[geeklog-devel] Webservices: Logins and speedlimit

Dirk Haun dirk at haun-online.de
Wed Jan 2 12:22:27 EST 2008


I'm struggling a bit with the logins and the speedlimit for the
webservices here. Let me explain ...

Every Atompub client that I've seen so far tries to do things first
without logging in. So even when you give them the proper login
credentials - they don't use them until the server says "Authentication
required".

I'm not sure where this behavior is coming from (I don't see it in the
RFC), but I guess if they're all doing it, we will have to live with it.

So an Atompub client does a request for, say, all the stories on the
site. Let's assume I'm a (Story) Admin, using an Atompub client. I want
to be able to see stories that haven't been published yet (aka drafts)
or those that are only visible to certain users. But since the client
will do the request without logging in first, it will only get a list of
the public stories.

That's not what I want and so I think we should simply require a login
for any action via the webservices / Atompub.

So far, so good. Now, of course, the client will send every request
twice: Request list of stories, "Authentication required", send request
again with login credentials. And of course those will both count
against the login speedlimit. And the next request (whatever that may be
- let's say to change the story) will do the same thing and again count twice.

A human may already run into the speedlimit easily, but automated
clients (like appfs or the APE) will certainly run into it. So it looks
like our standard approach for speedlimits doesn't work here.

I've come up with the following, somewhat inelegant (IMHO), solution:

- An Atompub request without any login credentials will count as one
failed login attempt.
- An Atompub request with the wrong login credentials will count as
two(!) failed login attempts.
- If the login succeeds and we have only one failed attempt on record,
the speedlimit is reset.

This was done because:

- Resetting the speedlimit after every successful login could be used
for dictionary attacks (try one, login to reset, try another, ...).
- Some Atompub clients (e.g. the APE), when used without any login
credentials, will try over and over and over again. So those need to run
into the speedlimit eventually.

I don't like it too much, but it works. Anyone have a better idea?

bye, Dirk


-- 
http://www.haun-online.de/
http://geeklog.info/
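The counting rule proposed above (anonymous request = one failed attempt, wrong credentials = two, reset only when exactly one attempt is on record), as an added simulation that is not Geeklog's code and not part of the original message. The limit of 5, the credential store, the client addresses and the assumption that a client over the limit is refused before its credentials are examined are all constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed credential store for the simulation (not Geeklog's user table).
VALID_CREDENTIALS = {"storyadmin": "correct-horse-battery"}

# Assumed threshold: failed attempts after which a client is blocked.
# The real Geeklog value is configurable; 5 is chosen for the example.
DEFAULT_LIMIT = 5


@dataclass
class LoginSpeedLimiter:
    """Per-client failed-login counter implementing the rule from the post."""
    limit: int = DEFAULT_LIMIT
    failures: Dict[str, int] = field(default_factory=dict)

    def count(self, client: str) -> int:
        return self.failures.get(client, 0)

    def is_blocked(self, client: str) -> bool:
        return self.count(client) >= self.limit

    def record_failures(self, client: str, weight: int) -> None:
        self.failures[client] = self.count(client) + weight

    def reset(self, client: str) -> None:
        self.failures.pop(client, None)


def handle_request(limiter: LoginSpeedLimiter, client: str,
                   credentials: Optional[Tuple[str, str]]) -> int:
    """Process one Atompub request and return an HTTP-style status code.

    Rules from the post:
      - no credentials      -> 401, counts as ONE failed attempt
      - wrong credentials   -> 401, counts as TWO failed attempts
      - correct credentials -> 200; the counter is cleared only if exactly
                               one failed attempt is on record
    Assumption: a client over the limit gets 403 before credentials are
    examined at all.
    """
    if limiter.is_blocked(client):
        return 403
    if credentials is None:
        limiter.record_failures(client, 1)
        return 401
    username, password = credentials
    if VALID_CREDENTIALS.get(username) != password:
        limiter.record_failures(client, 2)
        return 401
    if limiter.count(client) == 1:
        limiter.reset(client)
    return 200


GOOD = ("storyadmin", "correct-horse-battery")


def well_behaved_client(cycles: int = 10) -> Tuple[List[int], int]:
    """The pattern every Atompub client shows: anonymous request, 401,
    retry with credentials. Returns (statuses, failures left on record)."""
    limiter = LoginSpeedLimiter()
    statuses: List[int] = []
    for _ in range(cycles):
        statuses.append(handle_request(limiter, "10.0.0.1", None))
        statuses.append(handle_request(limiter, "10.0.0.1", GOOD))
    return statuses, limiter.count("10.0.0.1")


def anonymous_only_client(requests: int = 7) -> List[int]:
    """A client that never sends credentials (the repeated-retry behaviour
    the post describes) must eventually be blocked."""
    limiter = LoginSpeedLimiter()
    return [handle_request(limiter, "10.0.0.2", None) for _ in range(requests)]


def reset_abuse_attempt() -> List[int]:
    """Alternating a wrong guess with a known-good login does not clear the
    counter: a wrong guess leaves two failures on record, never one."""
    limiter = LoginSpeedLimiter()
    sequence = [("storyadmin", "guess1"), GOOD,
                ("storyadmin", "guess2"), GOOD,
                ("storyadmin", "guess3"), GOOD]
    return [handle_request(limiter, "10.0.0.3", creds) for creds in sequence]


if __name__ == "__main__":
    print("well-behaved:", well_behaved_client())
    print("anonymous only:", anonymous_only_client())
    print("reset abuse:", reset_abuse_attempt())
```

The three scenarios show why the odd weighting works: the normal request/401/retry cycle leaves the counter at zero indefinitely, a client that never authenticates is blocked after the fifth attempt, and a wrong guess followed by a valid login keeps its two recorded failures, so the "try one, login to reset, try another" pattern the post worries about still hits the limit.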
