-
Notifications
You must be signed in to change notification settings - Fork 97
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(nft): exclude spam and phishing, refactored db #1959
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great work! Some notes from first review iteration:
let nfts: Vec<Nft> = self.get_nfts_by_token_address(chain, token_address.clone()).await?; | ||
let locked_db = self.lock_db().await?; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You should lock the db before reading nfts
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
UPD if we move lock_db before other db methods which access db it breaks it. well bcz another storage method tries to lock db while it already was locked.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oooh, I see. Hmm, that shouldn't be that way but let's not deal with this issue in this PR. You can revert it to previous state.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
…ashSet, passes filter funcs, lock_db at the beginning
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These are my last notes on this PR. Thank you for patience on fixing the previous ones.
As an extra note, if this PR doesn't need to be rushed, I would highly suggest testing and re-designing the usage of db locks if necessary. Right now as far as I understand, almost every function starts with locking, so if caller and callee locks the db, there is very high chance if being end up with deadlocks. Like it happened #1959 (comment) here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some notes starting from 6f33a11
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor notes:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thank you for the fixes!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
First review iteration from my side! I will review the rest of the code in the next and last review iteration!
storage | ||
.update_transfer_spam_by_token_address(chain, address_hex, true) | ||
.await?; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This call is not needed if possible_spam
was true
before, also can possible_spam
change from true
to false
? meaning that an NFT that was flagged as possible spam passes some criteria and gets reconsidered as not being a spam.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This call is not needed if possible_spam was true before,
oh, yeah agree in refresh_possible_spam
there is no need to send spam request again if possible spam is already true bcz of nft_db.common.possible_spam = moralis_meta.common.possible_spam;
also can possible_spam change from true to false
Well we dont know how moralis marks their nft spam or not spam.
But yeah it could be a situation that they changed possible_spam
from
true to false
But since we use separate db with spamy addresses I suggest to mark nft as spam if contact address has true in our db.
Another but :D I got your idea. lets check in refresh_possible_spam
function whether the spam
value for contract address has changed in our database or not. If moralis returns false and our spam api returns false for contract in refresh
functionality then lets leave this as false
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But yeah it could be a situation that they changed possible_spam from true to false
But since we use separate db with spamy addresses I suggest to mark nft as spam if contact address has true in our db.
I consider this an edge case, but NFT collections can gain traction after sometime and some of the false positive possible spam NFTs due to the criteria used to identify spams can become popular in the future. I see that we don't change true
to false
anywhere, we can keep it this way for now until we get real cases from users feedback.
if let Ok(token_uri_meta) = serde_json::from_value(response_meta) { | ||
uri_meta = token_uri_meta; | ||
} | ||
if let Some(url) = construct_camo_url_with_token(token_uri, url_antispam) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am interested to know how camo will be used for image_url
/animation_url
/etc.. , will the url be constructed from the GUI side? or will it not be used at all?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@smk did /url/decode/{url_hex}
endpoint capable to return you json object or if link returns image type content you will download picture, if request was successful of course(camo doesnt allow redirections). So yeah, GUI also should use camo to download pictures
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So yeah, GUI also should use camo to download pictures
Should we provide them the constructed camo url or will they construct it from their side? It can be an option in NftMetadataReq
, if requested, we would then convert the urls after we retrieve them from database to camo format.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we provide them the constructed camo url or will they construct it from their side?
GUI needs to convert image_url
string to hex format and send get req to /url/decode/{url_hex}
. There is no need to build the whole complex camo url, proxy does it on its side. All you need is to provide hex format. I think GUI can do it on their side.
It can be an option in
NftMetadataReq
, if requested, we would then convert the urls after we retrieve them from database to camo format.
As far as I know they send get nft list req with max
flag to see all nft info and then try to send req to image_url
to download picture for all items. But of course we can speak about it and if they want we can add ready hex format.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🔥
@laruh please provide @KomodoPlatform/qa team examples of changes in this PR for docs and testing if needed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
secure code reviewed
@laruh @KomodoPlatform/qa can this PR be merged or are there still some work to be done on the QA/docs side? |
Hi, I think we can merge it. Docs will be updated to match this PR, if we missed something from the current PR we also can add it. |
In this PR
exclude_spam
andexclude_phishing
params were added forget_nft_list
andget_nft_transfers
RPCs.Db in native target was refactored. It doesnt use
details_json
with all rust struct fields anymore. To get nft and transfers from db, there is need to fetch all fields from the table. However update process some specific fields from became easier.If
exclude_spam
is true, then all nfts or transfers wherepossible_spam
istrue
will be excluded from response.If
exclude_phishing
is true, then all nfts or transfers wherepossible_phishing
istrue
will be excluded from response.Link to antispam API docs.
Second sprint iteration from commit 410330a
UriMeta
from json. It protects from phishing and solves cors problem.possible_phishing
(add requests to/api/blocklist/domain/scan
endpoint).contains_disallowed_url
check for possible spam urls during update process, so we will have already checked nfts in db, which can be excluded.Get NFT metadata
response. If we get the error, then return Nft with empty metadata andpossible_spam:true
.