discord / discord-api-docs

Official Discord API Documentation
https://discord.com/developers/docs/intro

Critical API Bug, /vanity-url endpoint rate limit rules are broken and bad #6278

Closed Unconscionable closed 1 year ago

Unconscionable commented 1 year ago

Description

Current vanity-url rate limit rule := "You are being ratelimited" (Authorization/user based)

I want (please update) it set to a guild-based rate limit := "The resource is being ratelimited", server ID based, not bypassable.

When more than 50 (50+1) requests are sent with the same Authorization header (same token), the user is given a rate limit; that is, the Authorization token, and so the user, receives a rate limit. vanity-url endpoint rate limit = Self-Authorization (User). Please switch to a rate limit based on guild ID. Arrogant bastards curse the Discord API here. Malicious people are creating multiple accounts and spamming using different tokens, sending too many requests to the API. As before, when 50 requests are made, a rate limit of 86400 seconds should be set on the server ID (api/guilds/id/vanity-url). That is, limiting by server ID instead of blocking the user ID or token would be more logical, and giving the server the rate limit instead of limiting the user would be a better solution; that way, malicious people cannot send unnecessary requests to the API with more than one account.

Steps to Reproduce

curl -X PATCH https://discord.com/api/guilds/01234567890/vanity-url -H "Authorization: RateLimited" -H "Content-Type: application/json" -d '{"code":"code"}'

Please update the rate limit rules: not authorization based (easy to bypass), but guild/server ID based (01234567890).

Expected Behavior

Current vanity-url endpoint rate limit = Self-Authorization (User). Please switch to a rate limit based on guild ID.

Current Behavior

vanity-url endpoint rate limit = Self-Authorization (User) based

Screenshots/Videos

No response

Client and System Information

Discord API discord.com discordapp.com /api/ vanity-url endpoint

broman commented 1 year ago

Respectfully what are you talking about?

Unconscionable commented 1 year ago

Current vanity-url rate limit rule := "You are being ratelimited" (Authorization/user based)

I want (please update) it set to a guild-based rate limit := "The resource is being ratelimited", server ID based, not bypassable.

DV8FromTheWorld commented 1 year ago

I just tested using your example case and a real token. After 50 attempts receiving a 403 + "Missing Permission", the 51st attempt received a ratelimit.

However, when using a different account that did have permissions to modify the vanity-url, I was able to modify the url. The bad actor account was unable to restrict a good-actor account from using the endpoint.

The endpoint already takes into account both user and guild for ratelimiting, so I think everything here is working as intended. Feel free to reopen if there are additional details that I'm not understanding.

Unconscionable commented 1 year ago

The problem is that you didn't understand what I asked. Yes, the rate limit works, but it is "You are being ratelimited", so, as you said, there is a user-based rate limit: a transaction can be made to the same server with another account without being affected by the rate limit (vanity-url). What I want is "The resource is being ratelimited", that is, to apply the rate limit directly to the server, not to the user, because in that case malicious people (vanity snipers, vanity f*ckers) using the same server with other accounts (multiple tokens) can't send too many requests. Currently, the limit is user-based, and malicious people are sending millions of vanity-url PATCH requests to the same server using a token generator and multiple accounts, tiring the API. If the rate limit is thrown at the server ID, not at the user, malicious people cannot spam the vanity-url using another account and cannot tire the API.

A few months ago, the rate limit was what I wanted, but it's broken and now it's thrown at the user. Malicious private invitation link thieves are taking advantage of this: using multiple token accounts, they are tiring the API with the same single server.

But if the server gets a limit directly, malicious people can't do bad things by using the same server with other accounts. This may be more positive in terms of logic and Discord security. Please forward this to the API developer team.

The current rate limit is working, but it is "You are being ratelimited" (user based).

Vanity snipers / vanity f*ckers are using multiple tokens (other tokens) with the same guild/server and destroying the API.

I want "The resource is being ratelimited" (guild/server ID based); that is good and not bypassable.

Unconscionable commented 1 year ago

Reopen please.

DV8FromTheWorld commented 1 year ago

There are multiple ratelimits on this endpoint. One of them is user specific. The other is a shared ratelimit that takes into account the server being used. The changes you're requesting already exist.
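As an added illustration (not Discord's code and not posted in this issue), here is a minimal layered limiter of the kind the comment above describes: a per-caller bucket plus a shared per-guild bucket, so that rotating tokens against one guild is capped by the shared bucket. The limits, the 86400-second window, the bucket names and the simulated token-rotation scenario are constructed assumptions taken loosely from the numbers in this thread, not Discord's documented values.

```python
import time
# Constructed limits loosely modelled on the numbers in this issue (50
# requests, 86400-second cooldown); Discord's real values are not on this page.
USER_LIMIT = 50
GUILD_LIMIT = 50
WINDOW_SECONDS = 86400


class LayeredRateLimiter:
    """Fixed-window limiter with two buckets per request: one keyed on the
    caller (user/token) and one shared by everyone acting on a resource
    (guild). Token rotation bypasses the first; the second caps the total."""

    def __init__(self, user_limit=USER_LIMIT, guild_limit=GUILD_LIMIT,
                 window=WINDOW_SECONDS, clock=time.monotonic):
        self.user_limit = user_limit
        self.guild_limit = guild_limit  # None disables the shared bucket
        self.window = window
        self.clock = clock  # injectable so tests can advance time
        self.buckets = {}  # key -> (window_start, count)

    def _hit(self, key, limit):
        """Count one request against a bucket; True if still within limit."""
        now = self.clock()
        start, count = self.buckets.get(key, (now, 0))
        if now - start >= self.window:  # window expired: start a fresh one
            start, count = now, 0
        count += 1
        self.buckets[key] = (start, count)
        return count <= limit

    def check(self, user_id, guild_id):
        """Return (allowed, reason). The per-caller check runs first, so a
        request rejected there never consumes the shared guild quota."""
        if not self._hit(("user", user_id), self.user_limit):
            return False, "You are being rate limited"
        if self.guild_limit is not None and \
                not self._hit(("guild", guild_id), self.guild_limit):
            return False, "The resource is being rate limited"
        return True, "ok"


def simulate_multi_account_spam(limiter, guild_id, tokens, attempts_per_token):
    """Constructed scenario from the issue: one actor rotates several tokens
    against one guild. Returns how many requests were let through."""
    allowed = 0
    for token in tokens:
        for _ in range(attempts_per_token):
            allowed += limiter.check(token, guild_id)[0]
    return allowed
```

With only the per-caller bucket, five rotated tokens get 5 x 50 requests through; with the shared guild bucket enabled, the same run is capped at 50 regardless of how many tokens are used.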