Add Invidious check ID for storyboards (used for video storyboards in the video timeline) #5600
Fijxu wants to merge 2 commits into iv-org:master from
… the video timeline)

The storyboards API endpoint is unprotected and it allows anyone, including bots and abusers, to spam that endpoint without having to enter the `/watch` endpoint (most of the time, it is protected by some sort of bot protection by current instance owners to prevent abuse).

I wonder if there is a better way to do this, but this works fine.
I don't fully like the fact that we are reusing a token for companion in Invidious itself for encrypting/decrypting an endpoint that is not in companion. This is odd. `verify_requests` was introduced as a way to reduce the possibility of getting blocked by YouTube on the endpoints that request `/player` on the YouTube side. Here it's the storyboard endpoint, I don't think doing too many storyboard requests will increase the chance of getting blocked by YouTube. And if we were to do this on the storyboard, we might as well do it on the other endpoints like comments. IMO this problem can be instead solved by introducing some rate limits on the reverse proxy side on the storyboard endpoint.
Also in #5588, I'm going to make companion optional. What would happen if one wants to use `verify_requests` for storyboard but without using companion? I feel like in such case we should instead introduce a new verify token.
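
The comment above suggests a verify token that does not depend on the companion key. The sketch below is an added illustration, not code from this PR or from Invidious: it swaps the PR's encryption for an HMAC over the video ID and an expiry time, and the key name, lifetime and function names are all assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Hypothetical dedicated secret (constructed value), deliberately not the companion key.
STORYBOARD_CHECK_KEY = b"constructed-demo-key-do-not-reuse"
TOKEN_TTL = 6 * 3600  # assumed token lifetime in seconds


def _mac(key: bytes, video_id: str, expires: int) -> bytes:
    # The fixed prefix domain-separates this MAC, so a token minted for
    # storyboards cannot validate on any other endpoint sharing the key.
    msg = b"storyboard-check\x00" + video_id.encode() + b"\x00" + struct.pack(">Q", expires)
    return hmac.new(key, msg, hashlib.sha256).digest()


def issue_check_id(video_id: str, now: Optional[int] = None,
                   key: bytes = STORYBOARD_CHECK_KEY) -> str:
    """Mint a token while rendering the watch page; it travels in the storyboard URL."""
    now = int(time.time()) if now is None else now
    expires = now + TOKEN_TTL
    raw = struct.pack(">Q", expires) + _mac(key, video_id, expires)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_check_id(token: str, video_id: str, now: Optional[int] = None,
                    key: bytes = STORYBOARD_CHECK_KEY) -> bool:
    """Accept only an unexpired token that was minted for this exact video ID."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:  # also covers binascii.Error
        return False
    if len(raw) != 8 + hashlib.sha256().digest_size:
        return False
    expires = struct.unpack(">Q", raw[:8])[0]
    if expires < now:
        return False
    # Constant-time comparison avoids leaking how many MAC bytes matched.
    return hmac.compare_digest(raw[8:], _mac(key, video_id, expires))
```

A token like this only proves the client loaded the watch page recently; it does not cap request volume, so the reverse-proxy rate limit proposed in the thread remains a separate control.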