livechat/magento-livechat

Loading the /livechat/getcart/ every 30 seconds could DDoS site

Closed this issue · 16 comments

I manage a Magento 2 site that has the latest version of this extension installed (2.3.1). Last night the Magento server was overwhelmed with traffic, to the point that we had to dramatically increase the virtual machine CPU/memory.

When reviewing the server access logs, we noticed that 58K of the 182K URLs were /livechat/getcart/.

This extension loads the /livechat/getcart/ URL every 30 seconds: https://github.com/livechat/magento-livechat/blob/master/view/frontend/templates/snippetblock.phtml#L21..L23

If thousands of users of the website leave the browser open in a tab (which people are inclined to do), this could result in thousands of superfluous requests. I'd recommend implementing an exponential backoff to the JS that polls the /livechat/getcart/ API. Or even better, only hit that API when a user interacts with the Live Chat widget.

Can you work out a solution to this and provide it in a new version of the extension?
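The two mitigations suggested above, written up as an added example (not the extension's code): a pure scheduler that backs off exponentially while the cart is unchanged, and that makes no /livechat/getcart/ requests at all while the tab is hidden or until the visitor opens the chat widget. The names (createCartPoller, onResponse, simulateDelays) are hypothetical; the caller arms its own setTimeout with the returned delay.

```javascript
// Added example, not the extension's own code. Models the mitigations suggested
// in the issue as a pure scheduler so it can be tested offline:
//  - exponential backoff while the cart has not changed between polls,
//  - no requests while the tab is hidden or until the visitor opens chat.
// Names (createCartPoller, onResponse, ...) are hypothetical.

const BASE_MS = 30000;       // the fixed interval the extension polls at today
const MAX_MS = 15 * 60000;   // cap: an idle tab settles at one request per 15 min

// Delay before the next poll after `idleRounds` consecutive unchanged carts.
function backoffDelay(idleRounds, baseMs = BASE_MS, maxMs = MAX_MS) {
  return Math.min(baseMs * 2 ** idleRounds, maxMs);
}

function createCartPoller({ requireChat = true } = {}) {
  let idleRounds = 0;      // consecutive polls that returned an unchanged cart
  let lastSnapshot = null;
  let chatOpen = false;
  let visible = true;

  function shouldPoll() {
    return visible && (chatOpen || !requireChat);
  }

  return {
    // Visitor opened or used the chat widget: poll immediately (delay 0).
    onInteraction() { chatOpen = true; idleRounds = 0; return shouldPoll() ? 0 : null; },
    // Page Visibility change: hidden tabs get no timer (null), visible ones poll now.
    onVisibility(isVisible) { visible = isVisible; idleRounds = 0; return shouldPoll() ? 0 : null; },
    // Called with the /livechat/getcart/ response body; returns the delay (ms)
    // before the next request, or null when no timer should be armed.
    onResponse(cart) {
      const snapshot = JSON.stringify(cart);
      idleRounds = snapshot === lastSnapshot ? idleRounds + 1 : 0;
      lastSnapshot = snapshot;
      return shouldPoll() ? backoffDelay(idleRounds) : null;
    },
  };
}

// Drive the scheduler with a constructed sequence of cart responses and return
// the delays it asks for; useful to compare request counts per hour per visitor.
function simulateDelays(poller, carts) {
  return carts.map((cart) => poller.onResponse(cart));
}
```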

I just discussed this with the M2 merchant using this extension, and they said that if the website could only load the cart once a user has initiated chat, that would be ideal. They asked for this to be a toggle in the extension settings, so they could proactively watch carts if they wanted to, but then turn that off and only see cart details if a user initiated a chat.

Can you make this change?

@MichalPaszowski Is the LiveChat development team able to implement the requested changes above in the next few weeks?

Hey,
I will take a look, but can't offer ETA.

@MichalPaszowski Any update on this? We're still experiencing this issue and I'm concerned about an unintentional DDoS.

I will try to tackle it next week.

@MichalPaszowski Think you'll be able to get to this issue this week?

I began to work on this, but for some reason I can't catch all events related to the cart.

@MichalPaszowski Hopefully you're able to figure it out?

To underscore the importance of this: New Relic is showing that the livechat/getcart/index controller is taking 29.5% of the total transaction time on an M2 site using this extension (we have since turned all of these settings to "No" to prevent the controller from getting hit).

@MichalPaszowski Any update for me on this?

I think I have got all the cases except for one:

  • adding product via the widget on site
  • adding product via the product page
  • modifying amount of items in the cart

But if you remove the last item from the cart, its state is not updated on the LiveChat side. I will look into it next week.

The update is currently available on a different branch; you can install it with:
composer require livechat/module-magento-livechat:dev-feature/cart-handling

I would not do it before the weekend though, unless you feel adventurous (we have tested it for Magento 2.3; further tests for 2.1, 2.2 and 2.4 incoming) ;)

@MichalPaszowski Thanks for the update. Any progress on getting the remaining cases working?

Yes, tested on 2.2, 2.3 and 2.4; it works well.
Please disable the old version and install the new one with the command above.

@erikhansen have you successfully implemented it on your website? Care to share the feedback?

@MichalPaszowski - We have finally implemented this, and we will let you know the results in a couple of business days. Thanks for your help with this.

@MichalPaszowski - This appears to be working fine. I have also verified with the client that the cart info continues to come through properly. Thank you so much.

Thank you for your feedback.
If anything new comes up please let me know.