
If you request a public url with an invalid token, it succeeds

    • Type: Bug
    • Resolution: Fixed
    • Priority: Normal

      If you request a url that doesn't require authentication (for example /1/user/(user_name)/listens), but you also provide an Authorization header with invalid data, you get the information that you requested.

      I'm not sure if it makes sense to validate this data on public endpoints or not. Thoughts?

      One potential reason to verify on all requests is if we have a separate rate limit for authorised clients...
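As an added example that is not ListenBrainz code, one way to close the gap described in this report: treat an absent Authorization header as anonymous, but reject a header that is present and invalid instead of quietly serving the public data. The token store, the `Authorization: Token <value>` format and the handler are constructed for the example; the real service resolves tokens with a database lookup.

```python
# Added example, not ListenBrainz code: optional-auth policy for public endpoints.
# Token store and "Authorization: Token <value>" format are constructed for the example;
# ListenBrainz resolves tokens with a database lookup instead.
VALID_TOKENS = {"tok-alice-0001": "alice"}


class InvalidToken(Exception):
    """An Authorization header was supplied but is malformed or unknown."""


def parse_authorization(headers):
    """Return the token from 'Authorization: Token <value>', or None if no header was sent."""
    raw = headers.get("Authorization")
    if raw is None:
        return None
    scheme, _, value = raw.strip().partition(" ")
    if scheme.lower() != "token" or not value.strip():
        raise InvalidToken("malformed Authorization header")
    return value.strip()


def authenticate_lenient(headers):
    """Behaviour reported in LB-791: an invalid token is silently treated as anonymous."""
    try:
        token = parse_authorization(headers)
    except InvalidToken:
        return None
    return VALID_TOKENS.get(token)  # unknown token -> None, request still succeeds


def authenticate_strict(headers):
    """Proposed policy: no header means anonymous, but a header that is present must be valid."""
    token = parse_authorization(headers)  # raises on a malformed header
    if token is None:
        return None
    user = VALID_TOKENS.get(token)
    if user is None:
        raise InvalidToken("unknown token")
    return user


def serve_listens(headers, user_name, authenticate=authenticate_strict):
    """Simulated public /1/user/<user_name>/listens handler; returns (status, body)."""
    try:
        caller = authenticate(headers)
    except InvalidToken as exc:
        return 401, {"error": str(exc)}
    return 200, {"user": user_name, "authenticated_as": caller}
```

With the strict policy a bad token gets a 401 even though the same request without any header is served, which also keeps any future per-client rate limiting honest: a caller cannot claim an identity the server has not verified.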


          amCap1712 added a comment -

          We don't do authorised rate limits currently. This came up recently when we wanted to bump up troi-bot's ratelimit. We hardcoded it to use a config value to avoid an extra db lookup on each call.


            People: amCap1712 (kartik1712), Alastair Porter (alastairp)