
Posted: Sun Jun 26, 2022 4:24 pm
by [violet]
Racoda wrote:To be honest, I have no experience with CORS -- hence the suggestion to authenticate differently than in headers. I've had a discussion with Sherp after posting and I agree that exempting OPTIONS from the rate-limit (and preventing it from sending an API response) is the best solution, especially since a CORS request will be needed anyway to authorize sending a custom user-agent header.

The API hasn't sent a full response (i.e. with data) to OPTIONS requests since 2015 as far as I can tell, but anyway, I tweaked the config to avoid hitting the API altogether, which should mean the rate limit isn't triggered. How does it look now?

Posted: Sun Jun 26, 2022 5:56 pm
by Racoda
[violet] wrote:The API hasn't sent a full response (i.e. with data) to OPTIONS requests since 2015 as far as I can tell, but anyway, I tweaked the config to avoid hitting the API altogether, which should mean the rate limit isn't triggered. How does it look now?

Looks great! I haven't run into rate-limiting issues (Edit: also confirmed with someone living closer to NS servers), and the `x-ratelimit-requests-seen` header sent from the API seems to confirm that OPTIONS requests aren't counted toward the rate limit.

I've also noticed you've added `User-Agent` to the allowed CORS headers, thanks!
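
The behaviour the two posts above describe, as an added example that is not the site's own configuration or code: a small request gateway that answers CORS preflight (OPTIONS) requests itself, before the rate limiter runs, so preflights are never charged to the client's budget, and that reports the running count in `x-ratelimit-requests-seen`. The `exempt_preflight=False` mode reproduces the earlier behaviour where every preflight was counted. The request budget, the client address, the origin, and the `X-Example-Auth` header are all assumed values chosen for the illustration; only `User-Agent` comes from the thread.

```python
"""Added example (not NationStates' own configuration): a tiny API gateway that
answers CORS preflight (OPTIONS) requests before the rate limiter runs, so
preflights never count toward the per-client budget, and reports the running
count in x-ratelimit-requests-seen as the thread describes."""
from collections import defaultdict

# Assumed per-window budget; the real API's figure is not stated on this page.
REQUEST_LIMIT = 50
# User-Agent is the header the thread says was added to the allow-list;
# X-Example-Auth is a hypothetical stand-in for an authentication header.
ALLOWED_HEADERS = "User-Agent, X-Example-Auth"
ALLOWED_METHODS = "GET, OPTIONS"


def _get(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def is_preflight(method, headers):
    """A CORS preflight is an OPTIONS request carrying both Origin and
    Access-Control-Request-Method; a bare OPTIONS without them is not one."""
    return (method == "OPTIONS"
            and _get(headers, "Origin") is not None
            and _get(headers, "Access-Control-Request-Method") is not None)


def preflight_response(headers):
    """204 with the CORS grant and no body; nothing here touches the API."""
    return 204, {
        "Access-Control-Allow-Origin": _get(headers, "Origin"),
        "Access-Control-Allow-Methods": ALLOWED_METHODS,
        "Access-Control-Allow-Headers": ALLOWED_HEADERS,
        "Access-Control-Max-Age": "86400",
        "Vary": "Origin",
    }, b""


class Gateway:
    def __init__(self, limit=REQUEST_LIMIT, exempt_preflight=True):
        self.limit = limit
        self.exempt_preflight = exempt_preflight   # False = the pre-fix behaviour
        self.seen = defaultdict(int)               # requests charged per client

    def handle(self, method, client, headers=None):
        headers = dict(headers or {})
        if self.exempt_preflight and is_preflight(method, headers):
            return preflight_response(headers)     # short-circuit: never counted
        # Everything else reaches the API and is charged to the client's budget.
        self.seen[client] += 1
        out = {"X-RateLimit-Requests-Seen": str(self.seen[client])}
        origin = _get(headers, "Origin")
        if origin is not None:
            out["Access-Control-Allow-Origin"] = origin
            out["Vary"] = "Origin"
        if self.seen[client] > self.limit:
            return 429, out, b"rate limit exceeded"
        if is_preflight(method, headers):          # pre-fix: answered, but charged
            _, cors, body = preflight_response(headers)
            return 204, {**cors, **out}, body
        if method == "OPTIONS":
            return 204, out, b""                   # OPTIONS gets no data body
        return 200, out, b"<api data>"


def simulate(exempt_preflight, calls, limit=REQUEST_LIMIT):
    """One browser-based client making `calls` cross-origin GETs. Each GET is
    preceded by a preflight because it sets a non-safelisted header.
    Returns (requests charged to the client, GETs rejected with 429)."""
    gw = Gateway(limit, exempt_preflight)
    client = "203.0.113.7"                         # constructed client address
    preflight = {"Origin": "https://tool.example",
                 "Access-Control-Request-Method": "GET",
                 "Access-Control-Request-Headers": "user-agent"}
    actual = {"Origin": "https://tool.example",
              "User-Agent": "ExampleTool/1.0 (hypothetical contact)"}
    rejected = 0
    for _ in range(calls):
        gw.handle("OPTIONS", client, preflight)
        status, _, _ = gw.handle("GET", client, actual)
        rejected += status == 429
    return gw.seen[client], rejected


if __name__ == "__main__":
    print("preflight exempt:", simulate(True, 40))    # (40, 0)
    print("preflight counted:", simulate(False, 40))  # (80, 15)
```

With the exemption on, 40 cross-origin calls cost 40 requests and none are rejected; with it off, the same 40 calls cost 80 and the last 15 GETs fail with 429 against a budget of 50, which is the effect the thread reports from a browser-based client. A bare OPTIONS without the preflight headers still goes through the limiter, so the exemption cannot be used as an unlimited free probe.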

Posted: Tue Aug 02, 2022 8:16 am
by Eluvatar
Vincent Drake wrote:We gave Elu access to the Git repo for Reliant. It tells you when someone logs in. He never did. You would think that at least looking at the master source code would be important for such an investigation?


Sorry to drive-by this over a month later but I missed this line in the original discussion. I didn't "log in" because I didn't need to. I used the SSH key I provided the public key for to simply clone the repos over SSH and examine the provided code on my own computer. Rest assured, I examined the provided reliant code, including tracing back the evolution of the simultaneity control code in the source tree and testing hypotheses of how it might be bugged.

We also asked users to submit their copies, which I examined a selection of with great effort and concluded they were probably indeed generated from versions of the provided source code.

The work I ran out of time to finish to my satisfaction involved further analysis of the server-side logs. (Hundreds of thousands of relevant lines, amidst tens of millions of irrelevant lines.)