Limited account creation
Admin stories
As a administrator with limited disk space, I want to prevent malicious users from registering many accounts to bypass the storage quotas because I can continue to provide a public service for honest users.
background:
(D)DoS attackers can register many users and upload large files
As attackers can bypass the (client-side)
scryptkey derivation, it is cheap to register usersCaptchas could be an option, however, it is questionable how effective they are. Furthermore they are bad for UI and accessibility. Captchas are discussed for Mastodon
Another idea is to allow only invited participants to register. See PR #1395 – Instance invitations and user directory
Alternatively, we can enable admin onboarding