five minute window. Default value is 30. Handled via Supabase Auth.

3. We could use the before_account_created hook to inspect and reject requests. We could block specific IP addresses, enforce stricter rate limits by time, or a combination of those. This is not currently set up.

4. We have Cloudflare Turnstile set up on the sign up form. More info:

   Cloudflare Turnstile Implementation