BoarAvoir [they/them]

  • 3 Posts
  • 17 Comments
Joined 3 years ago
cake
Cake day: December 29th, 2022

help-circle


  • Hi, thank you for reporting this issue! sorry it’s taken a bit to work its way to the relevant people. It should be working now, assuming you are not currently rate limited and you don’t require multiple retries to get the 2fa code right.

    a little inside baseball

    So the issue is, lemmy doesn’t have super granular controls on various API rate limits, there are only like 7 categories but there are many more API endpoints than that. For reasons I cannot fathom, the /login endpoint uses the same rate limit as the /register endpoint (for applying for a new account), which we keep pretty low to prevent registration spam, etc.

    In addition, 2FA logins require 2 calls to /login, since the first one has to come back with a response telling the page to display the 2fa prompt, and then a second request is sent with the 2FA code.

    Long story short, there was recently an attempted “raid” of the site by some trolls, and in preparation the /register rate limit was lowered further than normal, to only 1 per hour. This had the unintended effect of making 2FA logins impossible, and has now been increased. In future our devs may change the login rate limit to not track /register, but for now 2FA should be working again, though if you mis-type the code you may get rate-limited for an hour until a more permanent fix is in place.









  • As others have mentioned, that was implemented in a hurry due to tightening up security and safety around embedded images. I’ve brought it up to the devs to hopefully rectify, as if an instance is trustworthy enough to federate with (aka, not actively malicious) then it is probably safe to show their embeds (behind a blur).

    At the latest, this restriction will go away when lemmy upgrades to pictrs 0.5 which will support proxying image requests, but unless there are objections from the rest of the team we will likely add all federated instances to the image allowlist before then.








  • Yes, you are on the right track.

    What actually happened is, for the migration back to upstream lemmy, our devs developed and contributed the custom emoji feature, so that we could keep them, but since we were uploading them through the UI not baking them into the app when it was built as static assets, they had to go into pictrs (the image backend), which doesn’t support SVGs yet. So as part of our migration we converted all SVG emotes back to PNG (apparently at a pretty substantial resolution).

    They render correctly on our side because the UI recognizes that they are a local custom emoji and applies different CSS than we do for other embedded images, but as currently written, there is no simple way to differentiate a federated emoji from any other embedded image, so when federated, our emoji get rendered as just any image, at whatever size the file is. We will likely contribute a fix for this upstream, though resizing all of our emotes to a consistent size would also do the trick, and may be undertaken as a stopgap in the mean time.