-
Notifications
You must be signed in to change notification settings - Fork 223
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add getRequestFingerprint
util
#548
Conversation
getFingerprint
utilgetRequestFingerprint
util
Codecov Report
@@ Coverage Diff @@
## main #548 +/- ##
==========================================
+ Coverage 83.83% 84.23% +0.40%
==========================================
Files 31 31
Lines 3563 3629 +66
Branches 543 550 +7
==========================================
+ Hits 2987 3057 +70
+ Misses 576 572 -4
|
Thanks for working on this. It seems a useful utility for security / rate-limiting purposes. (/cc @danielroe mentioned you if have any concerns to avoid introducing this utility as-is) Considering this usage, i have market it as experimental for now and only enabled IP hashing by default (without trust on X-Forwarded-For). Features (xfowarded/path/method/userAgent) can be enabled opt-in by default. PR welcome for more improvements. |
This seems good to me. I don't get why have the path and method opt in. Unlike userAgent, they cannot be spoofed? Side note, perhaps this or another utility can account for the whole request as is, including the query string, body and headers. Such a thing would be useful if someone had to de-duplicate requests (if that is even a thing) or perhaps some anonymised server side analytics. |
src/utils/request.ts
Outdated
const fingerprintString = | ||
fingerprint.filter(Boolean).join("|") || | ||
Math.random().toString(36).slice(2); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
const fingerprintString = | |
fingerprint.filter(Boolean).join("|") || | |
Math.random().toString(36).slice(2); | |
if (!fingerprint.length) { | |
throw new RangeError('At least one fingerprinting factor must be enabled.') | |
} | |
const fingerprintString = fingerprint.filter(Boolean).join("|"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would rather have an error thrown here, warning the developer. Otherwise, they might end up with different fingerprint for the same request.
(Range error is somewhat applicable, but it can be an error too)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We might instead disable random behavior and return null allowing usage to handle it for custom error wdty? (usually h3 utils are errorless)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's better too than a random string. In this case, the return value should be dependent on the options' argument type. Just so the user doesn't have to assert that the fingerprint is in fact a string.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
shall I make this change?
For an analytics usecase, uniqueness of visitors is important yes, but i guess it might need to keep path unhashed otherwise it would be useless. Mainly enabling these is dangerous for main purpose i could assume (security) because for example someone can change identity by iterating user agent or appending a query param to the end of url. Once we had better vision (util is still in experimental state) we might improve defaults or have an option that enables all/group of defaults |
613d281
to
b7aca96
Compare
Opened a new PR from a branch that isn't named main as pull bot keeps nullifying the work. |
closes #536