Option to send new spots up to DX Cluster #39
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This should be user toggleable (and persisted to local storage). It should replace spotting into the local database when used, so we don't get a duplicate spot back from the cluster.
Cluster will require a new connection to spot as the DE user. Syntax is here: https://wiki.dxcluster.org/wiki/Getting_and_posting_DX
User will need to provide an SSID for logging into the cluster.
Add CAPTCHA or similar to prevent bot abuse from the web UI.
ian referenced this issue from ian/field-spotter2025-10-19 14:06:28 +00:00
Need to figure out how to do authentication against a cluster node. There are several options, but to best prevent abuse/botting I think we need to ask the user for a password and only post to cluster if we can positively identify them.
Ideally I'd like to avoid storing usernames & passwords in Spothole, having to implement our own auth flow, user account creation/deletion, setting & changing passwords etc. But we will have to see how feasible it is to avoid that.
As a basic implementation we could require that the user already has set up a password on the cluster, then prompt them for that password during spotting, and obviously we can only post to cluster if that password matches. This would mean quite a lot of initial setup hassle for the user, as they would have to set this up in advance via their logging software or via telnet, but would mean Spothole doesn't have to store any user data, and it does protect the system from abuse.
Maybe we can do that as a first step, then later provide UI for managing your password on a cluster (still telnet commands mediated by the server). Or maybe we will end up having to store something within Spothole.
One weakness of this is that the user will need to have set a password on the cluster(s) that Spothole uses; I don't believe passwords are synced around the cluster at all. If the user's "home" node that they use from a traditional logger is not one Spothole connects to, they will have to set their password again on the other node. Spothole also doesn't currently make it particularly obvious which cluster node it's using.
Maybe the outcome of this is that I should run my own cluster node for Spothole. That's not ideal in terms of extra admin overhead for me but does mean that we have one consistent place to manage password auth. It also means that if other cluster sysops don't like the idea of being able to post from a website, or an abuse/botting problem arises via Spothole, other sysops could filter out stuff coming from Spothole and it wouldn't taint another innocent node.
So it looks like users generally can't set up a password on a cluster node themselves - they have to email their desired password in plaintext to the sysop who sets it for them. A design choice from a different era of the internet for sure.
As far as I can tell the vast majority of cluster nodes allow posting spots without needing a password.
Option to send new spots upwardsto Option to send new spots up to DX ClusterI think we have a couple of fundamental decisions to make here.
Cluster password required to spot:
Run a DXSpider node for Spothole:
Fun to be debating this while the cluster network is seeing multiple abusive bot posts per minute anyway.
Setting this to "blocked" for now as I have no clear decision on either of these questions. Advice welcome!