closed-social
/
mastodon
3
0
Fork 2
Code Issues 5 Pull Requests 0 Projects 0 Releases 3 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10519 Commits
4 Branches
567 MiB
Tree: d6486c969f
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd6486c969f'
${ noResults }
mastodon/config/initializers/rack_attack.rb

129 lines
4.2 KiB
Raw Normal View History

Add rate limits for logins and sign-ups by IP (5 in 5 minutes) (#2079) * Add rate limits for logins and sign-ups by IP (5 in 5 minutes) Should be enough for normal attempts * Add rate limit for forgotten password form as well
7 years ago
Missing require 'authorization_decorator'. (#5947)
6 years ago
Adding letter opener for development and Rack::Attack for future rate limiting implementations
8 years ago
Rate limit by user instead of IP when API user is authenticated (#5923) * Fix #668 - Rate limit by user instead of IP when API user is authenticated * Fix code style issue * Use request decorator provided by Doorkeeper
6 years ago
Improve rate limiting (#10860) * Rate limit based on remote address IP, not on potential reverse proxy * Limit rate of unauthenticated API requests further * Rate-limit paging requests to one every 3 seconds
5 years ago
Rate limit by user instead of IP when API user is authenticated (#5923) * Fix #668 - Rate limit by user instead of IP when API user is authenticated * Fix code style issue * Use request decorator provided by Doorkeeper
6 years ago
Improve rate limiting (#10860) * Rate limit based on remote address IP, not on potential reverse proxy * Limit rate of unauthenticated API requests further * Rate-limit paging requests to one every 3 seconds
5 years ago
Rate limit by user instead of IP when API user is authenticated (#5923) * Fix #668 - Rate limit by user instead of IP when API user is authenticated * Fix code style issue * Use request decorator provided by Doorkeeper
6 years ago
allow localhost to bypass the ratelimit (#2554)
7 years ago
Improve rate limiting (#10860) * Rate limit based on remote address IP, not on potential reverse proxy * Limit rate of unauthenticated API requests further * Rate-limit paging requests to one every 3 seconds
5 years ago
allow localhost to bypass the ratelimit (#2554)
7 years ago
Add IP-based rules (#14963)
3 years ago
Rate limit by user instead of IP when API user is authenticated (#5923) * Fix #668 - Rate limit by user instead of IP when API user is authenticated * Fix code style issue * Use request decorator provided by Doorkeeper
6 years ago
Add tight rate-limit for API deletions (#10042) Deletions take a lot of resources to execute and cause a lot of federation traffic, so it makes sense to decrease the number someone can queue up through the API. 30 per 30 minutes
5 years ago
Add rate limits for logins and sign-ups by IP (5 in 5 minutes) (#2079) * Add rate limits for logins and sign-ups by IP (5 in 5 minutes) Should be enough for normal attempts * Add rate limit for forgotten password form as well
7 years ago
Improve rate limiting (#10860) * Rate limit based on remote address IP, not on potential reverse proxy * Limit rate of unauthenticated API requests further * Rate-limit paging requests to one every 3 seconds
5 years ago
Fix undefined method error. (#10867)
5 years ago
Add rate limits for logins and sign-ups by IP (5 in 5 minutes) (#2079) * Add rate limits for logins and sign-ups by IP (5 in 5 minutes) Should be enough for normal attempts * Add rate limit for forgotten password form as well
7 years ago
Add tight rate-limit for API deletions (#10042) Deletions take a lot of resources to execute and cause a lot of federation traffic, so it makes sense to decrease the number someone can queue up through the API. 30 per 30 minutes
5 years ago
Add a missing question mark in rack_attack.rb (#7338)
6 years ago
Throttle media post (#7337) The previous rate limit allowed to post media so fast that it is possible to fill up the disk space even before an administrator notices. The new rate limit is configured so that it takes 24 hours to eat 10 gigabytes: 10 * 1024 / 8 / (24 * 60 / 30) = 27 (which rounded to 30) The period is set long so that it does not prevent from attaching several media to one post, which would happen in a short period. For example, if the period is 5 minutes, the rate limit would be: 10 * 1024 / 8 / (24 * 60 / 5) = 4 This long period allows to lift the limit up.
6 years ago
Change rate limit for media proxy (#11814)
4 years ago
Improve rate limiting (#10860) * Rate limit based on remote address IP, not on potential reverse proxy * Limit rate of unauthenticated API requests further * Rate-limit paging requests to one every 3 seconds
5 years ago
Add rate limit for media proxy requests (#10490) 30 per 30 minutes, like media uploads
