Script: "Reliant" + HTML Script Legality Discussion

Bug reports, general help, ideas for improvements, and questions about how things are meant to work.


[violet]
Site Admin
 
Posts: 15716
Founded: Antiquity

Postby [violet] » Sun Jun 26, 2022 4:24 pm

Racoda wrote:To be honest, I have no experience with CORS -- hence the suggestion to authenticate differently than in headers. I've had a discussion with Sherp after posting and I agree that exempting OPTIONS from the rate-limit (and preventing it from sending an API response) is the best solution, especially since a CORS request will be needed anyway to authorize sending a custom user-agent header.

The API hasn't sent a full response (i.e. with data) to OPTIONS requests since 2015 as far as I can tell, but anyway, I tweaked the config to avoid hitting the API altogether, which should mean the rate limit isn't triggered. How does it look now?

Racoda
Spokesperson
 
Posts: 171
Founded: Aug 12, 2014
New York Times Democracy

Postby Racoda » Sun Jun 26, 2022 5:56 pm

[violet] wrote:The API hasn't sent a full response (i.e. with data) to OPTIONS requests since 2015 as far as I can tell, but anyway, I tweaked the config to avoid hitting the API altogether, which should mean the rate limit isn't triggered. How does it look now?

Looks great! I haven't run into rate-limiting issues (Edit: also confirmed with someone living closer to NS servers) and the `x-ratelimit-requests-seen` header sent from the API seems to confirm OPTIONS requests aren't counted to the rate-limit.

I've also noticed you've added `User-Agent` to the allowed CORS headers, thanks!
Last edited by Racoda on Sun Jun 26, 2022 5:59 pm, edited 1 time in total.
RCES - Farming and QoL cards scripts

Eluvatar
Site Admin
 
Posts: 2553
Founded: Mar 31, 2006
New York Times Democracy

Postby Eluvatar » Tue Aug 02, 2022 8:16 am

Vincent Drake wrote:We gave Elu access to the Git repo for Reliant. It tells you when someone logs in. He never did. You would think that at least looking at the master source code would be important for such an investigation?


Sorry to drive-by this over a month later but I missed this line in the original discussion. I didn't "log in" because I didn't need to. I used the SSH key I provided the public key for to simply clone the repos over SSH and examine the provided code on my own computer. Rest assured, I examined the provided reliant code, including tracing back the evolution of the simultaneity control code in the source tree and testing hypotheses of how it might be bugged.

We also asked users to submit their copies, which I examined a selection of with great effort and concluded they were probably indeed generated from versions of the provided source code.

The work I ran out of time for finishing to my satisfaction involved further analysis of the server-side logs. (Hundreds of thousands of relevant lines, amidst tens of millions of irrelevant lines.)
To Serve and Protect: UDL

Eluvatar - Taijitu member
