NATION

PASSWORD

Script: "Reliant" + HTML Script Legality Discussion

Bug reports, general help, ideas for improvements, and questions about how things are meant to work.

Advertisement

Remove ads

Post a reply
User avatar
[violet]
Executive Director
 
Posts: 16205
Founded: Antiquity

Postby [violet] » Sun Jun 26, 2022 4:24 pm

Racoda wrote:To be honest, I have no experience with CORS -- hence the suggestion to authenticate differently than in headers. I've had a discussion with Sherp after posting and I agree that exempting OPTIONS from the rate-limit (and preventing it from sending an API response) is the best solution, especially since a CORS request will be needed anyway to authorize sending a custom user-agent header.

The API hasn't sent a full response (i.e. with data) to OPTIONS requests since 2015 as far as I can tell, but anyway, I tweaked the config to avoid hitting the API altogether, which should mean the rate limit isn't triggered. How does it look now?
Top
User avatar
Racoda
Technical Moderator
 
Posts: 579
Founded: Aug 12, 2014
Democratic Socialists

Postby Racoda » Sun Jun 26, 2022 5:56 pm

[violet] wrote:The API hasn't sent a full response (i.e. with data) to OPTIONS requests since 2015 as far as I can tell, but anyway, I tweaked the config to avoid hitting the API altogether, which should mean the rate limit isn't triggered. How does it look now?

Looks great! I haven't run into rate-limiting issues (Edit: also confirmed with someone living closer to NS servers) and the `x-ratelimit-requests-seen` header sent from the API seems to confirm OPTIONS requests aren't counted to the rate-limit.

I've also noticed you've added `User-Agent` to the allowed CORS headers, thanks!
Last edited by Racoda on Sun Jun 26, 2022 5:59 pm, edited 1 time in total.

Acting as a player unless accompagnied by mod action or reddish text
Any pronouns
Top
User avatar
Eluvatar
Director of Technology
 
Posts: 3086
Founded: Mar 31, 2006
New York Times Democracy

Postby Eluvatar » Tue Aug 02, 2022 8:16 am

Vincent Drake wrote:We gave Elu access to the Git repo for Reliant. It tells you when someone logs in. He never did. You would think that at least looking at the master source code would be important for such an investigation?


Sorry to drive-by this over a month later but I missed this line in the original discussion. I didn't "log in" because I didn't need to. I used the SSH key I provided the public key for to simply clone the repos over SSH and examine the provided code on my own computer. Rest assured, I examined the provided reliant code, including tracing back the evolution of the simultaneity control code in the source tree and testing hypotheses of how it might be bugged.

We also asked users to submit their copies, which I examined a selection of with great effort and concluded they were probably indeed generated from versions of the provided source code.

The work I ran out of time for finishing to my satisfaction involved further analysis of the server-side logs. (Hundreds of thousands of relevant lines, amidst tens of millions of irrelevant lines.)
To Serve and Protect: UDL

Eluvatar - Taijitu member
Top
Previous
Post a reply

Return to Technical

Who is online

Users browsing this forum: Aadhiris, Atrito, Capitolism Republic, Chenzorian Viatrok, Corindia, Dimetrodon Empire, Giandan, Google [Bot], Greater Cuba, Improper Classifications, MLGDogeland, Narvatus, Reyo, Rodmenia, Siptalisia, Sorcery, Teffland, TescoPepsi, The Hurricane, Tiami

Powered by phpBB® Forum Software © phpBB Group

Advertisement

Remove ads