0.9.5: Server Side IP Duplication Checks and Cosmetics

October 23, 2021 - Reading time: 4 minutes

The new version of Raveberry introduces a tool to make vote manipulation harder. Previously, the check whether a user is able to vote or not happened fully on the client side. Most of the time, this was not an issue. After all, people usually use this software to have fun and not to find out how to game the system. However, if someone does find out that opening a private tab is enough to vote multiple times, they sometimes exploit this knowledge. Depending on your circle of friends, this may be more or less likely.

In order to maintain the spirit of Raveberry, I added an option to make it a little harder for people to vote multiple times. In /settings, you can now enable "IP vote checking". If enabled, multiple votes from the same IP are not possible. IPs are not stored in the database, only in Redis. The data expires after one day, or at server restart. Of course, this approach is still not perfect, as IPs can be spoofed. However, an exploit is harder to implement and should not be found by chance from a phone. Note that if you use the Discord bot, you need to keep this feature disabled. Otherwise, the bot would not be able to vote in lieu of its users.

Since I worked on IP-related stuff anyway, I decided to remove IP logging. Song requests are logged in order to provide suggestions and to allow some local analysis on the database. In order to link different requests to users, the IP address was stored along with the query. Initially, this was not really a problem, since people accessed Raveberry from a local hotspot. The IPs would only be in the local subnet and change across different usages.

However, Raveberry can also be deployed publicly, where storing IPs might be an issue. So instead of IPs, requests are now associated with the session key of a user. This key is randomly generated and carries no further information, unlike IP addresses. If you are using Raveberry like this and want to remove all IPs that were stored with earlier versions, run this command in Raveberry's directory (usually /opt/raveberry):

python manage.py shell -c 'from core.models import RequestLog; RequestLog.objects.all().update(session_key="")'

If you did not yet update to the newer version, change session_key to address. If you want to keep the identifying factor you can extend the script to pseudonymize the IP.
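One way to do that pseudonymization, as an added example that is not Raveberry's own code: a keyed HMAC rather than a plain hash, since all IPv4 addresses can be hashed and compared in little time. The function names, the 32-character truncation and the sample rows are assumptions made for illustration; writing the result back to the RequestLog rows is left to the shell command above.

```python
import hashlib
import hmac
import ipaddress
import secrets


def pseudonymize_ip(address: str, key: bytes) -> str:
    """Return a stable keyed pseudonym for an IP address.

    A plain SHA-256 of an IPv4 address can be reversed by hashing all 2**32
    candidates, so the digest is keyed with a secret (HMAC-SHA256).
    """
    ip = ipaddress.ip_address(address.strip())
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it wraps,
    # so one client does not end up with two pseudonyms.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # Hash the packed bytes, not the string, so "2001:db8::1" and its
    # fully expanded spelling map to the same value.
    digest = hmac.new(key, ip.packed, hashlib.sha256).hexdigest()
    return digest[:32]  # 128 bits; the length is an assumption, adjust as needed


def pseudonymize_rows(rows, key):
    """Map (id, address) pairs to (id, pseudonym); unparsable values become ""."""
    out = []
    for row_id, address in rows:
        try:
            out.append((row_id, pseudonymize_ip(address, key)))
        except ValueError:
            out.append((row_id, ""))  # not an IP: drop it instead of keeping it
    return out


if __name__ == "__main__":
    # Use one key for the whole run, then discard it: without the key the
    # pseudonyms still link requests together but cannot be brute-forced.
    key = secrets.token_bytes(32)
    # Constructed sample rows using documentation address ranges, not real logs.
    sample = [(1, "192.0.2.10"), (2, "::ffff:192.0.2.10"),
              (3, "2001:db8::1"), (4, "n/a")]
    for row in pseudonymize_rows(sample, key):
        print(row)
```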

Other than that, there were some cosmetic and other minor changes:

  • The page does not scroll after clearing the input field. Browsers like to move the user to the focused element, which in this case caused erroneous scrolling.
  • After adding a new hashtag, the old one would start scrolling with a lot of whitespace added. This has been part of Raveberry since the very first mock-up and I finally got around to fixing it. Opening the keyboard on mobile would resize the page, causing a scroll recalculation while the old hashtag was invisible, leading to the weird behavior.
  • The admin page in the Docker image serves static files again, no more plain HTML. The inclusion of these files got lost during the CI migration.
  • /network-info shows the correct QR code for the hotspot wifi. Before, it showed the code of the wifi the Pi was connected to twice.
  • Improved documentation on the remote feature in this file, adding example steps for a minimal setup.

Enjoy the new version and have a great day.

About

Raveberry is a multi user music server that allows democratic selection of songs.