Apply a 25x rate limit by IP even to authenticated requests (#5948)
This commit is contained in:
parent
e56323a4dd
commit
feed07227b
|
@ -44,8 +44,8 @@ module RateLimitHeaders
|
||||||
end
|
end
|
||||||
|
|
||||||
def api_throttle_data
|
def api_throttle_data
|
||||||
request.env['rack.attack.throttle_data']['throttle_authenticated_api'] ||
|
most_limited_type, = request.env['rack.attack.throttle_data'].min_by { |_, v| v[:limit] }
|
||||||
request.env['rack.attack.throttle_data']['throttle_unauthenticated_api']
|
request.env['rack.attack.throttle_data'][most_limited_type]
|
||||||
end
|
end
|
||||||
|
|
||||||
def request_time
|
def request_time
|
||||||
|
|
|
@ -49,8 +49,8 @@ class Rack::Attack
|
||||||
req.api_request? && req.authenticated_user_id
|
req.api_request? && req.authenticated_user_id
|
||||||
end
|
end
|
||||||
|
|
||||||
throttle('throttle_unauthenticated_api', limit: 300, period: 5.minutes) do |req|
|
throttle('throttle_unauthenticated_api', limit: 7_500, period: 5.minutes) do |req|
|
||||||
req.ip if req.api_request? && req.unauthenticated?
|
req.ip if req.api_request?
|
||||||
end
|
end
|
||||||
|
|
||||||
throttle('protected_paths', limit: 5, period: 5.minutes) do |req|
|
throttle('protected_paths', limit: 5, period: 5.minutes) do |req|
|
||||||
|
|
Loading…
Reference in New Issue