author | David Yip <yipdw@member.fsf.org> | 2017-12-12 02:54:13 -0600 |
committer | David Yip <yipdw@member.fsf.org> | 2017-12-12 02:54:13 -0600 |
commit | a057ed5cfea2c1c4fb21984cadae993740fb25e0 (patch) | |
tree | c965f135b8c46f679eb22e80a37550c8b985b9ea /config/initializers | |
parent | 04eaa1943f002865f8a0234e19c6ea4cc1d3bb6a (diff) | |
parent | 14c4a33cd9bfc1212cb362897272e5ea7d1529e5 (diff) |
Merge remote-tracking branch 'tootsuite/master' into merge-upstream
Diffstat (limited to 'config/initializers')
-rw-r--r-- | config/initializers/paperclip.rb | 47 | ||||
-rw-r--r-- | config/initializers/rack_attack.rb | 57 |
2 files changed, 69 insertions, 35 deletions
diff --git a/config/initializers/paperclip.rb b/config/initializers/paperclip.rb
index 14bd034e6..8aa1d1b6e 100644
--- a/config/initializers/paperclip.rb
+++ b/config/initializers/paperclip.rb
@@ -14,40 +14,45 @@ Paperclip::Attachment.default_options.merge!(
 )
 if ENV['S3_ENABLED'] == 'true'
- require 'fog/aws'
+ require 'aws-sdk'
+ Aws.eager_autoload!(services: %w(S3))
- s3_protocol = ENV.fetch('S3_PROTOCOL') { 'https' }
- s3_hostname = ENV.fetch('S3_HOSTNAME') { "s3-#{ENV['S3_REGION']}.amazonaws.com" }
- aws_signature_version = ENV['S3_SIGNATURE_VERSION'] == 's3' ? 2 : ENV['S3_SIGNATURE_VERSION'].to_i
- aws_signature_version = 4 if aws_signature_version.zero?
+ s3_region = ENV.fetch('S3_REGION') { 'us-east-1' }
+ s3_protocol = ENV.fetch('S3_PROTOCOL') { 'https' }
+ s3_hostname = ENV.fetch('S3_HOSTNAME') { "s3-#{s3_region}.amazonaws.com" }
 Paperclip::Attachment.default_options.merge!(
- fog_credentials: {
- provider: 'AWS',
- aws_access_key_id: ENV['AWS_ACCESS_KEY_ID'],
- aws_secret_access_key: ENV['AWS_SECRET_ACCESS_KEY'],
- aws_signature_version: aws_signature_version,
- region: ENV.fetch('S3_REGION') { 'us-east-1' },
- scheme: s3_protocol,
- host: s3_hostname
+ storage: :s3,
+ s3_protocol: s3_protocol,
+ s3_host_name: s3_hostname,
+ s3_headers: {
+ 'Cache-Control' => 'max-age=315576000',
+ },
+ s3_permissions: ENV.fetch('S3_PERMISSION') { 'public-read' },
+ s3_region: s3_region,
+ s3_credentials: {
+ bucket: ENV['S3_BUCKET'],
+ access_key_id: ENV['AWS_ACCESS_KEY_ID'],
+ secret_access_key: ENV['AWS_SECRET_ACCESS_KEY'],
 },
- fog_directory: ENV['S3_BUCKET'],
- fog_options: {
- acl: ENV.fetch('S3_PERMISSION') { 'public-read' },
- cache_control: 'max-age=315576000',
+ s3_options: {
+ signature_version: ENV.fetch('S3_SIGNATURE_VERSION') { 'v4' },
 }
 )
 if ENV.has_key?('S3_ENDPOINT')
- Paperclip::Attachment.default_options[:fog_credentials].merge!(
+ Paperclip::Attachment.default_options[:s3_options].merge!(
 endpoint: ENV['S3_ENDPOINT'],
- path_style: true
+ force_path_style: true
 )
- Paperclip::Attachment.default_options[:fog_host] = "#{s3_protocol}://#{s3_hostname}/#{ENV['S3_BUCKET']}"
+ Paperclip::Attachment.default_options[:url] = ':s3_path_url'
 end
 if ENV.has_key?('S3_CLOUDFRONT_HOST')
- Paperclip::Attachment.default_options[:fog_host] = "#{s3_protocol}://#{ENV['S3_CLOUDFRONT_HOST']}"
+ Paperclip::Attachment.default_options.merge!(
+ url: ':s3_alias_url',
+ s3_host_alias: ENV['S3_CLOUDFRONT_HOST']
+ )
 end
 elsif ENV['SWIFT_ENABLED'] == 'true'
 require 'fog/openstack'
diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
index 53cb106ca..b38fb302b 100644
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -1,6 +1,43 @@
 # frozen_string_literal: true
+require 'doorkeeper/grape/authorization_decorator'
+
 class Rack::Attack
+ class Request
+ def authenticated_token
+ return @token if defined?(@token)
+
+ @token = Doorkeeper::OAuth::Token.authenticate(
+ Doorkeeper::Grape::AuthorizationDecorator.new(self),
+ *Doorkeeper.configuration.access_token_methods
+ )
+ end
+
+ def authenticated_user_id
+ authenticated_token&.resource_owner_id
+ end
+
+ def unauthenticated?
+ !authenticated_user_id
+ end
+
+ def api_request?
+ path.start_with?('/api')
+ end
+
+ def web_request?
+ !api_request?
+ end
+ end
+
+ PROTECTED_PATHS = %w(
+ /auth/sign_in
+ /auth
+ /auth/password
+ ).freeze
+
+ PROTECTED_PATHS_REGEX = Regexp.union(PROTECTED_PATHS.map { |path| /\A#{Regexp.escape(path)}/ })
+
 # Always allow requests from localhost
 # (blocklist & throttles are skipped)
 Rack::Attack.safelist('allow from localhost') do |req| 
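Review bot: The `signature_version: ENV.fetch('S3_SIGNATURE_VERSION') { 'v4' }` entry in the new `s3_options` hash passes the raw environment value straight to the SDK, whereas the removed code translated `'s3'` to 2 and numeric strings to an integer, so deployments that already set `S3_SIGNATURE_VERSION=2`, `4` or `s3` now hand the SDK a value it may not accept (it takes a version name such as the `'v4'` default; confirm the accepted set against the aws-sdk version the Gemfile pins, which is outside this diff). Either translate the legacy values before building `s3_options`, or document the format change next to the default with `# aws-sdk takes a version name ('v4'); the old numeric / 's3' mapping is gone` and update the sample environment file if the project has one. Separately, `S3_ENDPOINT` is merged into `s3_options` verbatim and nothing checks that it carries an https scheme, so a plain-http endpoint would send the signed requests and media uploads unencrypted — worth a comment at the `if ENV.has_key?('S3_ENDPOINT')` branch or a startup warning.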
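Review bot: `authenticated_user_id` reads `resource_owner_id` from whatever `Doorkeeper::OAuth::Token.authenticate` resolves, without checking that the token is still usable, so a revoked or expired bearer token (which the API layer itself will reject with 401) still takes the request out of the per-IP unauthenticated bucket and into a per-user bucket keyed by that token's owner; presumably `authenticate` only looks the token up and does not filter on validity — confirm against the pinned Doorkeeper version. If so, `authenticated_token&.accessible? ? authenticated_token.resource_owner_id : nil` (or an equivalent guard in `authenticated_token`) keeps the lenient per-user limit for live credentials only. `unauthenticated?` and `web_request?` are defined here but no throttle in this commit calls them; if they are for a later change, a short comment saying so would stop the next reader from deleting them. The `class Rack::Attack` body continues past this hunk.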
@@ -8,24 +45,16 @@ class Rack::Attack
 '127.0.0.1' == req.ip || '::1' == req.ip
 end
- # Rate limits for the API
- throttle('api', limit: 300, period: 5.minutes) do |req|
- req.ip if req.path =~ /\A\/api\/v/
- end
-
- # Rate limit logins
- throttle('login', limit: 5, period: 5.minutes) do |req|
- req.ip if req.path == '/auth/sign_in' && req.post?
+ throttle('throttle_authenticated_api', limit: 300, period: 5.minutes) do |req|
+ req.api_request? && req.authenticated_user_id
 end
- # Rate limit sign-ups
- throttle('register', limit: 5, period: 5.minutes) do |req|
- req.ip if req.path == '/auth' && req.post?
+ throttle('throttle_unauthenticated_api', limit: 7_500, period: 5.minutes) do |req|
+ req.ip if req.api_request?
 end
- # Rate limit forgotten passwords
- throttle('reminder', limit: 5, period: 5.minutes) do |req|
- req.ip if req.path == '/auth/password' && req.post?
+ throttle('protected_paths', limit: 5, period: 5.minutes) do |req|
+ req.ip if req.post? && req.path =~ PROTECTED_PATHS_REGEX
 end
 self.throttled_response = lambda do |env| |
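Review bot: The `protected_paths` throttle matches `req.path =~ PROTECTED_PATHS_REGEX`, and that regex (built in the preceding hunk) anchors each entry only at the start with `\A`, so the `/auth` entry already covers `/auth/sign_in` and `/auth/password` — and every other POST whose path begins with `/auth` — whereas the three throttles this replaces compared the path exactly. If exact paths are the intent, anchor both ends when building the constant, `/\A#{Regexp.escape(path)}\z/`; if prefix matching is the intent, keep only `/auth` in `PROTECTED_PATHS` and note that in a comment so the redundant entries do not suggest otherwise. In either case `Regexp#match?` avoids allocating a MatchData on every request: `req.ip if req.post? && PROTECTED_PATHS_REGEX.match?(req.path)`. The `class Rack::Attack` body and the `throttled_response` lambda continue past this hunk.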