💾 Archived View for bbs.geminispace.org › s › Bubble › 11266 captured on 2023-12-28 at 16:01:27. Gemini links have been rewritten to link to archived content

-=-=-=-=-=-=-

Bubble v6.14

BBS has been updated to Bubble v6.14 with a number of bug fixes and minor improvements:

Fixed publishing a draft comment in an issue tracker.
Fixed error message when trying to create a subspace but the name is already in use.
Fixed post summary if the content starts with a hash (accidental Gemtext heading).
A subspace moderator can delete their subspace if it's empty.
Poll author sees the results even if they haven't voted.
Strip file/image attachment URL or link from the caption label if it is accidentally included by the user.
Polls in subspaces and posts that have been omitted from All Posts do not trigger site-wide notifications.
The comment prompt mentions that it is possible to end with a backslash to make a draft.
Post-registration welcome page links directly to Settings for convenience.
New users default to Oldest First comment order.
Improved clarity of comment pages.

Security improvements:

Rate limit for user registrations (site-wide).
Rate limit for making posts (per IP).
Added a random token in user registration and profile editing URLs to hinder scripted attacks.
Added a random token in posting URLs for limited accounts.

Posted in: s/Bubble

🚀 skyjake

Oct 29 · 2 months ago · 👍 innerteapot, clseibold, Nono

5 Comments ↓

🚀 clseibold · Oct 29 at 06:11:

The random token thing is actually a pretty good idea that I might have to steal for AuraGem :D

As always, great update!

🚀 clseibold · Oct 29 at 19:42:

@skyjake For rate limiting, how do you keep track of the last time an IP connected to the server/route? And how do you keep the data from growing too big? Do you have a separate thread that every so often goes through the list and deletes the data of IPs that haven't connected after a certain period of time? Just wondering, because I'm going to be trying to implement Rate Limiting, and I'm not sure what the best way is to implement it. I'm mostly concerned with cleanup so I don't have a constantly growing map/list.

🚀 skyjake · Oct 30 at 10:26:

I only keep track of registration attempts and when unapproved ("limited") users create a post, so there isn't a lot of logged actions happening. There's a database table where SHA-256 hashes of the IP addresses are stored together with a timestamp. (I don't want to keep a record of actual IP addresses.) My rate calculations are based on activity during the last hour. When checking the current rate (i.e., number of entries in the log), it also deletes entries older than one hour so the table doesn't keep growing. That's pretty much it, quite basic.

🚀 clseibold · Oct 30 at 14:56:

@skyjake Ah, you're using a database. I see. I was thinking of doing a hashmap in memory, or maybe some trie structure, or something along those lines.

🚀 skyjake · Oct 30 at 15:50:

I did consider an in-memory log as well, but I prefer having a way to inspect the log manually (for potential IP blocking) and have it persist over restarts. Also importantly, the rate limiting is done by the CGI application, so it is being handled by multiple separate Python processes, which complicates shared memory access quite a bit.