-
-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GitHub badges are "unresponsive": rate limiting #529
Comments
Thank you for raising this issue! I have bad news. GitHub's rate limiting has two ceilings:
We are using authenticated requests. Indeed, the headers I receive from GitHub include the following:
However, the rate limit reset timestamp does not seem to be correct, which suggests a bug in GitHub's rate limiting system. I am writing to them for clarification. In the meantime, I will try to adjust the cache to avoid hitting the rate limit. If that is not enough, I will try to cache GitHub badges for a longer span of time. Ideally though, I would find a common ground with GitHub to increase the rate limit. |
I see the issue today as well. Any word back from them? If not, I have an idea to allow additional requests : spin up multtple authenticated "apps" and round robin the requests through them all using the a shared cache on the back end. An additional solution would be to have a backup cache every time the primary cache expired it would replace the entry in the long term cache (1 week?). If a request was made and rejected there would be a high likelyhood that stale info was available unless the package/repo was not very popular. |
GitHub has told me they have opened an internal issue for the API team to investigate and track this. Having multiple apps fails, because they track IPs as well. Switching the server's IP would be wonky. When we hit rate-limiting, we do use our LRU cache (when there is something in it). But the requests are very varied, and the cache gets filled within an hour. (Potentially, we could have a smarter cache than LRU, but tracking popularity sounds like it would require a lot of memory.) |
Same here, i've got |
Removed badge due to github request limit issue badges/shields#529
Removed badge due to github request limit issue badges/shields#529
there are issues providing the images due to the throttle limit badges/shields#529
there are issues providing the images due to the throttle limit badges/shields#529
there are issues providing the images due to the throttle limit badges/shields#529
Hi all, |
1 similar comment
This would be a very good workaround for the time being. And please put some pressure on GitHub, why haven't they come back to you in 2 months' time?! |
This reverts commit adf6505. Apparently not a good idea since the GitHub provider is quite unreliable. see badges/shields#529
I don't even get 'vendor | unresponsive". I get a broken image when I look at shields.io, and when I try and load the badge URL directly, I get a CloudFlare "Error 504 Gateway time-out" page. |
@kballard Hmm. I added the 504 because of this discussion. The hope was to configure CloudFlare to cache everything, but only use that cache if I returned a 504. However, I can't find a way to configure CloudFlare in this way. I didn't think it would cause CloudFlare to return an HTML page instead. |
Any news on this? |
I wish Github provided itself such badges. People obviously like them. |
+1. I've had to remove my latest release shield and replace it with a static svg because GitHub shields were down so often in the last week. |
Yeah, this is a huge bummer. The Github-related badges on my Github-hosted documentation essentially never work. I may have to just give up on them, but they provided nice information in a pretty way when they worked. Is there a forum where raising this issue might help motivate Github to fix things? |
I was wondering if that might be an issue. If we can get enough people to contribute tokens, this should never happen though. |
I am awfully sorry, I substantially misinterpreted how the tokens work. I am working on a fix, don't hesitate to revoke the tokens in the meantime. |
No problem. I'll create a new one once the fix is deployed. |
There's a partial fix up. Shields no longer uses a token if it has reached 1/4th of its rate limit. |
The full fix is up. Shields will only use a user token that has more than 1/4th of its rate limit and is the user token with the most requests left. As a result, it self-balances between all user tokens available. |
That’s a nice, elegant solution. And ¼ is conservative enough that nobody should be afraid to share their tokens. |
Thanks a lot for raising the issue! I can probably raise the "1/4th of the rate limit" restriction. It corresponds to 3125 requests in an hour, which is a bit low (for tinkerers). However, that limit is only there as a safeguard. Currently, with just nine tokens, the lowest a token went in the past hour was 10288 requests, before getting reset to 12500. |
I've added a new token back into the app. |
Hi everyone, I made a mistake. @agboom pointed out to me in private that the GitHub user tokens were publicly accessible at The fundamental problem is that, when I first created the service, there was no sensitive information in it, and I didn't expect to ever have some. So I simply set the repository directory as the fallback location wherein the server could serve files, and forgot that I did. That was a mistake in retrospect, as when I first hit the rate limit problems a year or two later, I simply assumed that files in the main folder would not be publicly accessible. First, correction and mitigation. I set a specific folder to contain public files, so that the server is not allowed to serve files outside of that folder. I set a specific folder to contain sensitive files, in private/. Second, assuming the worst. The two sensitive files that we currently have are .github-user-tokens.json and secret.json. They are both very similar: they contain information that prove that shields.io is the one performing a request, and therefore, that it can be trusted with a higher rate limit. (I am sorry to have been sloppy with that trust.) Malicious actors can have downloaded those files, and benefited from higher rate limits in Bintray, SL Insight and GitHub. For Bintray and SL Insight, anyone can obtain their own tokens to get that same rate limit by registering as a user at those companies, so there is no practical reason for them to use mine: if they wanted to be malicious, they could create fake accounts. For GitHub, it is a bit worse, as about 900 GitHub users registered to help increase the rate limit for GitHub badges, creating a rate limit of 11250000 (~ 11 million) requests per hour: virtually unlimited access to the public GitHub API. For GitHub's sake, I cannot keep using them given that they are potentially compromised, potentially giving some malicious actor a way to circumvent GitHub's rate limit mechanism, so I must revoke them. So here is what I did:
Unfortunately, at peak time, I do need about 200k requests/hour. It is way below the 11 million, but way above the 12.5k that I can get from just me. I need about 20 people to re-activate the Shields app on GitHub, which may not happen in time for Monday 5pm CET, which is a typical peak time. For users, including those that authorized Shields as a GitHub app, there was no security issue, as I originally set the app to require the minimal amount of permissions (it can only see what is already public). There is a potential denial of service issue, as a malicious entity could have used up all of your rate limit capacity, which would have prevented you from using, for instance, GitHub for Windows, up until the end of the hour. For Shields.io, the revocation of GitHub user tokens means that GitHub badges may start failing at the end of every hour at peak time on Monday, unless about 20 people re-activate the Shields app by going to this page. I am awfully sorry for this, and will do my best to be more worthy of your trust in the future. |
@espadrine Thanks for the explanation and actions you've token once you discovered the problem. I have added a new token to the service for use. |
Thank you for letting us know this. Added new token! |
Kudos for being so transparent about this, @espadrine! You have my sword. And my bow. And my token. |
Well mitigated @espadrine. Please accept my token as a token of gratitude. |
Is this why https://img.shields.io/badge/donorbox-donate-blue.svg fails to load |
Could you add a section to the top of the readme about what this is and how to donate your client token (even add it to the top of shields.io? |
@espadrine did you get the 20 required signups? If not I can tweet or something to help. |
There thankfully were enough tokens. However, the volume of requests at peak time gets fairly high now, and I will need to add a server and do some performance tuning. I talk about that here: #868. |
Can this issue be closed? It sounds like everything is going well with the GitHub badges 😃 |
As far as I can tell! |
Great! Let's close it out and reopen if any issues come up 😄 |
Hi, Thank you for having pro-actively revoked our tokens. Just to let you know that the page to (re-)authorize GitHub Shields App no longer works: I assume you currently have enough tokens for the rate limit? |
Just ran into this issue this morning using some new badges for my repo. Tried visiting https://img.shields.io/github-auth but only get |
Thanks, let's address at #1038. Let's open a new issue for related Github problems, so it's not buried in here. |
This is what I see at shields.io now:
github shields seem not to work. I've tried to open them in a separate browser tab - the same result. But the owner/repo URL is correct.
The text was updated successfully, but these errors were encountered: