> We have discontinued the publicly hosted version of RequestBin due to ongoing abuse that made it very difficult to keep the site up reliably. Please see instructions below for setting up your own self-hosted instance.
(note, that message is old, requestbin did live on despite it, iiuc)
That's the problem, we can't have nice things on the internet anymore.
Either you could try adding limitations that would make it less appealing to shady folks, e.g. amount of storage in the value.
Or, most likely, adding user accounts and, depending on how far you need to go, captchas, or offloading it by e.g. using GitHub OAuth (and coupling yourself and your users to a 3P).
Neither of them is great. While the tool is fairly unpopular, there probably isn't an issue.
I mean, there's a whole industry dedicated to preventing abuse of computing resources exposed to the internet. You basically opened your MongoDB instance to the world - you are lucky they haven't already stored anything horribly illegal in there.
Anything is certainly possible on the internet, if or when that happens I'll intervene.
Implementing authentication and/or authorization is not beyond my ability, and could have been set up, but it would have severely tarnished ease of access to the platform and hindered the number of people who already tried out the service.
The hubris of software engineers never ceases to amaze me. I'm not trying to scare you here, I am just gently suggesting that you might not have the capacity to provide this as a public service. Keep using it for your projects if it works for you, maybe wrap it in a docker container for other people to deploy on their own if they so want.
Side note, I just tested a curl command with
-d '{"key": {"$regex": ".*"}, "value": "..."}'
and it went through, updating the already existing first key in the collection, so you're not even sanitizing your inputs - there's likely some Mongo lookup code that will enumerate the existing collections, or overwrite someone else's data, or possibly read all of it, I am not going to continue with the probing (are you sanitizing the api key?). You can either assume good faith from all your users, or open the API to the internet, but definitely not both.
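As an added, self-contained illustration (not code from the service being discussed nor from the commenter), here is the operator-injection pattern the comment describes next to a type-checked version of the same filter. The field names (`api_key`, `key`, `value`), the sample documents, and the tiny in-memory evaluator that mimics Mongo's `$regex` and `$ne` matching are all assumptions so the example runs offline without a database or driver.

```python
"""Operator injection against a MongoDB-backed key/value API, and one way to stop it.

Toy evaluator only: it mimics the $regex / $ne matching a real Mongo query does,
so the example runs offline without a database or driver (assumption, not the
service's real code).
"""
import re
from typing import Any, Optional

# Constructed sample data standing in for the service's collection.
SAMPLE_DOCS = [
    {"api_key": "k1", "key": "alice-webhook", "value": "hello"},
    {"api_key": "k2", "key": "bob-webhook", "value": "s3cret"},
]

# Assumption: keys and API keys are short identifier-like strings.
IDENT_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def build_filter_unsafe(api_key: Any, payload: dict) -> dict:
    """The pattern the comment describes: the decoded JSON body goes straight
    into the filter, so a JSON object in either field becomes a Mongo operator."""
    return {"api_key": api_key, "key": payload["key"]}


def build_filter_safe(api_key: Any, payload: dict) -> dict:
    """Reject anything that is not a plain string; operators can only arrive as objects."""
    key = payload.get("key")
    for name, val in (("api_key", api_key), ("key", key)):
        if not isinstance(val, str):
            raise ValueError(f"{name} must be a string, got {type(val).__name__}")
        if not IDENT_RE.fullmatch(val):
            raise ValueError(f"{name} has an unexpected shape")
    return {"api_key": api_key, "key": key}


def _match(doc_value: Any, cond: Any) -> bool:
    """Evaluate one filter field for a literal or a small operator set."""
    if isinstance(cond, dict):
        for op, arg in cond.items():
            if op == "$regex":
                if not (isinstance(doc_value, str) and re.search(arg, doc_value)):
                    return False
            elif op == "$ne":
                if doc_value == arg:
                    return False
            else:
                raise ValueError(f"operator {op} not modelled in this toy evaluator")
        return True
    return doc_value == cond


def find(docs: list, flt: dict) -> list:
    """All documents matching every field of the filter."""
    return [d for d in docs if all(_match(d.get(f), c) for f, c in flt.items())]


def update_one(docs: list, flt: dict, new_value: Any) -> Optional[dict]:
    """updateOne semantics: the first matching document gets the new value."""
    hits = find(docs, flt)
    if not hits:
        return None
    hits[0]["value"] = new_value
    return hits[0]


def demo_injection() -> dict:
    """What each code path does with the same hostile request."""
    docs = [dict(d) for d in SAMPLE_DOCS]
    # Constructed hostile request: the body mirrors the comment's curl -d payload,
    # and the api_key is itself an operator object rather than a string.
    hostile_api_key = {"$ne": ""}
    hostile_body = {"key": {"$regex": ".*"}, "value": "owned"}

    unsafe_filter = build_filter_unsafe(hostile_api_key, hostile_body)
    clobbered = update_one(docs, unsafe_filter, hostile_body["value"])

    try:
        build_filter_safe(hostile_api_key, hostile_body)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "unsafe_matches": len(find(docs, unsafe_filter)),  # every document
        "unsafe_clobbered_key": clobbered["key"] if clobbered else None,
        "safe_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo_injection())
```

The unsafe filter matches every document regardless of who owns it, and `updateOne` overwrites the first one, which is exactly the "updated the already existing first key" behaviour reported above. The fix is not escaping but type enforcement: a string field that is only ever compared by equality must never accept an object, because an object is how operators enter a Mongo filter.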
As a one-off there are many ways, but if you want to scale things up then you run out of options pretty fast. OP potentially just made themselves the new lowest hanging fruit.
Services like requestbin have had a lot of trouble with this sort of thing, historically https://web.archive.org/web/20190711192140/https://github.co...