Way to verify request is from nightbot

I have an API that helps with clipping things in a stream. The issue is there is no way I can verify that the request is actually from Nightbot and not just someone adding headers,
which is kind of a security issue. One can easily flood my database by spamming the API.

Is there a way to verify that it's an actual Nightbot urlfetch request?
The closest I can think of is by Nightbot-Response-Url, but I am still unsure how I can.

On sensitive commands that are only used by trusted people I use a URL something like

https://example.com?code=jewbfhbwfbhwvhbgscvwvjhbtwvbhuhrsbrhrvbehvb

Then if the code is not correct, do not execute.
Only people who can actually see the raw command would be able to get the code.
You could also have a separate code per authorised user if you wanted.

Another way that I just remembered is to do an rDNS lookup on the IP and check that it’s “nightbot.net” IIRC. I THINK that would work but if someone wants to correct me, please feel free !

The method in my 1st comment would be quicker though.

The 1st method will not work as the command remains the same for all the users, and the link to the command API is in an open-source repo.
And going back to edit the command for 20 streamers that I am not even a mod for is a challenge in itself.

The 2nd method may work, but given the fact that Nightbot only waits a certain amount of time before erroring out, I just can't use it.

I think if there was an open API endpoint that shows the IPs of all the Nightbot instances, that I could refetch now and then to compare against, it would solve this issue.

AH but Nightbot can accept messages and return them to the chat for the next 5 mins. I have an API that does just that. I’ll look for the details after my stream.

I think you mean nightbot-response-url.

Yeah it's possible, but it creates confusion if the bot doesn't respond right away.

It would be best if there was a way I can verify that the response-url is an actual real URL without sending anything to the chat.
Will look into it.

Well rDNS lookups don’t take THAT long tbh.

I really have a veryyyyyyyyy tiny margin to spare, to the point that I am even taking location into my own hands - Location where Nightbot is hosted - Nightbot - NightDev Community Forums

I guess I'll try to store the known IPs and only do an rDNS query when I get a new IP.

When you say “veryyyyyyyyy tiny margin” do you mean before NB says server isn’t responding ?

Yes. I had to disable a few features.
I know you can use nightbot-response-url to respond to it, but I code in Python and I can't really get it to work, and it's not like I haven't tried. But now I can't put more time into it, not right now at least.

Ok so what you do is send an initial response to NB of just a full stop. Nothing more. Just “.”. This will cause NB to see the response and know that the command has worked, but it will not send it to chat. I can’t remember the minimum bytes NB needs to send it to chat. IIRC it’s 4 or 8, but sending just the full stop will definitely not put anything in chat.

THEN do your processing, and then use the reply url to send the actual response. Then you are only limited to the 5 minute timeout.

Don’t know how helpful this will be but here are the necessary bits to send the message to the response url in PHP…

<?php
// $responseurl is the per-request Nightbot-Response-Url header, which PHP
// exposes as $_SERVER['HTTP_NIGHTBOT_RESPONSE_URL'] (added for completeness).
$responseurl = $_SERVER['HTTP_NIGHTBOT_RESPONSE_URL'];
// $message holds the final chat text, built after the initial "." reply.
$options = array(
    'http' => array(
        'header'  => "Content-type: application/x-www-form-urlencoded",
        'method'  => 'POST',
        'content' => $message
    )
);
// POST $message to the response url; this must happen within the 5 minute window.
$context = stream_context_create($options);
$resp = file_get_contents($responseurl, false, $context);

Afraid I don’t know Python.
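The same "ack now, answer later" flow in Python, since that is what the asker codes in. This is an added example, not code from the thread or from NightDev. Assumed rather than stated on the page: the header name Nightbot-Response-Url, that the final text is POSTed to that URL as the raw body with a form-urlencoded content type (mirroring the PHP above), and the `nightbot.net` host suffix used to vet the response URL. The network call is injectable so the functions can be exercised offline.

```python
"""Ack-now, answer-later handler for a Nightbot urlfetch command (added example)."""
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# A lone full stop satisfies Nightbot without putting anything in chat (per the
# thread); the real reply follows later via the response URL.
ACK_BODY = "."
POST_TIMEOUT = 10        # seconds; our own choice
ALLOWED_SUFFIX = "nightbot.net"  # ASSUMED host suffix of the response URL; configure from real traffic


def extract_response_url(headers):
    """Return the Nightbot-Response-Url header value (case-insensitive match),
    or None when the request did not carry one (e.g. not sent via Nightbot)."""
    for name, value in headers.items():
        if name.lower() == "nightbot-response-url":
            return value.strip() or None
    return None


def response_url_allowed(url, allowed_suffix=ALLOWED_SUFFIX):
    """The response URL arrives in a request header, so it is caller-controlled.
    Only POST to https hosts under the expected suffix, so a forged header
    cannot turn this server into a relay that POSTs wherever it is told."""
    parts = urllib.parse.urlsplit(url)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and (host == allowed_suffix or host.endswith("." + allowed_suffix))


def post_to_response_url(response_url, message, opener=None):
    """POST the finished chat line to the per-request response URL.

    `opener` is any callable opener(request) returning a context manager with
    a .status attribute; by default urllib's urlopen with a timeout.
    Returns the HTTP status code from the response URL.
    """
    if opener is None:
        def opener(req):
            return urllib.request.urlopen(req, timeout=POST_TIMEOUT)
    req = urllib.request.Request(
        response_url,
        data=message.encode("utf-8"),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with opener(req) as resp:
        return resp.status


def build_clip_reply(query):
    """Placeholder for the slow work (clip creation); returns the chat text."""
    return f"clip request handled for {query or 'default'}"


class ClipHandler(BaseHTTPRequestHandler):
    """Reply '.' immediately, then finish the job in a background thread."""

    def do_GET(self):
        response_url = extract_response_url(self.headers)
        body = ACK_BODY.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)  # Nightbot sees a valid, empty-looking response at once
        if response_url is None or not response_url_allowed(response_url):
            return  # nowhere safe to reply later; nothing more to do
        query = self.path.partition("?")[2]
        threading.Thread(
            target=lambda: post_to_response_url(response_url, build_clip_reply(query)),
            daemon=True,
        ).start()

    def log_message(self, fmt, *args):
        pass  # keep the example quiet


if __name__ == "__main__":
    # Local manual test only; put a proper WSGI/ASGI server in front in production.
    HTTPServer(("127.0.0.1", 8080), ClipHandler).serve_forever()
```

The ack is written before the thread is started, so the short Nightbot timeout is never in play; the only remaining limit is the 5 minute window for the second POST.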

Instead of a full stop, why not just a space? Spaces alone don’t get sent in chat.

TBH I can’t remember, but off the top of my head I think it was to keep the API compatible with certain other bots if needed.

I see, interesting, thanks!

To further clarify, the intended way to verify a request is from Nightbot is to compare its reverse DNS in both directions:

$ dig A z.y.x.w.tun.nightbot.net
...
z.y.x.w.tun.nightbot.net.	300 IN	A	w.x.y.z

$ dig -x w.x.y.z
...
w.x.y.z.in-addr.arpa. 86400 IN	PTR	z.y.x.w.tun.nightbot.net.

The IPs in question don’t matter, but you want to ensure that on both sides it ends with nightbot.net.
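The two-direction rule above, plus the earlier idea of only doing the rDNS round trip for IPs not seen recently, written out in Python. This is an added example, not code from the thread or from NightDev. It checks that a PTR name ends in the `nightbot.net` label and that the forward lookup of that name returns the same IP; the `tun.nightbot.net` name shape comes from the dig output above, while the addresses used in the comments and tests are constructed documentation IPs. Resolver functions are injected so the module runs offline; `system_resolvers()` wires up the real socket calls.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check with a verdict cache (added example)."""
import ipaddress
import socket
import time

TRUSTED_SUFFIX = "nightbot.net"


def _normalize(name):
    return name.rstrip(".").lower()


def has_trusted_suffix(hostname, suffix=TRUSTED_SUFFIX):
    """True for 'suffix' itself or '<labels>.suffix'. A plain endswith() would
    also accept 'evilnightbot.net', so match on a label boundary."""
    host = _normalize(hostname)
    return host == suffix or host.endswith("." + suffix)


def forward_confirmed(ip, resolve_ptr, resolve_a, suffix=TRUSTED_SUFFIX):
    """Return the confirming hostname, or None if either direction fails.

    resolve_ptr(ip)  -> list of PTR names (raises OSError when there are none)
    resolve_a(name)  -> list of address strings (raises OSError when none)
    A PTR alone proves nothing: whoever runs the reverse zone for an IP can put
    any name in it, so the name is resolved forward and must map back to the IP.
    """
    try:
        ip_obj = ipaddress.ip_address(ip)
    except ValueError:
        return None
    try:
        ptr_names = resolve_ptr(str(ip_obj))
    except OSError:
        return None
    for name in ptr_names:
        if not has_trusted_suffix(name, suffix):
            continue
        try:
            addrs = resolve_a(_normalize(name))
        except OSError:
            continue
        for addr in addrs:
            try:
                if ipaddress.ip_address(addr) == ip_obj:
                    return _normalize(name)
            except ValueError:
                continue
    return None


class VerifiedSourceCache:
    """Remember verdicts per IP. Positive results live for `ttl` seconds and
    negative ones for the shorter `neg_ttl`, so a flood from one unknown IP
    costs one lookup per neg_ttl instead of one per request."""

    def __init__(self, resolve_ptr, resolve_a, ttl=3600, neg_ttl=60,
                 clock=time.monotonic):
        self._resolve_ptr = resolve_ptr
        self._resolve_a = resolve_a
        self.ttl = ttl
        self.neg_ttl = neg_ttl
        self._clock = clock
        self._cache = {}  # ip -> (expires_at, verdict)

    def is_trusted(self, ip):
        now = self._clock()
        hit = self._cache.get(ip)
        if hit is not None and hit[0] > now:
            return hit[1]
        ok = forward_confirmed(ip, self._resolve_ptr, self._resolve_a) is not None
        self._cache[ip] = (now + (self.ttl if ok else self.neg_ttl), ok)
        return ok


def system_resolvers():
    """Real lookups via the socket module. Behind a reverse proxy the connecting
    IP is the proxy's; use a client-IP header only if the proxy overwrites it."""
    def resolve_ptr(ip):
        name, _aliases, _addrs = socket.gethostbyaddr(ip)  # socket.herror is an OSError
        return [name]

    def resolve_a(name):
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})

    return resolve_ptr, resolve_a


if __name__ == "__main__":
    import sys
    ptr, a = system_resolvers()
    cache = VerifiedSourceCache(ptr, a)
    for arg in sys.argv[1:]:
        print(arg, "trusted" if cache.is_trusted(arg) else "rejected")
```

Call `cache.is_trusted(remote_ip)` before touching the database; the first request from a given IP pays for the two lookups, later ones are a dictionary hit, which keeps the check inside the tight response budget discussed above.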

