From c068f908038290df64eb9061798cd540b9ee0a4d Mon Sep 17 00:00:00 2001
From: ThibG <thib@sitedethib.com>
Date: Mon, 27 May 2019 21:57:49 +0200
Subject: Improve rate limiting (#10860)

* Rate limit based on remote address IP, not on potential reverse proxy

* Limit rate of unauthenticated API requests further

* Rate-limit paging requests to one every 3 seconds
---
 config/initializers/rack_attack.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'config/initializers/rack_attack.rb')

diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
index 555421d55..e07341b75 100644
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -58,7 +58,7 @@ class Rack::Attack
   end
 
   throttle('throttle_unauthenticated_api', limit: 300, period: 5.minutes) do |req|
-    req.remote_ip if req.api_request? && req.unauthenticated?
+    req.remote_ip if req.api_request? && !req.authenticated?
   end
 
   throttle('throttle_api_media', limit: 300, period: 5.minutes) do |req|
@@ -70,7 +70,7 @@ class Rack::Attack
   end
 
   throttle('throttle_unauthenticated_media_proxy', limit: 30, period: 30.minutes) do |req|
-    req.remote_ip if req.unauthenticated? && req.path.start_with?('/media_proxy')
+    req.remote_ip if !req.authenticated? && req.path.start_with?('/media_proxy')
   end
 
   throttle('throttle_api_sign_up', limit: 5, period: 30.minutes) do |req|
@@ -83,7 +83,7 @@ class Rack::Attack
   end
 
   throttle('throttle_unauthenticated_paging', limit: 300, period: 15.minutes) do |req|
-    req.remote_ip if req.paging_request? && req.unauthenticated?
+    req.remote_ip if req.paging_request? && !req.authenticated?
   end
 
   API_DELETE_REBLOG_REGEX = /\A\/api\/v1\/statuses\/[\d]+\/unreblog/.freeze
-- 
cgit