LenPayne/mastodon
1
0
Fork 0
forked from cybrespace/mastodon
Code Issues Pull requests Releases Wiki Activity

Apply a 25x rate limit by IP even to authenticated requests (#5948)

Browse source
This commit is contained in:
Eugen Rochko 2017-12-11 15:32:29 +01:00 committed by GitHub
parent e56323a4dd
commit feed07227b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 4 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
app/controllers/concerns/rate_limit_headers.rb
View file

@ -44,8 +44,8 @@ module RateLimitHeaders
end
def api_throttle_data
request.env['rack.attack.throttle_data']['throttle_authenticated_api'] ||
request.env['rack.attack.throttle_data']['throttle_unauthenticated_api']
most_limited_type, = request.env['rack.attack.throttle_data'].min_by { |_, v| v[:limit] }
request.env['rack.attack.throttle_data'][most_limited_type]
end
def request_time

4
config/initializers/rack_attack.rb
View file

@ -49,8 +49,8 @@ class Rack::Attack
req.api_request? && req.authenticated_user_id
end
throttle('throttle_unauthenticated_api', limit: 300, period: 5.minutes) do |req|
req.ip if req.api_request? && req.unauthenticated?
throttle('throttle_unauthenticated_api', limit: 7_500, period: 5.minutes) do |req|
req.ip if req.api_request?
end
throttle('protected_paths', limit: 5, period: 5.minutes) do |req|