[Rack] a noisebridge API question, or oracles a-go-go
danny at spesh.com
Mon Oct 22 06:10:41 UTC 2012
So I'm trying to make it easier for people to be able to get a new
door code, and also let us track when codes are descendants of other
codes (So for instance, if somebody ends up giving out lots of codes
that bring all the bad milkshakes to the yard, we can cancel all of
the codes they handed out, as well as their own).
The simplest way seemed to be to add a new API call -- something where
you can do a POST like this
% curl -X POST -d create http://api.noisebridge.net/gate/key/12345
where '12345' is your old key number, and the URL returned is the
address of the new key.
Josh pointed out some problems with this -- firstly you could create
lots of keys really quickly, and secondly you could use it as an
oracle to find out existing valid keys.
The obvious solution to both of these issues is rate-limiting, but I'm
having problems working out good ways to do this that actually solve
the problem. For instance, I could rate-limit so that after a bunch of
non-valid door codes, everyone gets locked out for a few minutes, but
that would enable people to just block other people from using it
(probably not a big deal). I could also rate-limit so that a
particular key can't get more than a certain number of daughter keys,
but then you could just call again using a daughter key and reset that
Before I go off and do the fingers-crossed minimally intrusive
rate-limiting, does anyone have any better ideas?
For those who know Bottle.py, here's some code for my current strawman:

    from bottle import post, request, redirect, HTTPError

    @post('/gate/key/<oldcode>')   # route assumed; only the handler body was in the mail
    def create_key(oldcode):
        if 'create' in request.forms and request.forms.create:
            newcode = add_door_code(oldcode)   # the gate's own helper, not shown here
            if not newcode:
                raise HTTPError(500, "Code creation failed")  # FIXME better errors
            redirect('/gate/key/%s' % (newcode))
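One way to put the two ideas from the mail together (a lineage of daughter keys that can be cancelled as a unit, and rate-limiting that does not lock everyone out) is sketched below. This is an added example, not the noisebridge gate code and not Bottle-specific: it uses only the standard library so the handler logic can be wired into any framework. The `KeyTree`, `FailureLimiter`, 5-digit code format and caller identifier are all constructed for the illustration. Two choices address the problems Josh raised: the daughter-key cap is charged to the root of a lineage, so calling again with a daughter key does not reset it, and the failure counter is keyed per caller rather than globally, so bad guesses from one source cannot block other people. An invalid key and an exhausted quota return the identical response, so the endpoint is a much weaker oracle than a distinct "no such key" error would be.

```python
"""Added example: lineage-aware door-code creation with a per-caller
failure limiter.  Standard library only; the store, limiter and code
format are constructed for this illustration, not the gate's own code."""
import secrets
import time
from collections import defaultdict, deque


class KeyTree:
    """Door codes with parent links, so a code and everything derived
    from it can be cancelled together."""

    def __init__(self, lineage_cap=5):
        self.parent = {}                # code -> code it was derived from (None for roots)
        self.active = set()             # codes that currently open the door
        self.lineage_cap = lineage_cap  # max descendants per root key

    def add_root(self, code):
        self.parent[code] = None
        self.active.add(code)

    def root_of(self, code):
        while self.parent.get(code) is not None:
            code = self.parent[code]
        return code

    def descendants(self, code):
        found, stack = [], [code]
        while stack:
            cur = stack.pop()
            kids = [c for c, p in self.parent.items() if p == cur]
            found.extend(kids)
            stack.extend(kids)
        return found

    def _fresh_code(self):
        while True:
            code = "%05d" % secrets.randbelow(10 ** 5)   # constructed 5-digit format
            if code not in self.parent:
                return code

    def create_child(self, oldcode):
        """Return a new code derived from oldcode, or None.  The cap is
        charged to the *root* of the lineage, so asking again with a
        daughter key does not reset it."""
        if oldcode not in self.active:
            return None
        if len(self.descendants(self.root_of(oldcode))) >= self.lineage_cap:
            return None
        newcode = self._fresh_code()
        self.parent[newcode] = oldcode
        self.active.add(newcode)
        return newcode

    def revoke(self, code):
        """Cancel a code together with every code descended from it."""
        for c in [code] + self.descendants(code):
            self.active.discard(c)


class FailureLimiter:
    """Sliding-window count of failed attempts per caller.  Keyed by
    caller rather than global, so one abuser cannot lock everyone out."""

    def __init__(self, max_failures=5, window=60.0):
        self.max_failures, self.window = max_failures, window
        self.failures = defaultdict(deque)   # caller -> timestamps of failures

    def _prune(self, caller, now):
        q = self.failures[caller]
        while q and now - q[0] > self.window:
            q.popleft()

    def allowed(self, caller, now=None):
        now = time.time() if now is None else now
        self._prune(caller, now)
        return len(self.failures[caller]) < self.max_failures

    def record_failure(self, caller, now=None):
        now = time.time() if now is None else now
        self.failures[caller].append(now)


def create_key(tree, limiter, caller, oldcode, now=None):
    """Handler logic for POST /gate/key/<oldcode>, returned as
    (status, body) so any framework can wrap it.  A throttled caller is
    answered before the key store is consulted at all; an unknown key
    and an exhausted lineage quota produce the same response."""
    if not limiter.allowed(caller, now):
        return 429, "Too many failed attempts"
    newcode = tree.create_child(oldcode)
    if newcode is None:
        limiter.record_failure(caller, now)
        return 403, "Code creation failed"
    return 303, "/gate/key/%s" % newcode
```

In a Bottle route the `caller` argument would be something like `request.remote_addr` and `now` left as `None`; the explicit `now` parameter exists so the window behaviour can be exercised deterministically. Note that a legitimate key that has used up its lineage quota also counts as a failure for its caller, which is deliberate: it keeps the two error paths indistinguishable from outside.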