[LB-791] If you request a public url with an invalid token, it succeeds

Type: Bug
Resolution: Fixed
Priority: Normal
Fix Version/s: None
Component/s: None
Labels:
None

If you request a url that doesn't require authentication (for example /1/user/(user_name)/listens), but you also provide an Authorization header with invalid data, you get the information that you requested.

I'm not sure if it makes sense to validate this data on public endpoints or not. Thoughts?

One potential reason to verify on all requests is if we have a separate rate limit rate for authorised clients...

amCap1712 added a comment - 2021-12-24 18:29

We don't do authorised rate limits currently. This came up recently when we wanted to bump up troi-bot's ratelimit. We hardcoded it to use a config value to avoid an extra db lookup on each call.

amCap1712 added a comment - 2021-12-24 18:29 We don't do authorised rate limits currently. This came up recently when we wanted to bump up troi-bot's ratelimit. We hardcoded it to use a config value to avoid an extra db lookup on each call.

Assignee:: amCap1712

Reporter:: Alastair Porter

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2021-01-12 17:27

Updated:: 2024-12-28 17:46

Resolved:: 2024-12-28 17:46

Version	Package

Details

Description

Attachments

Activity

Collapse comment: amCap1712 added a comment - 2021-12-24 18:29

Expand comment: amCap1712 added a comment - 2021-12-24 18:29

People

Dates

Packages