PR #374 removed `@auth_required` from a number of routes and changed
those which used their `v` parameters to `v=None` and removed the `v`
parameter from those which didn't internally use it. 1841134b47
PR #392 re-added `@auth_desired` to those routes to ensure the
templates rendered with awareness of the current logged-in user
(matters for search, header bar, etc). 9f042c1aeb
However, 500 errors occurred on /random_post, /random_user, /id/<uid>,
and /u/<username>. Those were the four which had their `v` parameter
removed entirely. This has been re-added, which fixes the bug.
The way to understand auth_required vs auth_desired is that they are
nearly identical, with the sole difference that auth_required
checks if v is None and aborts with 401 if so. This means that
auth_desired routes must handle the v=None case. They are the same in
that they always try to give a `v` kwarg to the decorated function,
which was the root cause of those four routes erroring.
Recommended style: the vast majority of routes which return a rendered
template should be auth_desired, because the top-level templates often
draw extensively from `v` state even when the route handler does not.
When a route is either auth_desired or auth_required, it should have a
`v` parameter, which we typically give as the first positional
parameter.
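The contract described above, as an added illustration that is not rDrama's own code: both decorators always pass a `v` kwarg, so a handler declared without `v` raises `TypeError` and surfaces as a 500, while `auth_desired` handlers must accept `v=None`. The decorator bodies, the dict-based session lookup, the `Unauthorized` exception and the `dispatch` helper are constructed for this example.

```python
import functools

class Unauthorized(Exception):
    """Stands in for Flask's abort(401) in this constructed example."""

def auth_desired(fn):
    """Resolve the session user (possibly None) and always pass it as `v`."""
    @functools.wraps(fn)
    def wrapper(*args, session=None, **kwargs):
        v = (session or {}).get("user")      # None when nobody is logged in
        return fn(*args, v=v, **kwargs)      # v is always supplied to the handler
    return wrapper

def auth_required(fn):
    """Identical to auth_desired except anonymous callers are rejected with 401."""
    @functools.wraps(fn)
    def wrapper(*args, session=None, **kwargs):
        v = (session or {}).get("user")
        if v is None:
            raise Unauthorized()             # the sole behavioural difference
        return fn(*args, v=v, **kwargs)
    return wrapper

def dispatch(route, session):
    """Mimic the server: map exceptions to HTTP status codes."""
    try:
        body = route(session=session)
    except Unauthorized:
        return 401, ""
    except TypeError:                        # unexpected `v` kwarg -> unhandled -> 500
        return 500, ""
    return 200, body

@auth_desired
def random_post_broken():                    # the #374 shape: `v` removed entirely
    return "post"

@auth_desired
def random_post_fixed(v=None):               # accepts `v` and handles the anonymous case
    return f"post for {v['name'] if v else 'anonymous'}"

@auth_required
def settings(v):                             # v is never None here
    return f"settings for {v['name']}"
```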

This commit adds the @auth_desired decorator to
routes that previously had the @auth_required decorator,
but had it removed in #374. This should cause
the user to remain logged in on these routes.

Recently, unrelated changes led to enabling logging for flask-limiter
accidentally, at which point it was discovered that it wasn't actually
limiting requests due to Limiter.key_func = get_CF not being proper
for either prod (not behind Cloudflare) or localhost (likewise).
We instead use the remote_addr attached directly to the request using
the existing flask-limiter function to do so.
Detailed troubleshooting at:
https://github.com/themotte/rDrama/issues/222#issuecomment-1229489062

Implements feature request to know how many of each badge exists and
to have a 'rarity', a la Steam or PSN badges, relative to number of
non-lurker users.
Because Postgres `COUNT()`s are notoriously costly, /badges has been
memoized for 1hr to avoid a DOS target.