Comments (10)
@evandrocoan That URL is the URL that is called behind the scenes by Backstroke (i.e., the GitHub webhook). As explained on the dashboard, running curl -X POST https://backstroke.us/_XXX... kicks off Backstroke at any arbitrary time if you'd like to run the check external to Backstroke for some reason.
But if I understand correctly, Backstroke is kicking off automatically. Why would I need the URL?
If someone takes my URL from the git repository, they can start kicking it like a DDoS; is there a problem? Should the URL be a secret, or can it be public?
@evandrocoan In 99% of cases, the URL is not required. I've run into cases (and others have as well) where they've wanted to integrate Backstroke into a different system and wanted to kick off Backstroke on their own from a system they've written (100% not required, an edge case). That's the only reason why the URL is user facing (it's hidden in the dashboard to try and emphasize this too).
As far as any denial of service concerns: the URL can be public. Since nothing will happen if the repo is already up-to-date, the worst thing that could happen is that your repository is checked more often for changes. Also, backstroke.us is behind Cloudflare, which should take care of any abuse.
the url can be public
I got this response from GitHub while running my pull algorithm:
API rate limit exceeded for evandrocoan.
How does it know my name? Does it know my name from the consecutive calls to the Backstroke URL https://backstroke.us/_dfasdf1asd1f3dsf32df... ?
If so, could someone be using my URL to kick off GitHub, so that when I actually need to kick some repository, I cannot because they exhausted/kicked off all my daily GitHub API quota?
...
[DEBUG] 13:14:24:617565 -5069 Index: 28/54, submodule "Packages/Indent and braces"
b'{"status":"ok","output":{"status":"ok","pullRequest":{"msg":"There\'s already a pull request for this repo, no need to create another."},"isEnabled":true,"many":false,"forkCount":1}}'
[DEBUG] 13:14:25:753405 135840 Index: 29/55, submodule "Packages/Invert Selection"
b'{"status":"ok","output":{"status":"ok","pullRequest":{"msg":"There\'s already a pull request for this repo, no need to create another."},"isEnabled":true,"many":false,"forkCount":1}}'
[DEBUG] 13:14:26:907257 153852 Index: 30/56, submodule "Packages/LaTeXTools"
ERROR! b'{"error":{"code":403,"status":"Forbidden","message":"{\\"message\\":\\"API rate limit exceeded for evandrocoan.\\",\\"documentation_url\\":\\"https://developer.github.com/v3/#rate-limiting\\"}"}}'
@evandrocoan Backstroke uses your GitHub access token to make requests, and GitHub rate limits users with tokens to 6000 requests per hour. At worst, someone would prevent Backstroke from working on your repositories for an hour, and then once the rate limit expired, Backstroke would work again. This is a GitHub limitation and something that cannot be easily circumvented.
In the example above, I did not hit the 6000 request limit; I had only made about 50 sequential requests to the URL. GitHub seems to block repeated requests, on the 6000 hit limit.
So, given that someone has my URLs, they can be hitting the GitHub API under my name and therefore run dry all my 6000 requests?
Backstroke makes many calls to GitHub for a given request. If someone were to hit a link's webhook URL repeatedly over and over, yes, they would "run dry" all of your requests. At worst, this means that your repository would be out of date for an hour until the GitHub rate limit reset.
Thanks for the patience. Seeing now how it works, I would like to ask if it is possible to block repeated requests to the same URL, as GitHub does with their rate limit.
Since my URLs are public, anyone can create a simple script which starts pinging the same URL repeatedly, over and over again forever. This would cause GitHub to exhaust all my 6000 requests just for one repository URL, and could keep me blocked forever from pinging other repositories, as they are using up all of my request limit with the same repository.
Basically, limit the kicking off of a URL so that only one request is accepted per 6000 seconds. That would block anyone from exhausting my GitHub rate limit using one or just a few URLs from my account.
This should not affect the system, as it is only a tool to help integrate changes from the upstream when they are available, which means I do not need to see them immediately, so it can be delayed a few hours.
Currently, this doesn't exist. If you'd like to try to implement it, here's the most up-to-date branch. I can review any submitted pull requests.
Thanks, for now I cannot engage on it, but I added it to my issue tracker. So the simplest solution today is to remove all the URLs from public view. Perhaps you could place a warning on the page stating not to publish the URL.
But now we can discuss the algorithm to accomplish this. I can think of one; do you approve it for implementation?
- Implement a hash table with the repositories as the key, so when performing a check to the URL https://backstroke.us/_dfasdf1asd1f3dsf32df, the repository table key would be dfasdf1asd1f3dsf32df, which is accessed and compared against the current time in EPOCH as 1501635118. If the minimum time of 6000 seconds has passed since the last input, the call is approved and the time updated in the hash table. Otherwise the call is just rejected. When there is no entry, an entry is added and the call is performed.
- This algorithm can be improved, so the hash table is restarted every 24h to clean/free up some memory, and also when its size passes some limit, to avoid starving the server memory.
Update
I think it is just better not to publish the URL anywhere, so you do not have to care about anything. When I have time I can look into implementing it, but I will probably end up not doing so.
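The per-link throttle proposed in the comment above, written out as an added example; this is not Backstroke's code, and `WebhookThrottle`, `handleWebhook` and the `now` clock parameter are names introduced here. It keys a Map on the link id taken from the webhook path, accepts at most one call per `minIntervalSeconds` (6000 by default, as proposed), clears the table after 24 hours, and evicts entries when the table grows past `maxEntries`. The link id and EPOCH value in the demo are the constructed ones from the comment.

```javascript
// Added example of the proposed per-link minimum-interval throttle.
// Not Backstroke's own code; class and function names are assumptions.

class WebhookThrottle {
  constructor({
    minIntervalSeconds = 6000,   // one accepted call per link per 6000 s, as proposed
    maxEntries = 10000,          // hard cap on table size to avoid starving server memory
    resetAfterSeconds = 86400,   // wipe the whole table every 24 h
    now = () => Math.floor(Date.now() / 1000), // injectable clock (EPOCH seconds)
  } = {}) {
    this.minIntervalSeconds = minIntervalSeconds;
    this.maxEntries = maxEntries;
    this.resetAfterSeconds = resetAfterSeconds;
    this.now = now;
    this.lastSeen = new Map();   // link id -> EPOCH seconds of the last accepted call
    this.createdAt = this.now();
  }

  // "/_dfasdf1asd1f3dsf32df" -> "dfasdf1asd1f3dsf32df"; null if the path is not a link URL
  static keyFromPath(path) {
    const m = /^\/_([A-Za-z0-9]+)$/.exec(path);
    return m ? m[1] : null;
  }

  // Returns true if the call for this link may proceed, false if it is rejected.
  allow(key) {
    const t = this.now();
    this.resetIfExpired(t);
    const last = this.lastSeen.get(key);
    if (last !== undefined && t - last < this.minIntervalSeconds) {
      return false; // rejected: fewer than minIntervalSeconds since the last accepted call
    }
    if (last === undefined) this.makeRoom(t); // new entry: enforce the size cap first
    // delete + set moves the key to the end, so Map order is "least recently accepted" first
    this.lastSeen.delete(key);
    this.lastSeen.set(key, t);
    return true;
  }

  resetIfExpired(t) {
    if (t - this.createdAt >= this.resetAfterSeconds) {
      this.lastSeen.clear();
      this.createdAt = t;
    }
  }

  makeRoom(t) {
    if (this.lastSeen.size < this.maxEntries) return;
    // Drop entries whose interval has already elapsed (they no longer block anything).
    for (const [k, v] of this.lastSeen) {
      if (t - v >= this.minIntervalSeconds) this.lastSeen.delete(k);
    }
    // Still full: drop the least recently accepted links until there is room.
    while (this.lastSeen.size >= this.maxEntries) {
      const oldest = this.lastSeen.keys().next().value;
      this.lastSeen.delete(oldest);
    }
  }
}

// Minimal request handler around the throttle; the "kick off" branch is a stand-in.
function handleWebhook(throttle, path) {
  const key = WebhookThrottle.keyFromPath(path);
  if (key === null) return { status: 404, body: 'unknown link' };
  if (!throttle.allow(key)) {
    return { status: 429, body: 'this link was checked recently; try again later' };
  }
  return { status: 200, body: `kicking off Backstroke for link ${key}` };
}

// Demo with a fake clock starting at the EPOCH value quoted in the comment (constructed input).
let clock = 1501635118;
const demo = new WebhookThrottle({ now: () => clock });
console.log(handleWebhook(demo, '/_dfasdf1asd1f3dsf32df')); // 200: first call is accepted
console.log(handleWebhook(demo, '/_dfasdf1asd1f3dsf32df')); // 429: same link, same second
clock += 6000;
console.log(handleWebhook(demo, '/_dfasdf1asd1f3dsf32df')); // 200: interval has elapsed
```

The table is in-process memory, so it protects a single server instance; with several instances behind Cloudflare each would keep its own counts. Eviction under `maxEntries` also means a link pushed out of the table can be kicked again before its 6000 seconds are up, which trades strictness for a bounded memory footprint, as the comment suggests.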