[Rack] a noisebridge API question, or oracles a-go-go

Danny O'Brien danny at spesh.com
Mon Oct 22 06:10:41 UTC 2012


So I'm trying to make it easier for people to be able to get a new
door code, and also let us track when codes are descendants of other
codes (So for instance, if somebody ends up giving out lots of codes
that bring all the bad milkshakes to the yard, we can cancel all of
the codes they handed out, as well as their own).

The simplest way seemed to be to add a new API call -- something where
you can do a POST like this

% curl -X POST -d create http://api.noisebridge.net/gate/key/12345

where '12345' is your old key number, and the URL returned is the
address of the new key.

Josh pointed out some problems with this -- firstly you could create
lots of keys really quickly, and secondly you could use it as an
oracle to find out existing valid keys.

The obvious solution to both of these issues is rate-limiting, but I'm
having problems working out good ways to do this that actually solve
the problem. For instance, I could rate-limit so that after a bunch of
non-valid door codes, everyone gets locked out for a few minutes, but
that would enable to people to just block other people from using it
(probably not a big deal). I could also rate-limit so that a
particular key can't get more than a certain number of daughter keys,
but then you could just call again using a daughter key and reset that
counter.

Before I go off and do the fingers-crossed minimally intrusive
rate-limiting, does anyone have any better ideas?

For those who know Bottle.py, here's some code for my current strawman
implementation

@api_app.post('/gate/key/<oldcode:int>')
def gate_key_create(oldcode=None):
    if 'create' in request.forms and request.forms.create:
        newcode = add_door_code(oldcode)
        if not newcode:
            raise HTTPError(output="Code creation failed") # FIXME better errors
        else:
            redirect('/gate/key/%s' % (newcode))
    return {}


More information about the Rack mailing list