
Replace user_agent_string with a random string #46

Open
wants to merge 1 commit into
base: dev

Conversation


@tobiasknudsen tobiasknudsen commented Aug 21, 2023

Fixes #44

It looks like Medtronic has added some rate limiting based on the User-Agent on the login endpoints, since they return 502 Too Many Connections Requests in 10 minutes. Hardcoding the User-Agent to a real User-Agent fixes it, but also just sending a random string seems to work for me.

Not sure how ideal this fix is

@bewest
Member

bewest commented Aug 21, 2023

Thanks for the experimentation and this insight. I wonder if it would help to use another header, purely to provide a random number for traceability. For example, if we also send x-traceable-req: uuid4 or similar. This way, if they perform rate limiting against a serialized form of the request, they can correctly trace user agents while essentially deduping our requests?

bewest added a commit to nightscout/nightscout-connect that referenced this pull request Aug 21, 2023
Force Medtronic to log requests from nightscout-connect.
Do not allow plausible deniability.
Per nightscout/minimed-connect-to-nightscout#46, force
putting a second UUID in a header.  x-axios-tracing already sets a UUID.
This patch correctly uses browser based headers for processing and requesting
HTML Forms.
@bewest
Member

bewest commented Aug 21, 2023

FWIW, there's a new module, nightscout-connect, with a similar feature discussed here: nightscout/nightscout-connect#19. Nightscout Connect is a bit easier to maintain because 7 vendor libraries can share a single HTTP dependency for Nightscout. It would be great to experiment to see if just 6 - 8 random characters is enough, in addition to strings to correctly attribute the software to our open source projects.

@tobiasknudsen
Author

Looks like they are targeting "nightscout" in the User-Agent; just removing it also works...
[software.name, software.version, software.bugs.url].join(' // ').replaceAll("nightscout", "")

@bewest
Member

bewest commented Aug 23, 2023

Thanks for testing @tobiasknudsen. I can confirm any trace of nightscout on European servers will result in a rejected request. However, it works fine for patients in the United States. I think it's critical to contact regulators to let them know of these digital rights abuses and attempts to generate plausible deniability. Is it legal for Medtronic to block patients from accessing factual information about themselves?

Perhaps we can stick some attribution for NS in another header.
