Add metered open signups, per-IP limits, and auth security hardening

Enables public beta signup metering: DAILY_OPEN_SIGNUPS env var controls how many users can register without an invite code per day (0=disabled, -1=unlimited, N=daily cap). Invite codes always bypass the limit. Also adds per-IP signup throttling (DAILY_SIGNUPS_PER_IP, default 3/day) and fail-closed rate limiting on auth endpoints when Redis is down. Client dynamically fetches /api/auth/signup-info to show invite field as optional with remaining slots when open signups are enabled. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-24 14:28:28 -05:00
parent 3d02d739e5
commit 6461a7f0c7
9 changed files with 320 additions and 14 deletions
--- a/client/index.html
+++ b/client/index.html
@@ -893,8 +893,9 @@ TOTAL: 0 + 8 + 16 = 24 points</pre>
            <div id="signup-form-container" class="hidden">
                <h3>Sign Up</h3>
                <form id="signup-form">
-                    <div class="form-group">
-                        <input type="text" id="signup-invite-code" placeholder="Invite Code" required>
+                    <div class="form-group" id="invite-code-group">
+                        <input type="text" id="signup-invite-code" placeholder="Invite Code">
+                        <small id="invite-code-hint" class="form-hint"></small>
                    </div>
                    <div class="form-group">
                        <input type="text" id="signup-username" placeholder="Username" required minlength="3" maxlength="20">