5 years ago
Add REST API for creating an account (#9572) * Add REST API for creating an account The method is available to apps with a token obtained via the client credentials grant. It creates a user and account records, as well as an access token for the app that initiated the request. The user is unconfirmed, and an e-mail is sent as usual. The method returns the access token, which the app should save for later. The REST API is not available to users with unconfirmed accounts, so the app must be smart to wait for the user to click a link in their e-mail inbox. The method is rate-limited by IP to 5 requests per 30 minutes. * Redirect users back to app from confirmation if they were created with an app * Add tests * Return 403 on the method if registrations are not open * Require agreement param to be true in the API when creating an account
5 years ago
Improve rate limiting (#10860) * Rate limit based on remote address IP, not on potential reverse proxy * Limit rate of unauthenticated API requests further * Rate-limit paging requests to one every 3 seconds
5 years ago
Fix undefined method error (#10868)
5 years ago
Add REST API for creating an account (#9572) * Add REST API for creating an account The method is available to apps with a token obtained via the client credentials grant. It creates a user and account records, as well as an access token for the app that initiated the request. The user is unconfirmed, and an e-mail is sent as usual. The method returns the access token, which the app should save for later. The REST API is not available to users with unconfirmed accounts, so the app must be smart to wait for the user to click a link in their e-mail inbox. The method is rate-limited by IP to 5 requests per 30 minutes. * Redirect users back to app from confirmation if they were created with an app * Add tests * Return 403 on the method if registrations are not open * Require agreement param to be true in the API when creating an account
5 years ago
Add tight rate-limit for API deletions (#10042) Deletions take a lot of resources to execute and cause a lot of federation traffic, so it makes sense to decrease the number someone can queue up through the API. 30 per 30 minutes
5 years ago
Optimize some regex matching (#15528) * Use Regex#match? * Replace =~ too * Avoid to call match? from Nil * Keep value of Regexp.last_match
3 years ago
Add tight rate-limit for API deletions (#10042) Deletions take a lot of resources to execute and cause a lot of federation traffic, so it makes sense to decrease the number someone can queue up through the API. 30 per 30 minutes
5 years ago
Change rate limits for various paths (#14253) - Rate limit login attempts by target account - Rate limit password resets and e-mail re-confirmations by target account - Rate limit sign-up/login attempts, password resets, and e-mail re-confirmations by IP like before
3 years ago
Add `POST /api/v1/emails/confirmations` to REST API (#15816) Only available to the application the user originally signed-up with
3 years ago
Change rate limits for various paths (#14253) - Rate limit login attempts by target account - Rate limit password resets and e-mail re-confirmations by target account - Rate limit sign-up/login attempts, password resets, and e-mail re-confirmations by IP like before
3 years ago
Add `POST /api/v1/emails/confirmations` to REST API (#15816) Only available to the application the user originally signed-up with
3 years ago
Change rate limits for various paths (#14253) - Rate limit login attempts by target account - Rate limit password resets and e-mail re-confirmations by target account - Rate limit sign-up/login attempts, password resets, and e-mail re-confirmations by IP like before
3 years ago
Fix #6 - Rate limit GET reqs to 300/5min, POST to 100/5min
7 years ago
Adding OAuth access scopes, fixing OAuth authorization UI, adding rate limiting to the API
7 years ago
Add Content-Type header on throttled response to fix mojibake (#4558) application/json only allows Unicode, so this prevents from wrong charset detection.
6 years ago
Adding OAuth access scopes, fixing OAuth authorization UI, adding rate limiting to the API
7 years ago
Obfuscate filenames better, double rate limits
7 years ago
Adding OAuth access scopes, fixing OAuth authorization UI, adding rate limiting to the API
7 years ago
Localize 'throttled' (#2755)
7 years ago
Fixing FanOutOnWriteService, fixing Sidekiq not having enough DB connections in the pool, adding a throttle of 60rpm per IP, adding mini profiler, adding admin status to users
8 years ago
Adding letter opener for development and Rack::Attack for future rate limiting implementations
8 years ago
 
