nekobus
/
mastodon_neko
forked from closed-social/mastodon
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
闭社主体 forked from https://github.com/tootsuite/mastodon
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4036 Commits
2 Branches
112 MiB
Tree: 85c7c42098
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '85c7c42098'
${ noResults }
mastodon_neko/config/initializers/rack_attack.rb

44 lines
1.3 KiB
Raw Normal View History

Add rate limits for logins and sign-ups by IP (5 in 5 minutes) (#2079) * Add rate limits for logins and sign-ups by IP (5 in 5 minutes) Should be enough for normal attempts * Add rate limit for forgotten password form as well
7 years ago
Adding letter opener for development and Rack::Attack for future rate limiting implementations
8 years ago
allow localhost to bypass the ratelimit (#2554)
7 years ago
Adding OAuth access scopes, fixing OAuth authorization UI, adding rate limiting to the API
8 years ago
Obfuscate filenames better, double rate limits
7 years ago
Add rate limits for logins and sign-ups by IP (5 in 5 minutes) (#2079) * Add rate limits for logins and sign-ups by IP (5 in 5 minutes) Should be enough for normal attempts * Add rate limit for forgotten password form as well
7 years ago
Fix #6 - Rate limit GET reqs to 300/5min, POST to 100/5min
8 years ago
Adding OAuth access scopes, fixing OAuth authorization UI, adding rate limiting to the API
8 years ago
Add Content-Type header on throttled response to fix mojibake (#4558) application/json only allows Unicode, so this prevents from wrong charset detection.
7 years ago
Adding OAuth access scopes, fixing OAuth authorization UI, adding rate limiting to the API
8 years ago
Obfuscate filenames better, double rate limits
7 years ago
Adding OAuth access scopes, fixing OAuth authorization UI, adding rate limiting to the API
8 years ago
Localize 'throttled' (#2755)
7 years ago
Fixing FanOutOnWriteService, fixing Sidekiq not having enough DB connections in the pool, adding a throttle of 60rpm per IP, adding mini profiler, adding admin status to users
8 years ago
Adding letter opener for development and Rack::Attack for future rate limiting implementations
8 years ago
 
  1. # frozen_string_literal: true
  2. 

  3. class Rack::Attack
  4.   # Always allow requests from localhost
  5.   # (blocklist & throttles are skipped)
  6.   Rack::Attack.safelist('allow from localhost') do |req|
  7.     # Requests are allowed if the return value is truthy
  8.     '127.0.0.1' == req.ip || '::1' == req.ip
  9.   end
  10. 

  11.   # Rate limits for the API
  12.   throttle('api', limit: 300, period: 5.minutes) do |req|
  13.     req.ip if req.path =~ /\A\/api\/v/
  14.   end
  15. 

  16.   # Rate limit logins
  17.   throttle('login', limit: 5, period: 5.minutes) do |req|
  18.     req.ip if req.path == '/auth/sign_in' && req.post?
  19.   end
  20. 

  21.   # Rate limit sign-ups
  22.   throttle('register', limit: 5, period: 5.minutes) do |req|
  23.     req.ip if req.path == '/auth' && req.post?
  24.   end
  25. 

  26.   # Rate limit forgotten passwords
  27.   throttle('reminder', limit: 5, period: 5.minutes) do |req|
  28.     req.ip if req.path == '/auth/password' && req.post?
  29.   end
  30. 

  31.   self.throttled_response = lambda do |env|
  32.     now        = Time.now.utc
  33.     match_data = env['rack.attack.match_data']
  34. 

  35.     headers = {
  36.       'Content-Type'          => 'application/json',
  37.       'X-RateLimit-Limit'     => match_data[:limit].to_s,
  38.       'X-RateLimit-Remaining' => '0',
  39.       'X-RateLimit-Reset'     => (now + (match_data[:period] - now.to_i % match_data[:period])).iso8601(6),
  40.     }
  41. 

  42.     [429, headers, [{ error: I18n.t('errors.429') }.to_json]]
  43.   end
  44. end