diff options
author | Eugen <eugen@zeonfederated.com> | 2017-04-18 22:29:14 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-04-18 22:29:14 +0200 |
commit | ff5baa5349ca7a5391cfa9e283d2f5e653f876ee (patch) | |
tree | c00a06ef9f35becb52d33e2d3876fe129f8143c7 /config/initializers/rack_attack.rb | |
parent | 297c11dba2864b20992cd3f98282f5ce35d5d144 (diff) |
Add rate limits for logins and sign-ups by IP (5 in 5 minutes) (#2079)
* Add rate limits for logins and sign-ups by IP (5 in 5 minutes) Should be enough for normal attempts * Add rate limit for forgotten password form as well
Diffstat (limited to 'config/initializers/rack_attack.rb')
-rw-r--r-- | config/initializers/rack_attack.rb | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb new file mode 100644 index 000000000..67ec7c919 --- /dev/null +++ b/config/initializers/rack_attack.rb @@ -0,0 +1,36 @@ +# frozen_string_literal: true + +class Rack::Attack + # Rate limits for the API + throttle('api', limit: 300, period: 5.minutes) do |req| + req.ip if req.path =~ /\A\/api\/v/ + end + + # Rate limit logins + throttle('login', limit: 5, period: 5.minutes) do |req| + req.ip if req.path == '/auth/sign_in' && req.post? + end + + # Rate limit sign-ups + throttle('register', limit: 5, period: 5.minutes) do |req| + req.ip if req.path == '/auth' && req.post? + end + + # Rate limit forgotten passwords + throttle('reminder', limit: 5, period: 5.minutes) do |req| + req.ip if req.path == '/auth/password' && req.post? + end + + self.throttled_response = lambda do |env| + now = Time.now.utc + match_data = env['rack.attack.match_data'] + + headers = { + 'X-RateLimit-Limit' => match_data[:limit].to_s, + 'X-RateLimit-Remaining' => '0', + 'X-RateLimit-Reset' => (now + (match_data[:period] - now.to_i % match_data[:period])).iso8601(6), + } + + [429, headers, [{ error: 'Throttled' }.to_json]] + end +end |