Pitch
Have Mastodon Web acquire a "guest token" when loading a page, so that it can issue all further API requests through this token.
Then allow admins (or developers) to set access limitations on this token, such as IP ranges, browser AP, or other markers, to then recognise a user by.
Motivation
After figuring out that someone is specifically scraping /accounts/:id/statuses with account IDs they previously got, I want to lock down our server, and/or make it more difficult for actors to "simply" use open API access like this to grab posts.
First I looked at closing API access completely unless the request had a browser cookie, but API requests don't contain a browser cookie (which could implicitly have contained a browser session).
This approach would at least slow down unbounded and unchecked scraping, and allow admins to build tools to track, check, and block suspicious traffic.
Rate limits for how frequently a new "guest token" can be issued for an IP, or IP ranges. (If the guest token is only valid for, say, 15 mins, then allow more than 1 token per 15 mins, as sometimes legitimate users may clear browser cookies and re-request a page, only to be blocked.)
Allow admins to disable the guest token altogether, if they do not want unauthenticated users to view posts.
Limitations on the frequency of requests even when you have a guest token.
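The following is an added example, not code from Mastodon or from the issue author, sketching the guest-token scheme proposed above as a self-contained Ruby class (Ruby because Mastodon is a Rails application). It is a hypothetical in-memory service: the class name, the constants (15-minute token lifetime, 3 issuances per network range per window, 300 requests per token) and the /24 and /64 bucketing are assumptions chosen to illustrate the three ideas in the thread, namely a per-IP issuance limit, an admin kill switch, and a per-token request limit. A real deployment would keep the counters in Redis and run the check as Rack middleware in front of the API.

```ruby
require 'securerandom'
require 'ipaddr'

# Hypothetical guest-token issuer and validator (example, not Mastodon code).
class GuestTokenService
  TOKEN_TTL     = 15 * 60   # seconds a guest token stays valid (assumed)
  ISSUE_LIMIT   = 3         # tokens one network range may mint per TOKEN_TTL (assumed)
  REQUEST_LIMIT = 300       # API requests one token may make before being cut off (assumed)

  Token = Struct.new(:value, :bucket, :issued_at, :requests)

  # enabled: false is the admin kill switch (no guest tokens, so no anonymous API access).
  # clock is injectable so the expiry logic can be exercised without sleeping.
  def initialize(enabled: true, clock: -> { Time.now.to_f })
    @enabled = enabled
    @clock   = clock
    @tokens  = {}                              # token value => Token
    @issued  = Hash.new { |h, k| h[k] = [] }   # network bucket => issuance timestamps
  end

  # Called when the web UI loads a page. Returns [token, :ok] or [nil, reason].
  def issue(client_ip)
    return [nil, :guest_access_disabled] unless @enabled

    bucket = bucket_for(client_ip)
    now    = @clock.call
    stamps = @issued[bucket]
    stamps.reject! { |t| now - t >= TOKEN_TTL }      # sliding window of recent issuances
    return [nil, :issue_rate_limited] if stamps.size >= ISSUE_LIMIT

    stamps << now
    value = SecureRandom.urlsafe_base64(32)          # 256 bits of entropy, unguessable
    @tokens[value] = Token.new(value, bucket, now, 0)
    [value, :ok]
  end

  # Called on every API request carrying a guest token. Returns :ok or a reason symbol.
  def authorize(token_value, client_ip)
    return :guest_access_disabled unless @enabled

    token = @tokens[token_value]
    return :unknown_token unless token

    now = @clock.call
    if now - token.issued_at >= TOKEN_TTL
      @tokens.delete(token_value)
      return :expired
    end

    # Token is bound to the network range it was issued to, so a token harvested
    # from one client cannot be replayed from a scraper elsewhere.
    return :ip_mismatch unless token.bucket == bucket_for(client_ip)
    return :request_rate_limited if token.requests >= REQUEST_LIMIT

    token.requests += 1
    :ok
  end

  private

  # Bind to a range rather than the exact address so clients behind carrier-grade
  # NAT or with rotating IPv6 privacy addresses are not locked out mid-session.
  def bucket_for(ip)
    addr   = IPAddr.new(ip)
    prefix = addr.ipv4? ? 24 : 64
    "#{addr.mask(prefix)}/#{prefix}"
  end
end
```

The caveat to keep in mind is the one the pitch itself implies: a scraper can load a page to obtain a token just as a browser does, so this only bounds how much it can pull per token and per range, and gives the server a handle to count and block on. It does not distinguish a human from a script.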