Following last night's request storm from @echoix we need to look at how best to throttle/limit the refreshes.
We cannot afford a potentially well-intentioned user clicking request refresh on every node again. Last night's 240 refresh storm almost caused an outage. Any mass update has to be done in a much more controlled manner.
This morning I added CSRF protection to the refresh endpoint to make it harder for someone to script a mass update.
One option to consider is to limit the ability to refresh a node to users who have some association with the module. We do let users link their GitHub and npm accounts already, but that does add more steps for a node author to get their node refreshed.
Another option is to add a background task that slowly checks each node for any update - doing it at a slow pace to ensure we don't abuse the npm API and end up getting blocked. Although this wouldn't stop someone from clicking the refresh request on lots of pages, it would avoid things getting out of date.
(@echoix just to be clear, please stop clicking refresh)
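
One way to combine the throttling ideas raised in this issue, added here as an example and not taken from the issue or the project's code: a per-user limit in front of a de-duplicated queue that a slow timer drains one module at a time. All names (`RefreshThrottle`, `perUserLimit`, the sample module names) and the limit values are assumptions.

```javascript
// Added example: hypothetical class and limits, not the flow library's code.
class RefreshThrottle {
  constructor({ perUserLimit = 5, windowMs = 60000, maxQueue = 100, now = Date.now } = {}) {
    this.perUserLimit = perUserLimit; // accepted requests per user per window
    this.windowMs = windowMs;
    this.maxQueue = maxQueue;         // hard cap on pending upstream lookups
    this.now = now;                   // injectable clock, so the logic is testable
    this.recent = new Map();          // user -> timestamps of accepted requests
    this.queue = [];                  // FIFO of module names awaiting refresh
    this.queued = new Set();          // de-duplicates pending modules
  }

  // Called by the refresh endpoint. Never contacts npm itself.
  request(user, moduleName) {
    if (this.queued.has(moduleName)) return 'already-queued';
    const t = this.now();
    const stamps = (this.recent.get(user) || []).filter((s) => t - s < this.windowMs);
    this.recent.set(user, stamps);
    if (stamps.length >= this.perUserLimit) return 'rate-limited';
    if (this.queue.length >= this.maxQueue) return 'queue-full';
    stamps.push(t);
    this.queue.push(moduleName);
    this.queued.add(moduleName);
    return 'queued';
  }

  // Called by a slow timer: hands out at most one module per tick,
  // so the upstream request rate is fixed regardless of click volume.
  next() {
    const moduleName = this.queue.shift();
    if (moduleName === undefined) return null;
    this.queued.delete(moduleName);
    return moduleName;
  }
}

// Constructed scenario: one user clicks refresh on `count` distinct
// modules, one click every 100 ms. Returns a tally of outcomes.
function simulateStorm(count) {
  let clock = 0;
  const throttle = new RefreshThrottle({ now: () => clock });
  const tally = {};
  for (let i = 0; i < count; i++) {
    clock += 100;
    const result = throttle.request('user-1', `node-red-contrib-sample-${i}`);
    tally[result] = (tally[result] || 0) + 1;
  }
  return tally;
}
```

A timer such as `setInterval` would call `next()` and perform the actual lookup for the returned module, which keeps the pace independent of how many requests arrive.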