mastodon/config/initializers/rack_attack.rb

# frozen_string_literal: true

class Rack::Attack
  # Rate limits for the API
  throttle('api', limit: 300, period: 5.minutes) do |req|
    req.ip if req.path =~ /\A\/api\/v/
  end

  # Rate limit logins
  throttle('login', limit: 5, period: 5.minutes) do |req|
    req.ip if req.path == '/auth/sign_in' && req.post?
  end

  # Rate limit sign-ups
  throttle('register', limit: 5, period: 5.minutes) do |req|
    req.ip if req.path == '/auth' && req.post?
  end

  # Rate limit forgotten passwords
  throttle('reminder', limit: 5, period: 5.minutes) do |req|
    req.ip if req.path == '/auth/password' && req.post?
  end

  self.throttled_response = lambda do |env|
    now        = Time.now.utc
    match_data = env['rack.attack.match_data']

    headers = {
      'X-RateLimit-Limit'     => match_data[:limit].to_s,
      'X-RateLimit-Remaining' => '0',
      'X-RateLimit-Reset'     => (now + (match_data[:period] - now.to_i % match_data[:period])).iso8601(6),
    }

    [429, headers, [{ error: 'Throttled' }.to_json]]
  end
end
Add rate limits for logins and sign-ups by IP (5 in 5 minutes) (#2079) * Add rate limits for logins and sign-ups by IP (5 in 5 minutes) Should be enough for normal attempts * Add rate limit for forgotten password form as well 2017-04-18 22:29:14 +02:00			`# frozen_string_literal: true`

Adding letter opener for development and Rack::Attack for future rate limiting implementations 2016-03-19 14:57:30 +01:00			`class Rack::Attack`
Adding OAuth access scopes, fixing OAuth authorization UI, adding rate limiting to the API 2016-10-22 19:38:47 +02:00			`# Rate limits for the API`
Obfuscate filenames better, double rate limits 2017-03-14 15:59:21 +01:00			`throttle('api', limit: 300, period: 5.minutes) do \|req\|`
Add rate limits for logins and sign-ups by IP (5 in 5 minutes) (#2079) * Add rate limits for logins and sign-ups by IP (5 in 5 minutes) Should be enough for normal attempts * Add rate limit for forgotten password form as well 2017-04-18 22:29:14 +02:00			`req.ip if req.path =~ /\A\/api\/v/`
			`end`

			`# Rate limit logins`
			`throttle('login', limit: 5, period: 5.minutes) do \|req\|`
			`req.ip if req.path == '/auth/sign_in' && req.post?`
			`end`

			`# Rate limit sign-ups`
			`throttle('register', limit: 5, period: 5.minutes) do \|req\|`
			`req.ip if req.path == '/auth' && req.post?`
			`end`

			`# Rate limit forgotten passwords`
			`throttle('reminder', limit: 5, period: 5.minutes) do \|req\|`
			`req.ip if req.path == '/auth/password' && req.post?`
Fix #6 - Rate limit GET reqs to 300/5min, POST to 100/5min 2016-09-24 13:53:54 +02:00			`end`

Adding OAuth access scopes, fixing OAuth authorization UI, adding rate limiting to the API 2016-10-22 19:38:47 +02:00			`self.throttled_response = lambda do \|env\|`
			`now = Time.now.utc`
			`match_data = env['rack.attack.match_data']`

			`headers = {`
			`'X-RateLimit-Limit' => match_data[:limit].to_s,`
			`'X-RateLimit-Remaining' => '0',`
Obfuscate filenames better, double rate limits 2017-03-14 15:59:21 +01:00			`'X-RateLimit-Reset' => (now + (match_data[:period] - now.to_i % match_data[:period])).iso8601(6),`
Adding OAuth access scopes, fixing OAuth authorization UI, adding rate limiting to the API 2016-10-22 19:38:47 +02:00			`}`

			`[429, headers, [{ error: 'Throttled' }.to_json]]`
Fixing FanOutOnWriteService, fixing Sidekiq not having enough DB connections in the pool, adding a throttle of 60rpm per IP, adding mini profiler, adding admin status to users 2016-03-25 14:12:24 +01:00			`end`
Adding letter opener for development and Rack::Attack for future rate limiting implementations 2016-03-19 14:57:30 +01:00			`end`