  1. # frozen_string_literal: true
  2. 

  3. require 'doorkeeper/grape/authorization_decorator'
  4. 

  5. class Rack::Attack
  6.   class Request
  7.     def authenticated_token
  8.       return @token if defined?(@token)
  9. 

  10.       @token = Doorkeeper::OAuth::Token.authenticate(
  11.         Doorkeeper::Grape::AuthorizationDecorator.new(self),
  12.         *Doorkeeper.configuration.access_token_methods
  13.       )
  14.     end
  15. 

  16.     def remote_ip
  17.       @remote_ip ||= (@env["action_dispatch.remote_ip"] || ip).to_s
  18.     end
  19. 

  20.     def authenticated_user_id
  21.       authenticated_token&.resource_owner_id
  22.     end
  23. 

  24.     def unauthenticated?
  25.       !authenticated_user_id
  26.     end
  27. 

  28.     def api_request?
  29.       path.start_with?('/api')
  30.     end
  31. 

  32.     def web_request?
  33.       !api_request?
  34.     end
  35. 

  36.     def paging_request?
  37.       params['page'].present? || params['min_id'].present? || params['max_id'].present? || params['since_id'].present?
  38.     end
  39.   end
  40. 

  41.   Rack::Attack.safelist('allow from localhost') do |req|
  42.     req.remote_ip == '127.0.0.1' || req.remote_ip == '::1'
  43.   end
  44. 

  45.   Rack::Attack.blocklist('deny from blocklist') do |req|
  46.     IpBlock.blocked?(req.remote_ip)
  47.   end
  48. 

  49.   throttle('throttle_authenticated_api', limit: 300, period: 5.minutes) do |req|
  50.     req.authenticated_user_id if req.api_request?
  51.   end
  52. 

  53.   throttle('throttle_unauthenticated_api', limit: 300, period: 5.minutes) do |req|
  54.     req.remote_ip if req.api_request? && req.unauthenticated?
  55.   end
  56. 

  57.   throttle('throttle_api_media', limit: 30, period: 30.minutes) do |req|
  58.     req.authenticated_user_id if req.post? && req.path.start_with?('/api/v1/media')
  59.   end
  60. 

  61.   throttle('throttle_media_proxy', limit: 30, period: 10.minutes) do |req|
  62.     req.remote_ip if req.path.start_with?('/media_proxy')
  63.   end
  64. 

  65.   throttle('throttle_api_sign_up', limit: 5, period: 30.minutes) do |req|
  66.     req.remote_ip if req.post? && req.path == '/api/v1/accounts'
  67.   end
  68. 

  69.   throttle('throttle_authenticated_paging', limit: 300, period: 15.minutes) do |req|
  70.     req.authenticated_user_id if req.paging_request?
  71.   end
  72. 

  73.   throttle('throttle_unauthenticated_paging', limit: 300, period: 15.minutes) do |req|
  74.     req.remote_ip if req.paging_request? && req.unauthenticated?
  75.   end
  76. 

  77.   API_DELETE_REBLOG_REGEX = /\A\/api\/v1\/statuses\/[\d]+\/unreblog/.freeze
  78.   API_DELETE_STATUS_REGEX = /\A\/api\/v1\/statuses\/[\d]+/.freeze
  79. 

  80.   throttle('throttle_api_delete', limit: 30, period: 30.minutes) do |req|
  81.     req.authenticated_user_id if (req.post? && req.path.match?(API_DELETE_REBLOG_REGEX)) || (req.delete? && req.path.match?(API_DELETE_STATUS_REGEX))
  82.   end
  83. 

  84.   throttle('throttle_sign_up_attempts/ip', limit: 25, period: 5.minutes) do |req|
  85.     req.remote_ip if req.post? && req.path == '/auth'
  86.   end
  87. 

  88.   throttle('throttle_password_resets/ip', limit: 25, period: 5.minutes) do |req|
  89.     req.remote_ip if req.post? && req.path == '/auth/password'
  90.   end
  91. 

  92.   throttle('throttle_password_resets/email', limit: 5, period: 30.minutes) do |req|
  93.     req.params.dig('user', 'email').presence if req.post? && req.path == '/auth/password'
  94.   end
  95. 

  96.   throttle('throttle_email_confirmations/ip', limit: 25, period: 5.minutes) do |req|
  97.     req.remote_ip if req.post? && %w(/auth/confirmation /api/v1/emails/confirmations).include?(req.path)
  98.   end
  99. 

  100.   throttle('throttle_email_confirmations/email', limit: 5, period: 30.minutes) do |req|
  101.     if req.post? && req.path == '/auth/password'
  102.       req.params.dig('user', 'email').presence
  103.     elsif req.post? && req.path == '/api/v1/emails/confirmations'
  104.       req.authenticated_user_id
  105.     end
  106.   end
  107. 

  108.   throttle('throttle_login_attempts/ip', limit: 25, period: 5.minutes) do |req|
  109.     req.remote_ip if req.post? && req.path == '/auth/sign_in'
  110.   end
  111. 

  112.   throttle('throttle_login_attempts/email', limit: 25, period: 1.hour) do |req|
  113.     req.session[:attempt_user_id] || req.params.dig('user', 'email').presence if req.post? && req.path == '/auth/sign_in'
  114.   end
  115. 

  116.   self.throttled_response = lambda do |env|
  117.     now        = Time.now.utc
  118.     match_data = env['rack.attack.match_data']
  119. 

  120.     headers = {
  121.       'Content-Type'          => 'application/json',
  122.       'X-RateLimit-Limit'     => match_data[:limit].to_s,
  123.       'X-RateLimit-Remaining' => '0',
  124.       'X-RateLimit-Reset'     => (now + (match_data[:period] - now.to_i % match_data[:period])).iso8601(6),
  125.     }
  126. 

  127.     [429, headers, [{ error: I18n.t('errors.429') }.to_json]]
  128.   end
  129. end