Comment by blincoln
3 years ago
Rate-limit the number of different source IPs that the token can be used from within a given period of time, or the number of requests per second that can use that token without having to re-verify?
If they can track the token that way, that blows the whole point: the token becomes a persistent unique ID.
The idea was to prove that a token exists without disclosing the token itself, nor any sort of 1:1 substitution.
That sort of thing is definitely possible; that's not the conundrum. What they said is one of the conundrums, I have to admit. If the server doesn't know who the user is, then the server doesn't know it's a valid user vs. a bot.
But I only agree it's a problem. I don't agree it's a problem without a solution.
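To make the rate-limit proposal in blincoln's comment concrete (and the objection to it), here is an added example; it is not code from anyone in the thread. It keeps, per token, a sliding window of (timestamp, source IP) pairs and asks the client to re-verify when the token has been seen from more than a set number of distinct IPs within the window, or when it exceeds a requests-per-second ceiling. The thresholds, the `ALLOW`/`REVERIFY` outcomes, and the choice to key on a SHA-256 digest of the token are all assumptions made for the example.

```python
"""Sliding-window limiter keyed on a bearer token (added example, not from the thread).

Limits (a) how many distinct source IPs may present one token within a window and
(b) how many requests per second one token may make before re-verification.
Thresholds and the ALLOW/REVERIFY outcomes are assumptions for illustration.
"""
from collections import defaultdict, deque
import hashlib

ALLOW = "allow"
REVERIFY = "reverify"


class TokenRateLimiter:
    def __init__(self, max_ips, window_seconds, max_rps):
        self.max_ips = max_ips            # distinct source IPs allowed per window
        self.window = float(window_seconds)
        self.max_rps = max_rps            # requests allowed per one-second bucket

        # Per-token history of (timestamp, source_ip). The map is keyed on a
        # digest of the token rather than the raw value, but a digest is just as
        # stable as the token itself: this table is precisely the persistent
        # per-token identity that the reply in the thread objects to.
        self._events = defaultdict(deque)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def check(self, token, source_ip, now):
        """Record one request for `token` from `source_ip` at time `now` (seconds)
        and return ALLOW, or REVERIFY if either limit is exceeded."""
        events = self._events[self._key(token)]

        # Evict history that has aged out of the distinct-IP window.
        while events and now - events[0][0] > self.window:
            events.popleft()

        distinct_ips = {ip for _, ip in events}
        distinct_ips.add(source_ip)

        # Requests in the trailing one second, counting the current one.
        last_second = 1 + sum(1 for ts, _ in events if now - ts < 1.0)

        events.append((now, source_ip))

        if len(distinct_ips) > self.max_ips or last_second > self.max_rps:
            return REVERIFY
        return ALLOW

    def tracked_tokens(self):
        """Number of distinct tokens the server currently holds state for."""
        return len(self._events)


if __name__ == "__main__":
    # Constructed sample traffic: one token used from three IPs within a minute.
    lim = TokenRateLimiter(max_ips=2, window_seconds=60, max_rps=5)
    for ip, t in [("10.0.0.1", 0.0), ("10.0.0.2", 1.0), ("10.0.0.3", 2.0)]:
        print(ip, lim.check("tok-A", ip, t))
    print("tokens tracked:", lim.tracked_tokens())
```

Note that the limiter cannot work without `self._events`: to count IPs or requests "per token" the server has to retain state addressed by the token (or any stable function of it), which is why the reply says that approach turns the token into a persistent unique ID even though the raw token value is never stored.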