by markrickert 4594 days ago
Error:

failed to fetch user profile (status: 403 data: {"message":"Maximum number of login attempts exceeded","documentation_url":"http://developer.github.com/v3"})
    at Strategy.userProfile (/opt/gitter/landing-app/node_modules/passport-github/lib/passport-github/strategy.js:90:28)
    at passBackControl (/opt/gitter/landing-app/node_modules/passport-github/node_modules/passport-oauth/node_modules/oauth/lib/oauth2.js:105:9)
    at IncomingMessage.exports.OAuth2._executeRequest.request.on.callbackCalled (/opt/gitter/landing-app/node_modules/passport-github/node_modules/passport-oauth/node_modules/oauth/lib/oauth2.js:124:7)
    at IncomingMessage.EventEmitter.emit (events.js:126:20)
    at IncomingMessage._emitEnd (http.js:366:10)
    at HTTPParser.parserOnMessageComplete [as onMessageComplete] (http.js:149:23)
    at CleartextStream.socketOnData [as ondata] (http.js:1472:20)
    at CleartextStream.CryptoStream._push (tls.js:544:27)
    at SecurePair.cycle (tls.js:898:20)
    at EncryptedStream.CryptoStream.write (tls.js:285:13)
    at Socket.ondata (stream.js:38:26)

Guess it's built with node ;)

After pressing the button again, it gave me the confirmation message.


Yes, node node node! :)

Um, thanks for pointing this out, will take a look at it, we may have blown through the rate limit.

Isn't echoing errors like that a security issue? I'm not implying it necessarily is, because it's obviously conveniently useful for debugging.
Yup, they should log / e-mail themselves the error messages when in production rather than displaying them; sensitive info might leak, plus stack traces aren't very friendly.

Looks like they might have left the connect.errorHandler() dev middleware (http://www.senchalabs.org/connect/errorHandler.html) plugged into their app.

It's only a security issue if it provides exploitable information. It's more commonly avoided as an issue regarding user confusion, not security.
We normally don't do this, we put this little preview app together quite quickly using a slightly different infrastructure to our regular stuff.

We normally log these and just display a friendly error message to the end user.