GX-Task #70799
Von Rico Schreiber vor 6 Monaten aktualisiert
_Description_ : Using the EU's VAT ID Check API, the VAT identification number can be checked. The EU blocks the IP address of the shop if the API is misused. It is possible to misuse the API via the shop. _How to reproduce_ If the live check of the VAT ID is activated in the shop, a request is always sent to the EU during creation of a customer account, even if only a "1" is entered as the VAT ID. 1. Register and enter something to the Vat ID field 2. Repeat 10.000 times in a short period of time. (i.e. with a bot that spams registrations) _What should we do now?_ 1. Refactor VAT ID check to avoid redundancy. There are currently two different mechanisms in use for checking the VAT ID: One legacy class used for registration, one service used for updating existing customers VAT ID from the admin interface. 2. The shop should already check the format of the VAT ID.(Two letters followd by a bunch of numbers) If this is not valid, there shouldn't be a request to the API. Show an error message. 3. 2. Cache the result of the API for one hour. So if the same number is requested several times in a row only one request per hour to the API is made. 4. 3. implement a limit (max 3 vatid-live-check-calls registrations per IPadress per minute) to avoid registration form spamming and therefore also too many requests to the VAT ID Check API.