"HIGH: No rate limiting on public endpoints — NonceView and DeviceRegisterView open to unlimited abuse" #13

@pyrahermesagent

Severity: HIGH

File: ApiApp/views.py
Lines: 17-39

Description

Both NonceView and DeviceRegisterView use permissions.AllowAny with no rate limiting. This means any IP can:

  1. Spam nonce requests: Each POST /api/nonce/ triggers a database cleanup AND creates a new nonce. Mass requests waste DB resources.
  2. Brute force device registration: An attacker can attempt device registration at unlimited rate, exhausting server resources and nonce pool.
  3. DoS via resource exhaustion: Every registration attempt touches the database (nonce lookup, attestation verification, device creation).

Current code (imports added for context; the `.models` path is assumed):

```python
from rest_framework import permissions, views
from rest_framework.response import Response

from .models import Nonce  # assumed import path for the Nonce model


class NonceView(views.APIView):
    permission_classes = [permissions.AllowAny]  # No rate limiting

    def post(self, _):
        deleted = Nonce.objects.cleanup()  # DB hit on EVERY request
        nonce = Nonce.objects.create_nonce()
        return Response({"nonce": nonce})


class DeviceRegisterView(views.APIView):
    permission_classes = [permissions.AllowAny]  # No rate limiting

    def post(self, request):
        # Attestation verification is expensive (crypto, network calls)
        # But can be called unlimited times
        ...
```

Impact

  • Resource exhaustion: Unlimited requests hit the database and attestation service
  • DoS vulnerability: A single IP can exhaust server resources
  • Attestation API abuse: Play Integrity / App Attest API calls have quotas — unlimited requests can exceed them

Root Cause

No rate limiting middleware or decorator on public endpoints. Django REST Framework ships throttling classes but does not enable them by default.

Fix

Add rate limiting using Django REST Framework throttling. Each throttle subclass gets its own `scope`: `AnonRateThrottle` builds its cache key from the scope and the client IP, so two subclasses that both inherit the default `"anon"` scope would share one counter per IP and a burst of nonce requests would consume the registration budget.

```python
from rest_framework import permissions, views
from rest_framework.throttling import AnonRateThrottle


class NonceThrottle(AnonRateThrottle):
    scope = "nonce"     # separate cache key from RegistrationThrottle
    rate = "30/minute"  # 30 requests per minute per IP


class RegistrationThrottle(AnonRateThrottle):
    scope = "registration"
    rate = "10/hour"  # 10 registrations per hour per IP


class NonceView(views.APIView):
    permission_classes = [permissions.AllowAny]
    throttle_classes = [NonceThrottle]
    # post() unchanged


class DeviceRegisterView(views.APIView):
    permission_classes = [permissions.AllowAny]
    throttle_classes = [RegistrationThrottle]
    # post() unchanged
```

And in settings.py, a default throttle for every other view that does not set `throttle_classes` itself:

```python
REST_FRAMEWORK = {
    "DEFAULT_THROTTLE_CLASSES": [
        "rest_framework.throttling.AnonRateThrottle",
    ],
    "DEFAULT_THROTTLE_RATES": {
        "anon": "100/hour",
    },
    # Throttles key on the client IP. Behind a reverse proxy, also set DRF's
    # NUM_PROXIES so the X-Forwarded-For address is used instead of the proxy's.
}
# Counters live in Django's cache: with the per-process default (LocMemCache)
# each worker keeps its own count, so use a shared backend in production.
```
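To make the throttle behaviour concrete, here is an added stand-alone model (not the project's code and not DRF itself) of the sliding-window counting that DRF's `SimpleRateThrottle` performs, run against the two rates proposed above. It also shows why the two subclasses need distinct `scope` values: with the inherited `"anon"` scope both share one cache key per IP, so the nonce burst consumes the registration budget. Assumed: a constructed client address and an in-memory dict standing in for the Django cache.

```python
import time

RATE_PERIODS = {"s": 1, "m": 60, "h": 3600, "d": 86400}  # same table DRF's parse_rate uses


class SlidingWindowThrottle:
    """Stand-alone model of DRF's SimpleRateThrottle: a per-client list of request
    timestamps, pruned to the rate window, stored under one cache key per scope."""

    def __init__(self, scope, rate, store, clock=time.time):
        num, period = rate.split("/")          # "30/minute" -> 30 requests per 60 s
        self.scope = scope
        self.num_requests = int(num)
        self.duration = RATE_PERIODS[period[0]]
        self.store = store                     # stands in for the shared Django cache
        self.clock = clock

    def allow_request(self, ident):
        now = self.clock()
        history = self.store.setdefault(f"throttle_{self.scope}_{ident}", [])
        while history and history[-1] <= now - self.duration:  # drop expired entries
            history.pop()
        if len(history) >= self.num_requests:
            return False                       # DRF would answer 429 here
        history.insert(0, now)
        return True


def simulate(distinct_scopes):
    """One client bursts 31 nonce requests, then tries one registration, then
    retries a nonce request after the minute window has passed."""
    store, clock = {}, [1_000.0]               # shared cache; controllable clock
    nonce = SlidingWindowThrottle("nonce" if distinct_scopes else "anon",
                                  "30/minute", store, lambda: clock[0])
    register = SlidingWindowThrottle("registration" if distinct_scopes else "anon",
                                     "10/hour", store, lambda: clock[0])
    ip = "198.51.100.7"                        # constructed client address
    nonce_allowed = sum(nonce.allow_request(ip) for _ in range(31))
    registration_allowed = register.allow_request(ip)
    clock[0] += 61                             # a minute later the nonce window has cleared
    return {
        "nonce_allowed": nonce_allowed,
        "registration_allowed": registration_allowed,
        "nonce_after_window": nonce.allow_request(ip),
    }


if __name__ == "__main__":
    print("distinct scopes:", simulate(True))
    print("shared 'anon' scope:", simulate(False))
```

With distinct scopes the registration attempt is still allowed after the nonce burst; with the shared scope it is refused even though no registration has been made yet.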

@valentynhol please review.
