
GX-Task #70799

Updated by Hendrik Bahr 5 months ago

_Description_:
Using the EU's VAT ID Check API, the VAT identification number can be checked.

The EU blocks the IP address of the shop if the API is misused. It is possible to misuse the API via the shop.

_How to reproduce_
If the live check of the VAT ID is activated in the shop, a request is always sent to the EU during creation of a customer account, even if only a "1" is entered as the VAT ID.
1. Register and enter something into the VAT ID field.
2. Repeat 10,000 times in a short period of time (i.e. with a bot that spams registrations).

_What should we do now?_
1. The shop should already check the format of the VAT ID (two letters followed by a bunch of numbers). If this is not valid, there shouldn't be a request to the API. Show an error message.
2. Cache the result of the API for one hour. So if the same number is requested several times in a row, only one request per hour to the API is made.
3. Implement a limit (max 3 registrations per IP address per minute) to avoid registration form spamming and therefore also too many requests to the VAT ID Check API.
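The three measures above combined into one gate placed in front of the live check, as an added example that is not part of this ticket or of the shop's code. The `api_check` callable, the injectable clock, the constants and the regular expression (the ticket's "two letters followed by numbers" rule, which real per-country VAT formats refine) are assumptions.

```python
import re
import time
from collections import defaultdict, deque

# Assumptions for this example: the ticket's simplified format rule (two
# letters followed by digits), a one-hour cache and 3 attempts/IP/minute.
VAT_ID_PATTERN = re.compile(r"^[A-Z]{2}[0-9]{2,13}$")
CACHE_TTL_SECONDS = 3600
MAX_ATTEMPTS_PER_IP = 3
RATE_WINDOW_SECONDS = 60


class VatIdGate:
    """Gate in front of the VAT ID API: rate limit, format check, cache."""

    def __init__(self, api_check, clock=time.time):
        self.api_check = api_check       # stand-in for the real EU API client
        self.clock = clock               # injectable so windows can be tested
        self.cache = {}                  # vat_id -> (expires_at, api_result)
        self.attempts = defaultdict(deque)  # client_ip -> attempt timestamps
        self.api_calls = 0               # how often the remote API was hit

    def check(self, vat_id, client_ip):
        """Return (reason, valid). 'api' and 'cached' carry the real result."""
        now = self.clock()

        # 3. Per-IP registration limit: drop timestamps outside the window,
        #    then refuse once the limit is reached (counts every attempt).
        window = self.attempts[client_ip]
        while window and window[0] <= now - RATE_WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_ATTEMPTS_PER_IP:
            return ("rate_limited", False)
        window.append(now)

        # 1. Format pre-check: inputs like "1" never reach the EU API.
        normalized = vat_id.replace(" ", "").upper()
        if not VAT_ID_PATTERN.fullmatch(normalized):
            return ("invalid_format", False)

        # 2. One-hour cache: repeated lookups of one number cost one request.
        cached = self.cache.get(normalized)
        if cached is not None and cached[0] > now:
            return ("cached", cached[1])
        result = bool(self.api_check(normalized))
        self.api_calls += 1
        self.cache[normalized] = (now + CACHE_TTL_SECONDS, result)
        return ("api", result)
```

The rate limit counts every registration attempt from an address, including malformed and cached ones, so a bot cannot use cheap failures to probe the window.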
