Apply a 25x rate limit by IP even to authenticated requests (#5948)

author: Eugen Rochko <eugen@zeonfederated.com> 2017-12-11 15:32:29 +0100
committer: GitHub <noreply@github.com> 2017-12-11 15:32:29 +0100
commit: feed07227ba9feb8def161dc127033016c749ac5 (patch)
tree: 1cc057a237e2987b4b54cca6dde954ee0df737de
parent: e56323a4dd3048fa6f46590052bcba75d82b3317 (diff)
2 files changed, 4 insertions, 4 deletions
diff --git a/app/controllers/concerns/rate_limit_headers.rb b/app/controllers/concerns/rate_limit_headers.rb
index ac9b58f5d..b79c558d8 100644
--- a/app/controllers/concerns/rate_limit_headers.rb
+++ b/app/controllers/concerns/rate_limit_headers.rb
@@ -44,8 +44,8 @@ module RateLimitHeaders
   end
 
   def api_throttle_data
-    request.env['rack.attack.throttle_data']['throttle_authenticated_api'] ||
-      request.env['rack.attack.throttle_data']['throttle_unauthenticated_api']
+    most_limited_type, = request.env['rack.attack.throttle_data'].min_by { |_, v| v[:limit] }
+    request.env['rack.attack.throttle_data'][most_limited_type]
   end
 
   def request_time
diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
index 41db76929..b38fb302b 100644
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -49,8 +49,8 @@ class Rack::Attack
     req.api_request? && req.authenticated_user_id
   end
 
-  throttle('throttle_unauthenticated_api', limit: 300, period: 5.minutes) do |req|
-    req.ip if req.api_request? && req.unauthenticated?
+  throttle('throttle_unauthenticated_api', limit: 7_500, period: 5.minutes) do |req|
+    req.ip if req.api_request?
   end
 
   throttle('protected_paths', limit: 5, period: 5.minutes) do |req|
author	Eugen Rochko <eugen@zeonfederated.com>	2017-12-11 15:32:29 +0100
committer	GitHub <noreply@github.com>	2017-12-11 15:32:29 +0100
commit	feed07227ba9feb8def161dc127033016c749ac5 (patch)
tree	1cc057a237e2987b4b54cca6dde954ee0df737de
parent	e56323a4dd3048fa6f46590052bcba75d82b3317 (diff)