EPrints Technical Mailing List Archive

Message: #09039



Re: [EP-tech] Altmetric badge plugin


CAUTION: This e-mail originated outside the University of Southampton.

Hi All,

With the addition of a default link to Altmetric prior to any JavaScript firing, I think that checking the referrer will work.

 

We could:

- simply check referrer is set, and matches [host]/id/eprint/\d+$ or [host]/\d+/$

--- if it doesn't a 403 response could be returned

--- in the scenario that a legitimate browser doesn't send a referrer, the JavaScript could catch the 403 and leave the default link to Altmetric in-situ.

 

- extract EPrintID from referrer and double-check the identifier passed to the cgi script exists on that record*

--- same outcomes as above?

 

*double-checking the eprintid + identifier would increase load on the server. Every page that calls the Altmetric cgi script would have a requirement on the database. I've got mixed feelings about this.

 

My initial thoughts were WAF type things. If someone is abusing cgi/altmetric it would possibly be visible (and blockable) at that level - but then we haven't all got WAFs.

 

I could see if Altmetric have any thoughts on this?

I feel like we're asking questions that are similar to why the libwww-perl user-agent got blocked.

 

Cheers,

John
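
The referrer check and the EPrint ID + identifier double-check proposed in the message above, as an added Perl example (not part of the original e-mail and not the plugin's own code). The host name, the `%RECORD_IDS` sample data and both function names are hypothetical; a real script would read the identifiers from the eprint record.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data: eprintid => identifiers (DOI/ISSN) on that record.
# A real script would read these from the eprint record in the database.
my %RECORD_IDS = (
    1234 => ['10.1234/example.doi'],
    77   => ['1234-5678'],
);

# Return the EPrint ID if the Referer is an abstract page on $host, else undef.
sub eprintid_from_referrer {
    my ( $referrer, $host ) = @_;
    return unless defined $referrer;
    # \A and \z anchor the whole string, and \Q..\E stops "." in the host
    # acting as a wildcard, so look-alike hosts and URLs that merely
    # contain the expected path somewhere do not match.
    if ( $referrer =~ m{\Ahttps?://\Q$host\E/(?:id/eprint/([0-9]+)|([0-9]+)/)\z} ) {
        return defined($1) ? $1 : $2;
    }
    return;
}

# Return the HTTP status the proxy should answer with.
sub check_request {
    my ( $referrer, $host, $identifier ) = @_;
    my $eprintid = eprintid_from_referrer( $referrer, $host );
    return 403 unless defined $eprintid;    # missing or foreign referrer
    my $ids = $RECORD_IDS{$eprintid} or return 403;    # no such record
    return 403 unless defined($identifier)
        && grep { lc($_) eq lc($identifier) } @$ids;   # not on this record
    return 200;    # safe to forward the lookup to the Altmetric API
}

# Constructed requests: [ Referer header, identifier parameter ]
my $host = 'repo.example.org';
for my $case (
    [ 'https://repo.example.org/id/eprint/1234',      '10.1234/example.doi' ],
    [ 'https://repo.example.org/77/',                 '1234-5678' ],
    [ 'https://repo.example.org/1234/',               '10.9999/other' ],
    [ 'https://repo.example.org.other.example/1234/', '10.1234/example.doi' ],
    [ undef,                                          '10.1234/example.doi' ],
) {
    my ( $ref, $id ) = @$case;
    printf "%-47s %-20s => %d\n", $ref // '(no referrer)', $id,
        check_request( $ref, $host, $id );
}
```

The first two constructed requests return 200 and the other three return 403. Since the Referer header is supplied by the client, the check limits casual reuse of the proxy rather than authenticating the caller, as the replies quoted below point out.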

 

 

From: eprints-tech-bounces@ecs.soton.ac.uk [mailto:eprints-tech-bounces@ecs.soton.ac.uk] On Behalf Of David R Newman via Eprints-tech
Sent: 12 August 2022 13:09
To: eprints-tech@ecs.soton.ac.uk; Will Fyson <will.fyson@cosector.com>; John Salter <J.Salter@leeds.ac.uk>
Subject: Re: [EP-tech] Altmetric badge plugin

 

Hi Will and John

 

We could just use the referrer, which is the URL for the abstract page, to extract the EPrint ID and save having to pass another parameter.  Although anyone could set the referrer, this is a little trickier than sending the EPrint ID.  I agree with Will that limiting lookups to DOIs/ISSNs that are in eprint records in the repository is probably sufficient to deal with the bulk of abuse that the proxy to the Altmetric API could be exposed to.

 

Regards

 

David Newman

 

On 12/08/2022 1:01 pm, Will Fyson via Eprints-tech wrote:

As a quick follow-up to my previous email.... I suppose this just limits the script to being used to look up Altmetrics for items in the repository only, but wouldn't stop it from being used by others to do that also... but may be better than nothing?

 

Many thanks,

 

Will

 

 

Will Fyson

Development & Support Analyst, Research Technologies

CoSector, University of London

Senate House

Malet Street

London

WC1E 7HU

 

t: +44 (0)20 7863 1341

 

The University of London is an exempt charity in England and Wales.

 


From: Will Fyson <will.fyson@cosector.com>
Sent: 12 August 2022 12:55
To: eprints-tech@ecs.soton.ac.uk <eprints-tech@ecs.soton.ac.uk>; John Salter <J.Salter@leeds.ac.uk>
Subject: Re: [EP-tech] Altmetric badge plugin

 

Hi John,

 

If the altmetric cgi script was passed the eprint id along with the DOI, could we then do a very quick check to make sure that DOI is on the eprint's record in the database and if not we then don't query the altmetric api? That should hopefully stop it from being abused by others (or have I missed a very simple way of getting around that?).

 

Many thanks,

 

Will

 


 


From: eprints-tech-bounces@ecs.soton.ac.uk <eprints-tech-bounces@ecs.soton.ac.uk> on behalf of John Salter via Eprints-tech <eprints-tech@ecs.soton.ac.uk>
Sent: 11 August 2022 09:34
To: eprints-tech@ecs.soton.ac.uk <eprints-tech@ecs.soton.ac.uk>; Yuri <yurj@alfa.it>
Subject: Re: [EP-tech] Altmetric badge plugin

 

Thanks Yuri,

I've updated the screenshot and some details about installation.

 

You are right - the cgi script can be called from anywhere.

I'm not sure what we could do about this, if we thought we did need to do something.

 

Normally some form of cookie / session variable would be used to lock-down this sort of thing, but as EPrints only uses sessions for authenticated users, that feels like a lot of work for this.


What are other people's thoughts on this?

Cheers,
John
PS I haven't had a response from Altmetric about the user-agent fix yet.

 


From: eprints-tech-bounces@ecs.soton.ac.uk <eprints-tech-bounces@ecs.soton.ac.uk> on behalf of Yuri via Eprints-tech <eprints-tech@ecs.soton.ac.uk>
Sent: 10 August 2022 13:40
To: eprints-tech@ecs.soton.ac.uk <eprints-tech@ecs.soton.ac.uk>
Subject: Re: [EP-tech] Altmetric badge plugin

 

You can update the screenshot in the GitHub repo (it still mentions Google+). Also, mentioning that the plugin works OOTB without any config can help.

 

Note: am I wrong, or can the /cgi/altimetrics cgi be called from everywhere? So others could use your installed cgi as a proxy to get the data from Altmetric.

 

 

 

 

On 10/08/22 14:14, John Salter via Eprints-tech wrote:

Hi Jens,
I was a bit worried by your first message... glad the real fix is a fix!
😉

 

In the new release there will also be a few other small improvements, such as better internationalisation for this 

 

If anyone has any comments about the plugin, now is the time to tell me (or log them here: https://github.com/eprintsug/altmetric/issues).

 

Cheers,

John

 


From: Jens Witzel <jens.witzel@uzh.ch>
Sent: 10 August 2022 13:08
To: eprints-tech@ecs.soton.ac.uk <eprints-tech@ecs.soton.ac.uk>; John Salter <J.Salter@leeds.ac.uk>
Subject: AW: Altmetric badge plugin

 

https://github.com/eprintsug/altmetric/commit/a687fcce74a06312e02af25f275492079e5dc6ed worked for us. 😊

 

Cheers
Jens

 

--
Jens Witzel
Zentrale Informatik
Universität Zürich
Stampfenbachstrasse 73
CH-8006 Zürich

mail:  jens.witzel@uzh.ch
phone: +41 44 63 56777
http://www.zi.uzh.ch

 

From: Jens Witzel <jens.witzel@uzh.ch>
Sent: Wednesday, 10 August 2022 14:05
To: eprints-tech@ecs.soton.ac.uk; John Salter <J.Salter@leeds.ac.uk>; eprints-uk-user-group@googlegroups.com
Subject: AW: Altmetric badge plugin

 

Thanks John

 

Nope, we already changed the API URL some months ago from http to https - but still receive this error :-/

 

Cheers
Jens

 


 

From: eprints-tech-bounces@ecs.soton.ac.uk <eprints-tech-bounces@ecs.soton.ac.uk> On Behalf Of John Salter via Eprints-tech
Sent: Wednesday, 10 August 2022 13:13
To: eprints-tech@ecs.soton.ac.uk; eprints-uk-user-group@googlegroups.com
Subject: [EP-tech] Altmetric badge plugin

 

Hi All,

Some users of the Altmetric badge plugin (https://bazaar.eprints.org/id/epm/altmetric) have reported that it has stopped working.

This appears to be a change at the Altmetric end of things (or possibly a threshold being reached), which is now blocking the request from the EPrints server to their API.

 

We have an initial fix for this:

but are waiting for feedback from Altmetric before releasing a new version of the plugin.

 

I'll post here again when the new version has been released into the Bazaar.

Many thanks to David Newman for flagging this, diagnosing it, and suggesting a fix.

 

Cheers,

John

John Salter

 

White Rose Libraries Technical Officer

IT - Application Support (Research)

10.23B, IT Services Building

University of Leeds

Leeds

LS2 9JT



*** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
*** Archive: http://www.eprints.org/tech.php/
*** EPrints community wiki: http://wiki.eprints.org/


