It is not really a code help but.
Is it possible to set the Replit DB URL so that the database is shared among all users, but only I (basically the owner) can edit it? And when a user forks the repl and tries to retrieve data or extract data to another db (e.g. JSON), return an error instead.
How do I do this? I do not know where to start tbh
So, you can use a database proxy. Create one by forking this Repl. Then, do this in your code:
```python
from replit import db
db.db_url = "https://your-proxy-url.idkwhttph.repl.co"
...
```
Now, everybody who uses the database will have the same database.
But will other people be able to change the data through forking?
Not even through forking. Just copying the URL. Maybe in the proxy check if it is really you and then return the actual URL.
can you give me an example of how 2 do this?
```python
from os import environ
x = environ['REPL_OWNER']
if x == 'idkwhttph':
    pass
```
?
well that’ll always return True
Can you give me an example of how to yk. Do the proxy check if it is rlly me.
I tried this:
```python
import os
import flask
import requests

app = flask.Flask(__name__)
sess = requests.Session()


@app.route("/", defaults={"path": ""}, methods=["GET", "POST", "DELETE"])
@app.route("/<path:path>", methods=["GET", "POST", "DELETE"])
def proxy(path):
    owner = os.environ.get('REPL_OWNER')  # Get the owner from environment variable
    if owner and owner != 'Idkwhttph':
        return "Unauthorized", 401  # Return unauthorized status if requester is not the owner
    url = os.environ["REPLIT_DB_URL"]
    if flask.request.path != "/":
        url += flask.request.path
    req = requests.Request(flask.request.method, url, data=flask.request.form, params=flask.request.args).prepare()
    resp = sess.send(req)
    proxy_resp = flask.make_response(resp.text)
    proxy_resp.status_code = resp.status_code
    for k, v in resp.headers.items():
        proxy_resp.headers[k] = v
    return proxy_resp


# uncomment this to run:
app.run("0.0.0.0")
```
No it won’t. REPL_OWNER is the name of the user using it.
Not on website based repls. In that case, it becomes the Creator’s name IIRC.
You should NEVER use REPL_OWNER as an access control or DRM solution. Instead use (going to find in the docs, wait 1 sec)
Edit: the real repl identity is a signed token, send that to your database proxy and verify it there.
Repl Identity (Unless it’s been fixed) is insecure, and is still possible to bypass.
why? Just use replit db as usual on a website, and create a Flask route which updates the db in a controlled, rate-limited manner as needed (you could rate limit by IP, which you get by X-Forwarded-For, or require users to authorise via replit auth, and rate limit by request.headers["X-Replit-User-Name"])
If you want to have some sort of admin thing and you need authorisation, Replit Auth
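The approach suggested in the last reply (owner-only writes plus per-client rate limiting), sketched as an added example; it is not code from the thread or from Replit. Assumptions: `OWNER` is a placeholder username, the limits are constructed values, and the hosting platform sets `X-Replit-User-Name` and `X-Forwarded-For` as that reply describes.

```python
import time
from collections import defaultdict, deque

OWNER = "owner-username"   # placeholder: the account allowed to write
WINDOW_SECONDS = 60        # constructed value
MAX_REQUESTS = 5           # constructed value: requests per client per window

HITS = defaultdict(deque)  # client key -> timestamps of recent requests


def client_key(headers):
    """Identify the caller: Replit Auth username if present, else client IP."""
    user = headers.get("X-Replit-User-Name", "")
    if user:
        return "user:" + user
    # X-Forwarded-For can carry a comma-separated chain. Which entry is
    # trustworthy depends on the proxy in front; taking the first entry
    # is an assumption of this example.
    forwarded = headers.get("X-Forwarded-For", "")
    return "ip:" + forwarded.split(",")[0].strip()


def allow(key, now=None):
    """Sliding-window limiter: at most MAX_REQUESTS per WINDOW_SECONDS."""
    now = time.monotonic() if now is None else now
    recent = HITS[key]
    while recent and now - recent[0] >= WINDOW_SECONDS:
        recent.popleft()
    if len(recent) >= MAX_REQUESTS:
        return False
    recent.append(now)
    return True


def decide(method, headers, now=None):
    """HTTP status a route should answer with before it touches the db."""
    if not allow(client_key(headers), now):
        return 429
    # Reads are open to everyone; writes need the owner's authenticated
    # name, checked per request rather than read from REPL_OWNER.
    if method in ("POST", "DELETE"):
        if headers.get("X-Replit-User-Name", "") != OWNER:
            return 403
    return 200
```

In a Flask route this would be called as `decide(flask.request.method, flask.request.headers)`, returning early on any status other than 200 so the database URL never leaves the server.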