about summary refs log tree commit diff
path: root/config/initializers
diff options
context:
space:
mode:
authorEugen Rochko <eugen@zeonfederated.com>2016-10-22 19:38:47 +0200
committerEugen Rochko <eugen@zeonfederated.com>2016-10-22 19:39:44 +0200
commita9e40a3d80435431f689b8d19005dd77a8f50224 (patch)
tree48573a1f1ec9c14789c529de3b8fb8badfb20444 /config/initializers
parent17122df80dc7e85910a9cfa049d2e33ef84288c6 (diff)
Adding OAuth access scopes, fixing OAuth authorization UI, adding rate limiting
to the API
Diffstat (limited to 'config/initializers')
-rw-r--r--config/initializers/doorkeeper.rb4
-rw-r--r--config/initializers/rabl_init.rb2
-rw-r--r--config/initializers/rack-attack.rb18
3 files changed, 17 insertions, 7 deletions
diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb
index 97eaea678..16297456e 100644
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
@@ -50,8 +50,8 @@ Doorkeeper.configure do
   # Define access token scopes for your provider
   # For more information go to
   # https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes
-  # default_scopes  :public
-  # optional_scopes :write, :follow
+  default_scopes  :read
+  optional_scopes :write, :follow
 
   # Change the way client credentials are retrieved from the request object.
   # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
diff --git a/config/initializers/rabl_init.rb b/config/initializers/rabl_init.rb
index d14f8c54e..325bf0c78 100644
--- a/config/initializers/rabl_init.rb
+++ b/config/initializers/rabl_init.rb
@@ -1,5 +1,5 @@
 Rabl.configure do |config|
-  config.cache_all_output  = true
+  config.cache_all_output  = false
   config.cache_sources     = !!Rails.env.production?
   config.include_json_root = false
   config.view_paths        = [Rails.root.join('app/views')]
diff --git a/config/initializers/rack-attack.rb b/config/initializers/rack-attack.rb
index fb447685b..6d9286e66 100644
--- a/config/initializers/rack-attack.rb
+++ b/config/initializers/rack-attack.rb
@@ -1,9 +1,19 @@
 class Rack::Attack
-  throttle('get-req/ip', limit: 300, period: 5.minutes) do |req|
-    req.ip if req.get?
+  # Rate limits for the API
+  throttle('api', limit: 150, period: 5.minutes) do |req|
+    req.ip if req.path.match(/\A\/api\//)
   end
 
-  throttle('post-req/ip', limit: 100, period: 5.minutes) do |req|
-    req.ip if req.post?
+  self.throttled_response = lambda do |env|
+    now        = Time.now.utc
+    match_data = env['rack.attack.match_data']
+
+    headers = {
+      'X-RateLimit-Limit'     => match_data[:limit].to_s,
+      'X-RateLimit-Remaining' => '0',
+      'X-RateLimit-Reset'     => (now + (match_data[:period] - now.to_i % match_data[:period])).to_s
+    }
+
+    [429, headers, [{ error: 'Throttled' }.to_json]]
   end
 end