Allow unauthenticated search and scoring (anonymous free-tier access) #34

Closed
opened 2026-04-13 12:07:20 -07:00 by pyr0ball · 0 comments
Owner

## Problem

In cloud mode, `get_session()` raises 401 when no session header is present. This blocks all API endpoints including `/api/search` from unauthenticated visitors.

## Goal

Public users should be able to search and score eBay listings without creating an account. This:

- Lowers friction for the news-hook launch (eBay cancellation policy change, May 13)
- Feeds the shared anti-scammer database from every anonymous search
- Drives affiliate link traffic

## Changes

### `api/cloud_session.py`

- When no session header is present in cloud mode, return a free-tier `CloudUser(user_id="anonymous", tier="free")` instead of raising 401
- Add `_anon_db_path()` pointing to `CLOUD_DATA_ROOT/anonymous/snipe/user.db`
- Anonymous users: `shared_db=_shared_db_path()`, `user_db=_anon_db_path()`
- Seller and market comp data accumulates in `shared_db` (anti-scammer corpus)

### `api/main.py`

- Gate `POST /api/blocklist` against anonymous users (abuse vector) — return 403 with a "sign in to report sellers" message
- `GET /api/blocklist`, `POST /api/community/signal`, and all search endpoints remain open

## Tier behavior for anon

- 1 page of results (free tier cap)
- No saved searches
- No background monitoring
- Community signals: allowed (contributes to shared DB)
- Blocklist reads: allowed
- Blocklist writes: blocked (requires account)
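A minimal model of the session change described in the issue, added here as an example and not code from the Circuit-Forge/snipe repository: the HTTP framework is replaced by plain functions, and it makes explicit one check the issue does not spell out, that only a *missing* header falls back to the anonymous user while a present but unknown session id is still rejected with 401. `CLOUD_DATA_ROOT`, the `x-session` header name, the shared-db layout and the `CloudUser` fields are assumptions.

```python
from dataclasses import dataclass
from pathlib import Path

CLOUD_DATA_ROOT = Path("/data")   # assumed cloud data root
SESSION_HEADER = "x-session"      # assumed session header name
FREE_TIER_PAGE_CAP = 1            # issue: free tier gets 1 page of results

class HTTPError(Exception):
    def __init__(self, status: int, detail: str):
        super().__init__(f"{status}: {detail}")
        self.status, self.detail = status, detail

@dataclass(frozen=True)
class CloudUser:
    user_id: str
    tier: str
    shared_db: Path
    user_db: Path

def _shared_db_path() -> Path:
    return CLOUD_DATA_ROOT / "shared" / "snipe" / "shared.db"  # assumed layout

def _anon_db_path() -> Path:  # path named in the issue
    return CLOUD_DATA_ROOT / "anonymous" / "snipe" / "user.db"

def get_session(headers: dict, sessions: dict) -> CloudUser:
    """No session header -> shared free-tier anonymous user instead of 401.
    A header that is present but unknown is still rejected with 401."""
    token = headers.get(SESSION_HEADER)
    if token is None:
        return CloudUser("anonymous", "free", _shared_db_path(), _anon_db_path())
    user = sessions.get(token)
    if user is None:
        raise HTTPError(401, "invalid session")
    return user

def blocklist_write(headers: dict, sessions: dict) -> tuple[int, str]:
    """POST /api/blocklist: anonymous callers may read but never write."""
    try:
        user = get_session(headers, sessions)
    except HTTPError as e:
        return e.status, e.detail
    if user.user_id == "anonymous":
        return 403, "sign in to report sellers"
    return 200, "seller reported"

def search_pages(user: CloudUser, requested: int) -> int:
    """Clamp result pages to the free-tier cap; anonymous users are free tier."""
    return min(requested, FREE_TIER_PAGE_CAP) if user.tier == "free" else requested
```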
Reference: Circuit-Forge/snipe#34