geeksforsocialchange / PlaceCal

Bring your community together
https://placecal.org
GNU Affero General Public License v3.0

[Bug]: API requests can take down whole site #2607

Open kimadactyl opened 2 months ago

kimadactyl commented 2 months ago

Description

I was messing around with the TransDim repo and noticed that the PlaceCal.org main site was down due to our AppSignal monitoring. On further investigation, the requests being sent by TransDim locally effectively denial-of-service'd the whole PlaceCal site. I'm not 100% on the cause here but it looks like a very likely suspect.

It should not be this easy to take down the whole PlaceCal site and this needs mitigating somehow.

Steps to reproduce

  1. Load up TransDim repo
  2. Set PLACECAL_API=https://placecal.org/api/v1/graphql in .env
  3. Muck about a bit
  4. Note downtime from PlaceCal.org

What you expected to happen

What would you like to happen instead?

Platform (if relevant)

What device and browser were you using?

Possible fixes

kimadactyl commented 2 months ago

@katjam - unsure best way to address this? API authentication and/or some kind of rate limiting?
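To make the "rate limiting" option concrete, here is an added example of a fixed-window, per-client limiter in front of the GraphQL endpoint. It is illustration code written for this thread, not code from the PlaceCal repository, and it assumes the `/api/v1/graphql` path mentioned in the issue; the limit, the window length, the client IPs and the `simulate_burst` helper are all constructed for the demonstration. The clock is injected so the reset behaviour can be checked deterministically.

```ruby
# Added example, not PlaceCal's own code: a fixed-window, per-client rate
# limiter in front of a GraphQL endpoint, modelling the rate-limiting
# mitigation discussed in the issue. The limit and period are assumed
# values, not PlaceCal configuration.
class ApiRateLimiter
  LIMITED_PATH = "/api/v1/graphql".freeze # path from the issue; other paths pass through

  # limit:  requests allowed per client per window
  # period: window length in seconds
  # clock:  injectable time source so behaviour can be tested deterministically
  def initialize(limit: 60, period: 60, clock: -> { Time.now.to_f })
    @limit = limit
    @period = period
    @clock = clock
    @windows = {} # client_ip => [window_index, request_count]
  end

  # Decide whether a request may proceed. Returns a Hash:
  #   :allowed     true/false
  #   :remaining   requests left in the current window (nil for unlimited paths)
  #   :retry_after seconds until the window resets (0 when allowed)
  def check(client_ip:, path:)
    return { allowed: true, remaining: nil, retry_after: 0 } unless path.start_with?(LIMITED_PATH)

    now = @clock.call
    window = (now / @period).floor
    seen_window, count = @windows[client_ip]
    count = 0 if seen_window != window # first request in a new window: reset

    if count >= @limit
      retry_after = ((window + 1) * @period - now).ceil
      @windows[client_ip] = [window, count]
      return { allowed: false, remaining: 0, retry_after: retry_after }
    end

    @windows[client_ip] = [window, count + 1]
    { allowed: true, remaining: @limit - (count + 1), retry_after: 0 }
  end

  # HTTP 429 as a Rack triplet, with Retry-After so a well-behaved client
  # (for example an importer such as TransDim) knows when to back off.
  def reject_response(retry_after)
    [429,
     { "Content-Type" => "application/json", "Retry-After" => retry_after.to_s },
     [%({"errors":[{"message":"rate limit exceeded, retry after #{retry_after}s"}]})]]
  end
end

# Constructed demo traffic (assumed addresses from documentation ranges):
# one client hammers the API endpoint while another browsing ordinary
# pages is unaffected, then the clock advances past the window.
def simulate_burst(limit: 5, period: 60, requests: 8)
  t = 1_000_000.0
  limiter = ApiRateLimiter.new(limit: limit, period: period, clock: -> { t })
  api_results = requests.times.map do
    limiter.check(client_ip: "203.0.113.10", path: "/api/v1/graphql")
  end
  site_result = limiter.check(client_ip: "198.51.100.7", path: "/")
  t += period # next window: the counter resets
  after_reset = limiter.check(client_ip: "203.0.113.10", path: "/api/v1/graphql")
  {
    allowed: api_results.count { |r| r[:allowed] },
    rejected: api_results.count { |r| !r[:allowed] },
    retry_after: api_results.last[:retry_after],
    site_unaffected: site_result[:allowed],
    allowed_after_reset: after_reset[:allowed]
  }
end

puts simulate_burst.inspect if __FILE__ == $PROGRAM_NAME
```

Run with `ruby limiter.rb`: of 8 API calls in one window, 5 are allowed and 3 rejected with `Retry-After: 20`, while the non-API request and the first call after the window rolls over both succeed. A fixed window lets a client send up to twice the limit across a window boundary; a sliding window or token bucket is tighter, and in a Rails app the `rack-attack` gem provides this kind of throttle as middleware. Rate limiting protects the site from volume, but it does not bound the cost of a single GraphQL query, so a per-query depth or complexity limit is the complementary control.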