Security overhal of Copi

[sydseter]

There are various concerns for copi that should get adressed. E.g: making sure that we maintain availability under an attack. I know a couple of patterns that would work like (CAPEC 212, functionality misuse). This, we should take care of. We won’t be able to remove the threat completely, but we should minimize it. Knowledge og Elixir requiered. The person that fixes this deserves to be mentioned in the OWASP Cornucopia Hall of Fame for sure.

How? We need to put a limit on the numer of users and probably the number of games started from the same ip as well. If it’s still an issue, the solution would be to implement some form of authentication and associate that with the ip address, browser client, etc. but that’s not the first thing we should do.

[immortal71]

@sydseter hey can you assign this to me, If you haven't assign to anyone : I wanna work on this Assap.
Thankyou !!

[sydseter]

You are assigned. Keep in mind that the code is in Elixir.

[sydseter]

I believe we should have a limit on the player creation as well. The two limits should be separatly maintained.

[immortal71]

@sydseter
I've updated the PR to add separate rate limiting for player creation as you requested. The two limits are now maintained separately:

• Game creation: 10 per IP per hour
• Player creation: 20 per IP per hour

Each limit is tracked independently in the RateLimiter GenServer state. Please review when you have a chance!

[immortal71]

@sydseter Copilot suggested including :player_creation in the rate‑limited actions as well.
Right now this PR only affects :game_creation to match issue #1877.
Should rate limiting be applied to player_creation too, or do you prefer to keep that as a separate change?