e621ng / e621ng

e621.net

Why is there cloudflare anti-bot protection on the API?

Deer-Spangle opened this issue · comments

Hey there, mirroring a forum topic a bit:
https://e621.net/forum_topics/38076

But... why do we have cloudflare human verification on the API? That somewhat defeats the point, right?

I honestly don't know cloudflare configuration at all, but I guess you must be able to allow only certain endpoints? I mean, one could argue that's then the new DDoS target, but can you limit to only requests with a bot token? Then you can just ban any that are acting excessively? In fact, doesn't the API already have rate limits?

I dunno, maybe it's not possible, but I figured it would be wise to raise this as a github issue for search-ability at least

Give an inch and the people attacking e621 take a mile. Nothing can be left open.

To quote Kira,

The API is offered as a best effort service, the site staff are focused on ensuring that the primary site interface is accessible for everyone, so efforts go towards that, and not API access.

Well just turn it off then.

I mean, I get that it's best effort, I'm not expecting any SLA, but it seems odd for API endpoints to go behind anti-bot protection, rather than just being unavailable

This does mirror #483 a bit too, but seems sufficiently different too

"turning them off" would still require them to hit some server, which is the opposite of what you want in a DDoS attack
beyond that they can't just block all json endpoints, various endpoints that are used on the site are json related, like adding notes

I think the user meant to turn the API off.

I think the user meant to turn the API off.

I'm... aware of what they meant
my point still stands

Adding a note makes a request to /notes.json on the front end, "disabling the api" would disable this
Adding favorites uses the api
Adding posts to sets uses the api
Adding posts to pools uses the api

The API is REQUIRED for basic site functionality

Adding any exception to any resource while the site is experiencing a DDoS is entirely against the point of the protection. I understand that this is a frustrating experience but the alternative is that the whole site is not available. Theoretically you can enable protection only for certain parts of the site but checking for an api token is useless since cloudflare has no way of knowing if it is a real one or not.

It seems that for the moment the protection has been scaled back, however I can't guarantee that it will stay that way.

I think the user meant to turn the API off.

I'm... aware of what they meant my point still stands

That wasn't so clear from ""turning them off" would still require them to hit some server, which is the opposite of what you want in a DDoS attack". Thank you for clarifying.

Adding a note makes a request to /notes.json on the front end, "disabling the api" would disable this Adding favorites uses the api Adding posts to sets uses the api Adding posts to pools uses the api

Ah, the frontend uses the API, that's basically the answer then.

Adding any exception to any resource while the site is experiencing a DDoS is entirely against the point of the protection. I understand that this is a frustrating experience but the alternative is that the whole site is not available. Theoretically you can enable protection only for certain parts of the site but checking for an api token is useless since cloudflare has no way of knowing if it is a real one or not.

Yeah, I figured leaving a gap open would not be ideal, wasn't sure if cloudflare had any handy functionality for dealing with that. Makes sense that cloudflare could only check for presence of an API token, but not check validity, and passing those validity checks to the server just opens a hole in the DDoS protection.

Thank you for clarifying there @Earlopain, I wasn't meaning to complain or anything. I understand the API is best effort basis, and I'm generally an advocate for downtime not being as serious as people make out.
I just wanted to have things clarified somewhere a bit better than all the random whispers and word of mouth scattered through a thousand forum topics!

Many thanks ^_^