I have an API that helps with clipping things in a stream. The issue is that there is no way I can verify that the request is actually from Nightbot and not just someone adding headers.
Which is kind of a security issue. One can easily flood my database by spamming the API.
Is there a way to verify that it's an actual Nightbot urlfetch request?
The closest I can think of is by Nightbot-Response-Url, but I am still unsure how I can?
Then if the code is not correct, do not execute.
Only people who can actually see the raw command would be able to get the code.
You could also have a separate code per authorised user if you wanted.
Another way that I just remembered is to do an rDNS lookup on the IP and check that it’s “nightbot.net” IIRC. I THINK that would work but if someone wants to correct me, please feel free!
The method in my 1st comment would be quicker though.
The 1st method will not work as the command remains the same for all the users, and the link to the command API is on an open-source repo.
And going back to edit the command for 20 streamers that I am not even a mod for is a challenge in itself.
The 2nd method may work, but given the fact that Nightbot only waits for a certain amount of time before erroring out, I just can’t use it.
I think if there was an open API endpoint that shows the IPs of all the Nightbot instances, one that I could refetch now and then to compare against, it would solve this issue.
AH but Nightbot can accept messages and return them to the chat for the next 5 mins. I have an API that does just that. I’ll look for the details after my stream.
Yes. I had to disable a few features.
I know you can use Nightbot-Response-Url to respond to it, but I code in Python and I can’t really get it to work. It’s not like I haven’t tried, but I can’t put more time into it, not right now at least.
Ok so what you do is send an initial response to NB of just a full stop. Nothing more. Just “.”. This will cause NB to see the response and know that the command has worked, but it will not send it to chat. I can’t remember the minimum bytes NB needs to send it to chat. IIRC it’s 4 or 8, but sending just the full stop will definitely not put anything in chat.
THEN do your processing, and then use the reply url to send the actual response. Then you are only limited to the 5 minute timeout.
To further clarify, the intended way to verify a request is from Nightbot is to compare its reverse DNS in both directions:
$ dig A z.y.x.w.tun.nightbot.net
...
z.y.x.w.tun.nightbot.net. 300 IN A w.x.y.z
$ dig -x w.x.y.z
...
w.x.y.z.in-addr.arpa. 86400 IN PTR z.y.x.w.tun.nightbot.net.
The IPs don’t matter in question, but you want to ensure that on both sides it ends with nightbot.net.
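The two-way check described in the last reply, written out in Python as an added example (not code from any poster in this thread or from Nightbot). The function names and the sample records are constructed for illustration, and it assumes `ip` is the peer address of the TCP connection, not a value taken from a request header.

```python
import ipaddress
import socket

TRUSTED_SUFFIX = ".nightbot.net"  # domain named in the reply above

def system_reverse(ip):
    """PTR lookup via the system resolver; returns a hostname or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(hostname):
    """A/AAAA lookup via the system resolver; returns a set of IP strings."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except OSError:
        return set()

def is_nightbot_ip(ip, reverse=system_reverse, forward=system_forward):
    """True only if PTR(ip) ends in .nightbot.net AND that name resolves back to ip."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    name = (reverse(str(addr)) or "").rstrip(".").lower()
    # The leading dot in the suffix rejects look-alikes such as evilnightbot.net.
    if not name.endswith(TRUSTED_SUFFIX):
        return False
    # Whoever owns an IP block can publish any PTR they like, so the PTR is
    # trusted only if the forward lookup of that name returns the same IP.
    for candidate in forward(name):
        try:
            if ipaddress.ip_address(candidate) == addr:
                return True
        except ValueError:
            continue
    return False

# Constructed sample records (documentation IP ranges, not real Nightbot addresses).
SAMPLE_PTR = {"203.0.113.10": "10.113.0.203.tun.nightbot.net.",
              "198.51.100.7": "7.100.51.198.tun.nightbot.net.",  # forged PTR
              "192.0.2.5": "host.evilnightbot.net."}             # look-alike
SAMPLE_A = {"10.113.0.203.tun.nightbot.net": {"203.0.113.10"},
            "7.100.51.198.tun.nightbot.net": {"203.0.113.10"},
            "host.evilnightbot.net": {"192.0.2.5"}}

def sample_forward(hostname):
    return SAMPLE_A.get(hostname, set())
```

Called as `is_nightbot_ip(ip)` it uses the system resolver; caching the verdict per IP keeps the two lookups out of the request path on repeat calls.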