jyt94
/
closedSocialMastodon
forked from closed-social/mastodon
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
闭社主体 forked from https://github.com/tootsuite/mastodon
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2383 Commits
3 Branches
123 MiB
Tree: 0d6c1e9cba
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '0d6c1e9cba'
${ noResults }
closedSocialMastodon/config/initializers/rack_attack.rb

36 lines
1.0 KiB
Raw Normal View History

Add rate limits for logins and sign-ups by IP (5 in 5 minutes) (#2079) * Add rate limits for logins and sign-ups by IP (5 in 5 minutes) Should be enough for normal attempts * Add rate limit for forgotten password form as well
7 years ago
Adding letter opener for development and Rack::Attack for future rate limiting implementations
8 years ago
Adding OAuth access scopes, fixing OAuth authorization UI, adding rate limiting to the API
8 years ago
Obfuscate filenames better, double rate limits
7 years ago
Add rate limits for logins and sign-ups by IP (5 in 5 minutes) (#2079) * Add rate limits for logins and sign-ups by IP (5 in 5 minutes) Should be enough for normal attempts * Add rate limit for forgotten password form as well
7 years ago
Fix #6 - Rate limit GET reqs to 300/5min, POST to 100/5min
8 years ago
Adding OAuth access scopes, fixing OAuth authorization UI, adding rate limiting to the API
8 years ago
Obfuscate filenames better, double rate limits
7 years ago
Adding OAuth access scopes, fixing OAuth authorization UI, adding rate limiting to the API
8 years ago
Fixing FanOutOnWriteService, fixing Sidekiq not having enough DB connections in the pool, adding a throttle of 60rpm per IP, adding mini profiler, adding admin status to users
8 years ago
Adding letter opener for development and Rack::Attack for future rate limiting implementations
8 years ago
 
  1. # frozen_string_literal: true
  2. 

  3. class Rack::Attack
  4.   # Rate limits for the API
  5.   throttle('api', limit: 300, period: 5.minutes) do |req|
  6.     req.ip if req.path =~ /\A\/api\/v/
  7.   end
  8. 

  9.   # Rate limit logins
  10.   throttle('login', limit: 5, period: 5.minutes) do |req|
  11.     req.ip if req.path == '/auth/sign_in' && req.post?
  12.   end
  13. 

  14.   # Rate limit sign-ups
  15.   throttle('register', limit: 5, period: 5.minutes) do |req|
  16.     req.ip if req.path == '/auth' && req.post?
  17.   end
  18. 

  19.   # Rate limit forgotten passwords
  20.   throttle('reminder', limit: 5, period: 5.minutes) do |req|
  21.     req.ip if req.path == '/auth/password' && req.post?
  22.   end
  23. 

  24.   self.throttled_response = lambda do |env|
  25.     now        = Time.now.utc
  26.     match_data = env['rack.attack.match_data']
  27. 

  28.     headers = {
  29.       'X-RateLimit-Limit'     => match_data[:limit].to_s,
  30.       'X-RateLimit-Remaining' => '0',
  31.       'X-RateLimit-Reset'     => (now + (match_data[:period] - now.to_i % match_data[:period])).iso8601(6),
  32.     }
  33. 

  34.     [429, headers, [{ error: 'Throttled' }.to_json]]
  35.   end
  36. end