FEATURE: Reduce invite key length (#12692)

We used to generate invite keys that were 32-characters long which were not very friendly and lead to very long links. This commit changes the generation method to use almost all alphanumeric characters to produce a 10-character long invite key. This commit also introduces a rate limit for redeeming invites because the probability of guessing an invite key has increased.
2025-03-21 22:16:41 +08:00 · 2021-04-14 19:22:16 +03:00 · 2021-04-14 19:22:16 +03:00 · 8c24a848e0
commit 8c24a848e0
parent 21d1ee1065
2 changed files with 6 additions and 1 deletions
--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@ -17,6 +17,8 @@ class InvitesController < ApplicationController
  def show
    expires_now

+    RateLimiter.new(nil, "invites-show-#{request.remote_ip}", 100, 1.minute).performed!
+
    invite = Invite.find_by(invite_key: params[:id])
    if invite.present? && invite.redeemable?
      email = Email.obfuscate(invite.email)
@ -63,6 +65,9 @@ class InvitesController < ApplicationController

      render layout: 'no_ember'
    end
+  rescue RateLimiter::LimitExceeded => e
+    flash.now[:error] = e.description
+    render layout: 'no_ember'
  end

  def create
--- a/app/models/invite.rb
+++ b/app/models/invite.rb
@ -35,7 +35,7 @@ class Invite < ActiveRecord::Base
  validate :user_doesnt_already_exist

  before_create do
-    self.invite_key ||= SecureRandom.hex
+    self.invite_key ||= SecureRandom.base58(10)
    self.expires_at ||= SiteSetting.invite_expiry_days.days.from_now
  end