18 Replies
@cfkeef
so how are you fetching this data
if balance x is owned by user y, me looking up balance z as user a shouldn't really be a thing happening
? on prisma
share your query
il use this one as it also applies, since its shorter
This really shouldnt' be happening if your query looks something like
Another user querying for paul shouldn't get this unless you are querying very broadly
in this case token narrows it for you
Does balance have the token on it and you are using it to query?
the problem is if you send 2 requests at this api endpoint you can use a token twice instead of once
but those requests have to happen at the same time
is the token some kind of session token? or csrf? or what
Are you changing it after each request?
its more like a giftcard,
i do
before that query
Is it possible for users to fetch more than one balance at a time?
yes, this exploit applies to almost all of my api endpoints
Yeah this is probably too simple for your use case if you are trying to limit requests to some balance or some limit
What i've done in the past is use redis and you can just claim tokens from there. Its single threaded so atomicity is a given for you.
Before each request claim a token by pulling it out of redis then send it away
on, the createID they both run and check the if at the same time so they pass
You can look at distributed locks if you want which try to solve this over a distributed system which serverless is
there probably is a setting in prisma for this
or next
nope
you can probably do locking in the database you use but i haven't touched that before
Lock the token at the start of the request flow and when you query skip locked rows
you just have to be careful about releasing the lock if the thing fails/succeeds
idk if thats given
yea its given