Add rate limits for logins and sign-ups by IP (5 in 5 minutes) (#2079)

* Add rate limits for logins and sign-ups by IP (5 in 5 minutes) Should be enough for normal attempts * Add rate limit for forgotten password form as well
author: Eugen <eugen@zeonfederated.com> 2017-04-18 22:29:14 +0200
committer: GitHub <noreply@github.com> 2017-04-18 22:29:14 +0200
commit: ff5baa5349ca7a5391cfa9e283d2f5e653f876ee (patch)
tree: c00a06ef9f35becb52d33e2d3876fe129f8143c7
parent: 297c11dba2864b20992cd3f98282f5ce35d5d144 (diff)
1 files changed, 18 insertions, 1 deletions
diff --git a/config/initializers/rack-attack.rb b/config/initializers/rack_attack.rb
index 70f7846d1..67ec7c919 100644
--- a/config/initializers/rack-attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -1,7 +1,24 @@
+# frozen_string_literal: true
+
 class Rack::Attack
   # Rate limits for the API
   throttle('api', limit: 300, period: 5.minutes) do |req|
-    req.ip if req.path.match(/\A\/api\/v/)
+    req.ip if req.path =~ /\A\/api\/v/
+  end
+
+  # Rate limit logins
+  throttle('login', limit: 5, period: 5.minutes) do |req|
+    req.ip if req.path == '/auth/sign_in' && req.post?
+  end
+
+  # Rate limit sign-ups
+  throttle('register', limit: 5, period: 5.minutes) do |req|
+    req.ip if req.path == '/auth' && req.post?
+  end
+
+  # Rate limit forgotten passwords
+  throttle('reminder', limit: 5, period: 5.minutes) do |req|
+    req.ip if req.path == '/auth/password' && req.post?
   end
 
   self.throttled_response = lambda do |env|
author	Eugen <eugen@zeonfederated.com>	2017-04-18 22:29:14 +0200
committer	GitHub <noreply@github.com>	2017-04-18 22:29:14 +0200
commit	ff5baa5349ca7a5391cfa9e283d2f5e653f876ee (patch)
tree	c00a06ef9f35becb52d33e2d3876fe129f8143c7
parent	297c11dba2864b20992cd3f98282f5ce35d5d144 (diff)