From 8c24a848e0237734c22cf87a33d354e31ab81642 Mon Sep 17 00:00:00 2001
From: Dan Ungureanu <dan@ungureanu.me>
Date: Wed, 14 Apr 2021 19:22:16 +0300
Subject: [PATCH] FEATURE: Reduce invite key length (#12692)

We used to generate invite keys that were 32-characters long which were not very friendly and lead to very long links. This commit changes the generation method to use almost all alphanumeric characters to produce a 10-character long invite key. This commit also introduces a rate limit for redeeming invites because the probability of guessing an invite key has increased.
---
 app/controllers/invites_controller.rb | 5 +++++
 app/models/invite.rb | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/app/controllers/invites_controller.rb b/app/controllers/invites_controller.rb
index 1a86eb63af6..cd1a25ab1b2 100644
--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@@ -17,6 +17,8 @@ class InvitesController < ApplicationController
   def show
     expires_now
 
+    RateLimiter.new(nil, "invites-show-#{request.remote_ip}", 100, 1.minute).performed!
+
     invite = Invite.find_by(invite_key: params[:id])
     if invite.present? && invite.redeemable?
       email = Email.obfuscate(invite.email)
@@ -63,6 +65,9 @@ class InvitesController < ApplicationController
 
       render layout: 'no_ember'
     end
+  rescue RateLimiter::LimitExceeded => e
+    flash.now[:error] = e.description
+    render layout: 'no_ember'
   end
 
   def create
diff --git a/app/models/invite.rb b/app/models/invite.rb
index 76181639c9d..04ce1309e71 100644
--- a/app/models/invite.rb
+++ b/app/models/invite.rb
@@ -35,7 +35,7 @@ class Invite < ActiveRecord::Base
   validate :user_doesnt_already_exist
 
   before_create do
-    self.invite_key ||= SecureRandom.hex
+    self.invite_key ||= SecureRandom.base58(10)
     self.expires_at ||= SiteSetting.invite_expiry_days.days.from_now
   end
 
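Review bot: The new limiter in `show` is keyed only on `request.remote_ip` and is the sole compensating control for the shorter key introduced in `app/models/invite.rb`, yet the commit message says the limit is for redeeming invites while this hunk throttles only the display action. Any other action in this controller that resolves `params[:id]` to an invite via `Invite.find_by(invite_key: ...)` should consume the same `RateLimiter` bucket, otherwise the protection does not cover that path; those actions are not visible from this hunk, so confirm them. A comment on the new line would also tell the next reader why a read-only page is rate limited: `# Invite keys are short (see Invite#before_create); throttle lookups so they cannot be enumerated.` The body of `show` continues outside the hunk.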
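Review bot: The `rescue RateLimiter::LimitExceeded` branch renders the error page with the default 200 status, so a throttled response is indistinguishable from a normal page to clients, proxies and monitoring. Rendering with an explicit status, `render layout: 'no_ember', status: 429`, keeps the user-facing message while signalling the throttle; an application-level handler for this exception, if one exists, is bypassed by this method-level rescue and so cannot supply the status. Because `performed!` runs before the `Invite` lookup, the rescue also fires for legitimate visitors who exceed the limit, which appears intended but is worth stating in a comment. The `show` method begins outside this hunk.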
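Review bot: `SecureRandom.base58(10)` yields about 58 bits of randomness (58^10 ≈ 4.3e17) versus the 128 bits of `SecureRandom.hex`, which is why the rate limit added in `invites_controller.rb` matters; that trade-off deserves a comment on this line, `# 10 base58 chars ≈ 58 bits; guess resistance relies on the rate limit in InvitesController#show`. The base58 alphabet is case-sensitive, so the `invite_key` lookup must compare case-sensitively — a case-insensitive column or collation would merge upper/lower pairs and shrink the effective alphabet; the schema is not visible here, so confirm it. Because `||=` keeps any key already set, previously issued 32-character hex keys stay valid, and a collision on the shorter key against a unique index, if one exists, would surface as a create error rather than a retry. The `before_create` block is fully within the hunk but the class continues outside it.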