closed-social
/
mastodon
3
0
Fork 2
Code Issues 5 Pull Requests 0 Projects 0 Releases 3 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5420 Commits
4 Branches
567 MiB
Tree: 0f2fbf7d05
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '0f2fbf7d05'
${ noResults }
mastodon/config/initializers/rack_attack.rb

77 lines
2.0 KiB
Raw Normal View History

Add rate limits for logins and sign-ups by IP (5 in 5 minutes) (#2079) * Add rate limits for logins and sign-ups by IP (5 in 5 minutes) Should be enough for normal attempts * Add rate limit for forgotten password form as well
7 years ago
Missing require 'authorization_decorator'. (#5947)
6 years ago
Adding letter opener for development and Rack::Attack for future rate limiting implementations
8 years ago
Rate limit by user instead of IP when API user is authenticated (#5923) * Fix #668 - Rate limit by user instead of IP when API user is authenticated * Fix code style issue * Use request decorator provided by Doorkeeper
6 years ago
allow localhost to bypass the ratelimit (#2554)
7 years ago
Rate limit by user instead of IP when API user is authenticated (#5923) * Fix #668 - Rate limit by user instead of IP when API user is authenticated * Fix code style issue * Use request decorator provided by Doorkeeper
6 years ago
Add rate limits for logins and sign-ups by IP (5 in 5 minutes) (#2079) * Add rate limits for logins and sign-ups by IP (5 in 5 minutes) Should be enough for normal attempts * Add rate limit for forgotten password form as well
7 years ago
Apply a 25x rate limit by IP even to authenticated requests (#5948)
6 years ago
Add rate limits for logins and sign-ups by IP (5 in 5 minutes) (#2079) * Add rate limits for logins and sign-ups by IP (5 in 5 minutes) Should be enough for normal attempts * Add rate limit for forgotten password form as well
7 years ago
Throttle media post (#7337) The previous rate limit allowed to post media so fast that it is possible to fill up the disk space even before an administrator notices. The new rate limit is configured so that it takes 24 hours to eat 10 gigabytes: 10 * 1024 / 8 / (24 * 60 / 30) = 27 (which rounded to 30) The period is set long so that it does not prevent from attaching several media to one post, which would happen in a short period. For example, if the period is 5 minutes, the rate limit would be: 10 * 1024 / 8 / (24 * 60 / 5) = 4 This long period allows to lift the limit up.
6 years ago
Add a missing question mark in rack_attack.rb (#7338)
6 years ago
Throttle media post (#7337) The previous rate limit allowed to post media so fast that it is possible to fill up the disk space even before an administrator notices. The new rate limit is configured so that it takes 24 hours to eat 10 gigabytes: 10 * 1024 / 8 / (24 * 60 / 30) = 27 (which rounded to 30) The period is set long so that it does not prevent from attaching several media to one post, which would happen in a short period. For example, if the period is 5 minutes, the rate limit would be: 10 * 1024 / 8 / (24 * 60 / 5) = 4 This long period allows to lift the limit up.
6 years ago
Increase rate limit on protected paths (#6229) Previously each protected path had a separate rate limit. Now they're all in the same bucket, so people are more likely to hit one with register->login. Increasing to 25 per 5 minutes should be fine.
6 years ago
Rate limit by user instead of IP when API user is authenticated (#5923) * Fix #668 - Rate limit by user instead of IP when API user is authenticated * Fix code style issue * Use request decorator provided by Doorkeeper
6 years ago
Fix #6 - Rate limit GET reqs to 300/5min, POST to 100/5min
8 years ago
Adding OAuth access scopes, fixing OAuth authorization UI, adding rate limiting to the API
8 years ago
Add Content-Type header on throttled response to fix mojibake (#4558) application/json only allows Unicode, so this prevents from wrong charset detection.
7 years ago
Adding OAuth access scopes, fixing OAuth authorization UI, adding rate limiting to the API
8 years ago
Obfuscate filenames better, double rate limits
7 years ago
Adding OAuth access scopes, fixing OAuth authorization UI, adding rate limiting to the API
8 years ago
Localize 'throttled' (#2755)
7 years ago
Fixing FanOutOnWriteService, fixing Sidekiq not having enough DB connections in the pool, adding a throttle of 60rpm per IP, adding mini profiler, adding admin status to users
8 years ago
Adding letter opener for development and Rack::Attack for future rate limiting implementations
8 years ago
 
  1. # frozen_string_literal: true
  2. 

  3. require 'doorkeeper/grape/authorization_decorator'
  4. 

  5. class Rack::Attack
  6.   class Request
  7.     def authenticated_token
  8.       return @token if defined?(@token)
  9. 

  10.       @token = Doorkeeper::OAuth::Token.authenticate(
  11.         Doorkeeper::Grape::AuthorizationDecorator.new(self),
  12.         *Doorkeeper.configuration.access_token_methods
  13.       )
  14.     end
  15. 

  16.     def authenticated_user_id
  17.       authenticated_token&.resource_owner_id
  18.     end
  19. 

  20.     def unauthenticated?
  21.       !authenticated_user_id
  22.     end
  23. 

  24.     def api_request?
  25.       path.start_with?('/api')
  26.     end
  27. 

  28.     def web_request?
  29.       !api_request?
  30.     end
  31.   end
  32. 

  33.   PROTECTED_PATHS = %w(

  34.     /auth/sign_in
  35.     /auth

  36.     /auth/password
  37.   ).freeze
  38. 

  39.   PROTECTED_PATHS_REGEX = Regexp.union(PROTECTED_PATHS.map { |path| /\A#{Regexp.escape(path)}/ })
  40. 

  41.   # Always allow requests from localhost
  42.   # (blocklist & throttles are skipped)
  43.   Rack::Attack.safelist('allow from localhost') do |req|
  44.     # Requests are allowed if the return value is truthy
  45.     '127.0.0.1' == req.ip || '::1' == req.ip
  46.   end
  47. 

  48.   throttle('throttle_authenticated_api', limit: 300, period: 5.minutes) do |req|
  49.     req.api_request? && req.authenticated_user_id
  50.   end
  51. 

  52.   throttle('throttle_unauthenticated_api', limit: 7_500, period: 5.minutes) do |req|
  53.     req.ip if req.api_request?
  54.   end
  55. 

  56.   throttle('throttle_media', limit: 30, period: 30.minutes) do |req|
  57.     req.authenticated_user_id if req.post? && req.path.start_with?('/api/v1/media')
  58.   end
  59. 

  60.   throttle('protected_paths', limit: 25, period: 5.minutes) do |req|
  61.     req.ip if req.post? && req.path =~ PROTECTED_PATHS_REGEX
  62.   end
  63. 

  64.   self.throttled_response = lambda do |env|
  65.     now        = Time.now.utc
  66.     match_data = env['rack.attack.match_data']
  67. 

  68.     headers = {
  69.       'Content-Type'          => 'application/json',
  70.       'X-RateLimit-Limit'     => match_data[:limit].to_s,
  71.       'X-RateLimit-Remaining' => '0',
  72.       'X-RateLimit-Reset'     => (now + (match_data[:period] - now.to_i % match_data[:period])).iso8601(6),
  73.     }
  74. 

  75.     [429, headers, [{ error: I18n.t('errors.429') }.to_json]]
  76.   end
  77. end