Comment

Comment on Admins: Instnace randomly running extremely slowly? Check for this

OpenStars@piefed.social ⁨6⁩ ⁨months⁩ ago

This is for Lemmy I presume (or also for Piefed or Mbin)? You’ve modified yours heavily though, I thought, which could complicate matters. I wonder if you are having those bot scraping issues that semi-recently (a month or so ago?) started increasing in frequency. So many instances now have a human detector before letting you in whereas before it was not necessary.

source

Sort:hotnew top

freamon@preferred.social ⁨6⁩ ⁨months⁩ ago
PieFed has a similar API endpoint. It used to be scoped, but was changed at the request of app developers. It’s how people browse sites by ’New Comments’, and - for a GET request - it’s not really possible to document and validate that an endpoint needs to have at least one of something (i.e. that none of ‘post_id’ or ‘user_id’ or ‘community_id’ or ‘user_id’ are individually required, but there needs to be one of them).

It’s unlikely that these crawlers will discover PieFed’s API, but I guess it’s no surprise that they’ve moved on from basic HTML crawling to probing APIs. In the meantime, I’ve added some basic protection to the back-end for anonymous, unscoped requests to PieFed’s endpoint.

source
- mapto@feddit.bg ⁨6⁩ ⁨months⁩ ago
  Could you elaborate on this:
  
  it’s not really possible to document and validate that an endpoint needs to have at least one of something
  
  In what sense it is not possible, as I can easily see it done in the code?
  
  source
  - freamon@preferred.social ⁨6⁩ ⁨months⁩ ago
    It’s straight-forward enough to do in back-end code, to just reject a query if parameters are missing, but I don’t think there’s a way to define a schema that then gets used to auto-generate the documentation and validate the requests. If the request isn’t validated, then the back-end never sees it.
    
    For something like https://freamon.github.io/piefed-api/#/Misc/get_api_alpha_search, the docs show that ‘q’ and ‘type_’ are required, and everything else is optional. The schema definition looks like:
    
    /api/alpha/search: get: parameters: - in: query name: q schema: type: string required: true - in: query name: type_ schema: type: string enum: - Communities - Posts - Users - Url required: true - in: query name: limit schema: type: integer required: false
    
    required is a simple boolean for each individual field - you can say every field is required, or no fields are required, but I haven’t come across a way to say that at least one field is required.
    
    source
    mapto@feddit.bg ⁨6⁩ ⁨months⁩ ago
    Ah, I see, so you are talking about this.
    
    Of course it is nice if things get auto-generated, but doing it yourself, both in code and documentation should never be excluded as an option.
    
    source
    -> View More Comments
- OpenStars@piefed.social ⁨6⁩ ⁨months⁩ ago
  Good thinking!:-)
  
  source
admiralpatrick@lemmy.world ⁨6⁩ ⁨months⁩ ago
Lemmy. I added a comment above LW wouldn’t let me edit the post.

Mine’s only extended with some WAF rules and I’ve got a massive laundry list of bot user agents that it blocks, but otherwise it’s pretty bog standard.

If instances have Anubis setup correctly (i.e. not in front of /api/…) then that might not help them since this is calling the API endpoint.

source
- OpenStars@piefed.social ⁨6⁩ ⁨months⁩ ago
  All of a sudden your edits went through - perhaps a delay caused by this same issue?
  
  Also some related posts:
  * another one reporting similar attack-like activities https://lemmy.world/post/36413045
  * a month ago similarly https://lemmy.world/post/34310429
  
  source