-
|
Hi! In the last 12-24 hours, I'm forced to complete an awful lot of captchas to access logged-in pages on npmjs.com while already logged in, after providing 2FA codes many times. can the captcha demand be adjusted to bother users less when they've verified multiple times? (additionally, the "teams" page for an org forces me to enter a 2FA code every single time, even if i just entered one 10 seconds earlier) |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 4 replies
-
|
Can you drop us a line with the IP address that you're using? We start ramping up denial-of-service mitigations automatically, based on the recent and historic activity from your IP address and ASN. So if somebody near you - network-wise - has been naughty and trying to DoS some site (not necessarily just us) then you'll suffer. If you visit https://npmjs.com/support/ and ask about captcha's and provide your IP address, we can take a look at what's going on. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks, I submitted a message on that form with my IP. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks. Just a quick follow up now that I've understood the process a little bit better here: as I mentioned, we look at many signals to enable automatic rate limiting and it's definitely possible that we'll add false positives from time to time. This is disappointing, and we're working to improve the signals that we use to make these decisions and will continue to adjust the sensitivity if it looks like we're making too many false positives. In the meantime, if you're seeing captchas on legitimate traffic (any legitimate traffic - our goal is no captchas for normal use) then drop us a line at support with the "ray id", or your IP address, and we should be able to sort you out manually. |
Beta Was this translation helpful? Give feedback.
-
|
Heuristics and occasional false positives are fine, but a logged in maintainer who’s successfully provided one, let alone many, captcha and 2fa prompts seems like it should eliminate the possibility of rate limiting? iow, I’m suggesting that these theoretically ironclad signals be weighted more highly :-) |
Beta Was this translation helpful? Give feedback.
-
|
Yep, agreed. We'll look into how we can improve this. |
Beta Was this translation helpful? Give feedback.
Can you drop us a line with the IP address that you're using? We start ramping up denial-of-service mitigations automatically, based on the recent and historic activity from your IP address and ASN. So if somebody near you - network-wise - has been naughty and trying to DoS some site (not necessarily just us) then you'll suffer. If you visit https://npmjs.com/support/ and ask about captcha's and provide your IP address, we can take a look at what's going on.