authorEugen Rochko <eugen@zeonfederated.com>2017-03-14 15:59:21 +0100
committerEugen Rochko <eugen@zeonfederated.com>2017-03-14 15:59:21 +0100
commit02349b32696d6559ed64dbe4f401892d5fa5ddf7 (patch)
treec521c1b6aeab67ace70ca1994f3eb412c7136f0d
parent952bce302373c6903458c2a11236ae145e0bea71 (diff)
Obfuscate filenames better, double rate limits
-rw-r--r--app/controllers/concerns/obfuscate_filename.rb6
-rw-r--r--config/initializers/rack-attack.rb4
-rw-r--r--docs/Using-the-API/Push-notifications.md2
3 files changed, 8 insertions, 4 deletions
diff --git a/app/controllers/concerns/obfuscate_filename.rb b/app/controllers/concerns/obfuscate_filename.rb
index dde7ce8c6..9c896fb09 100644
--- a/app/controllers/concerns/obfuscate_filename.rb
+++ b/app/controllers/concerns/obfuscate_filename.rb
@@ -13,6 +13,10 @@ module ObfuscateFilename
     file = params.dig(*path)
     return if file.nil?
 
-    file.original_filename = 'media' + File.extname(file.original_filename)
+    file.original_filename = secure_token + File.extname(file.original_filename)
+  end
+
+  def secure_token(length = 16)
+    SecureRandom.hex(length / 2)
   end
 end
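Review bot: `secure_token` is added as a public method of the concern, so every controller that includes `ObfuscateFilename` gains it as a public instance method; it belongs under a `private` marker, `private` followed by `def secure_token(length = 16)`. `SecureRandom.hex(length / 2)` also returns `length - 1` characters when `length` is odd, so either document that `length` must be even or use `SecureRandom.hex((length + 1) / 2)[0, length]`. The extension is still copied verbatim from the user-supplied `original_filename`, so only the base name is randomised; if that is intended, a one-line comment saying so would help the next reader. The method that assigns `original_filename` begins above the hunk.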
diff --git a/config/initializers/rack-attack.rb b/config/initializers/rack-attack.rb
index 3f0ee1d7a..70f7846d1 100644
--- a/config/initializers/rack-attack.rb
+++ b/config/initializers/rack-attack.rb
@@ -1,6 +1,6 @@
 class Rack::Attack
   # Rate limits for the API
-  throttle('api', limit: 150, period: 5.minutes) do |req|
+  throttle('api', limit: 300, period: 5.minutes) do |req|
     req.ip if req.path.match(/\A\/api\/v/)
   end
 
@@ -11,7 +11,7 @@ class Rack::Attack
     headers = {
       'X-RateLimit-Limit'     => match_data[:limit].to_s,
       'X-RateLimit-Remaining' => '0',
-      'X-RateLimit-Reset'     => (now + (match_data[:period] - now.to_i % match_data[:period])).iso8601(6)
+      'X-RateLimit-Reset'     => (now + (match_data[:period] - now.to_i % match_data[:period])).iso8601(6),
     }
 
     [429, headers, [{ error: 'Throttled' }.to_json]]
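Review bot: The new value in `throttle('api', limit: 300, period: 5.minutes)` is a bare magic number with no record of why it was doubled; a named constant such as `API_RATE_LIMIT = 300` with a one-line comment on the reasoning would make the next adjustment traceable. The throttle is keyed on `req.ip`, so behind a reverse proxy the effective key depends on the trusted-proxy configuration — presumably already handled elsewhere, but a comment next to the block would save the next reader from checking. The trailing-comma change in the second hunk is cosmetic.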
diff --git a/docs/Using-the-API/Push-notifications.md b/docs/Using-the-API/Push-notifications.md
index d98c8833a..fc373e723 100644
--- a/docs/Using-the-API/Push-notifications.md
+++ b/docs/Using-the-API/Push-notifications.md
@@ -1,4 +1,4 @@
 Push notifications
 ==================
 
-**Note: This push notification design turned out to not be fully operational on the side of Firebase. A different approach is in consideration**
+See <https://github.com/Gargron/tusky-api> for an example of how to create push notifications for a mobile app. It involves using the Mastodon streaming API on behalf of the app's users, as a sort of proxy.