I did end up disabling registration due to spam. I can either open them up at a time you’re free to try again or I can manually create an account for you.
It's a known issue - I have been working with @melroy@kbin.melroy.org for a while now to resolve. I think we now understand what is happening under the hood, but not yet why it is happening.
Lemmy (running on infosec.pub) does support both post formatting and previews. Mbin supports post formatting, but not previews (yet).
There were lots of changes around the same time. I removed fedia.io from the CDN a few days ago though didn't announce it, yet the errors continue.
What works for me on both mastodon and Lemmy is a free text question: why do you want to join?
The user enters whatever they like and it goes into a moderation queue. Both lemmy and mastodon send me an email when a new account is ready to review.
I read the response and choose whether to approve their account. At the moment, spammers are really bad at answering the “why do you want to join” questions.
Howdy! Mbin (and lemmy) are very different things. It’s sort of like the difference between Twitter and Reddit. You can sort of interact back and forth, but to get the full experience, you have to either be on a lemmy or mbin (or piefed) instance.
It's hard to make a blanket statement, because it depends on the details of the application. CSRF attacks are definitely real and common, but using CSRF tokens isn't critical in every application. For example, I think we have CORS headers enabled, I don't think we have functionality that allows embedded iframes, but we do allow links - if we have administrative functions that can be triggered solely with GET parameters, then someone could trick an administrator into doing something that caused damage by clicking on a link in a post. The only one that would obviously work that I can see is "logout", which would be annoying, but not world ending, and would work for everyone, not just administrators.
OK - I just had it happen again while looking at logs. Interestingly, there was NOT a CSRF log when that happened. There were a bunch of other errors, but enough that I could look through all of them and see that they were all related to ActivityPub issues - signaturevalidator and the like.
Indeed. I am trying to get it to happen again now that I’ve got the logs filtered down to a manageable level.
I do not have 2fa turned on right now.
Which magazines/communities are you seeing problems with?