Add some simple defence against spammers
Opened this issue · 6 comments
Just have a "can't submit 2 runs within X seconds" restriction for now. The free quota on GAE could get exhausted if one user spams the site with a ton of runs.
We should heavily consider a GAE alt. There are so many issues based on these limitations alone.
True, but I'm not sure if switching will fix the issue. I imagine an alternative like Heroku also has similar free quota resource limits, though I haven't checked to see if they are better.
I think it's best we start looking into GAE alts. I'll pull up a list on AlternativeTo and see what there is.
Limiting users for certain requests is also important to defend against brute force attacks on the /asup protocol, for example.
Might I recommend, in addition to hard limits, adding an API key? It would allow you to identify the PBT account accessing the API. You can accept it as a URL param. See https://github.com/peppy/osu-api/wiki for an example.
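The per-user throttle proposed at the top of the thread, the brute-force concern about the /asup endpoint, and the API-key identification suggested above can be combined in one small server-side limiter. The following is an added illustration, not code from the project or from any commenter; the URL parameter name `k`, the `known_keys` mapping and the fallback to the remote address are assumptions for the example.

```python
import time
from collections import defaultdict, deque

class SubmissionLimiter:
    """Per-client limiter: a minimum gap between accepted submissions
    (the "no 2 runs within X seconds" rule) plus a sliding-window cap,
    which also slows brute-force attempts against an endpoint.
    Only accepted requests are recorded, so rejected spam is cheap."""

    def __init__(self, min_interval=30.0, max_per_window=20,
                 window=600.0, clock=time.monotonic):
        self.min_interval = min_interval
        self.max_per_window = max_per_window
        self.window = window
        self.clock = clock                  # injectable for tests
        self._seen = defaultdict(deque)     # client id -> accepted timestamps

    def check(self, client_id):
        """Return (allowed, reason); records the request only if allowed."""
        now = self.clock()
        hist = self._seen[client_id]
        while hist and now - hist[0] >= self.window:  # drop expired entries
            hist.popleft()
        if hist and now - hist[-1] < self.min_interval:
            return False, "too soon since last submission"
        if len(hist) >= self.max_per_window:
            return False, "too many requests in window"
        hist.append(now)
        return True, "ok"

def client_id(params, remote_addr, known_keys):
    """Identify the caller by API key passed as URL param 'k' (an assumed
    name) when it is known, else fall back to the remote address."""
    key = params.get("k")
    if key in known_keys:
        return "key:" + known_keys[key]     # account name behind the key
    return "ip:" + remote_addr

def demo_sequence():
    """Constructed walk-through on a fake clock; returns allow/deny flags."""
    now = [1000.0]
    lim = SubmissionLimiter(min_interval=30, max_per_window=3,
                            window=600, clock=lambda: now[0])
    who = client_id({"k": "abc123"}, "203.0.113.5", {"abc123": "player_one"})
    out = []
    for step in (0, 0, 31, 31, 31, 600):   # seconds advanced before each call
        now[0] += step
        out.append(lim.check(who)[0])
    out.append(lim.check("ip:203.0.113.9")[0])  # another client is unaffected
    return out
```

On GAE the `_seen` table would live in memcache or the datastore rather than in process memory, since requests are not guaranteed to hit the same instance.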