From 99242b92bcc1965b2a72c01216bce7c232322f15 Mon Sep 17 00:00:00 2001
From: abcang <abcang1015@gmail.com>
Date: Sat, 9 Dec 2017 10:31:37 +0900
Subject: Keep WebPush settings (#5879)
---
.../api/web/push_subscriptions_controller_spec.rb | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
(limited to 'spec/controllers')
diff --git a/spec/controllers/api/web/push_subscriptions_controller_spec.rb b/spec/controllers/api/web/push_subscriptions_controller_spec.rb
index 7e83b801d..bbf94c5c6 100644
--- a/spec/controllers/api/web/push_subscriptions_controller_spec.rb
+++ b/spec/controllers/api/web/push_subscriptions_controller_spec.rb
@@ -48,6 +48,23 @@ describe Api::Web::PushSubscriptionsController do
expect(push_subscription['key_p256dh']).to eq(create_payload[:subscription][:keys][:p256dh])
expect(push_subscription['key_auth']).to eq(create_payload[:subscription][:keys][:auth])
end
+
+ context 'with initial data' do
+ it 'saves alert settings' do
+ sign_in(user)
+
+ stub_request(:post, create_payload[:subscription][:endpoint]).to_return(status: 200)
+
+ post :create, format: :json, params: create_payload.merge(alerts_payload)
+
+ push_subscription = Web::PushSubscription.find_by(endpoint: create_payload[:subscription][:endpoint])
+
+ expect(push_subscription.data['follow']).to eq(alerts_payload[:data][:follow])
+ expect(push_subscription.data['favourite']).to eq(alerts_payload[:data][:favourite])
+ expect(push_subscription.data['reblog']).to eq(alerts_payload[:data][:reblog])
+ expect(push_subscription.data['mention']).to eq(alerts_payload[:data][:mention])
+ end
+ end
end
describe 'PUT #update' do
--
cgit
From a865b62efc0f7025f789f4413a03ccacd57db7bb Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Sat, 9 Dec 2017 14:20:02 +0100
Subject: Rate limit by user instead of IP when API user is authenticated
(#5923)
* Fix #668 - Rate limit by user instead of IP when API user is authenticated
* Fix code style issue
* Use request decorator provided by Doorkeeper
---
app/controllers/concerns/rate_limit_headers.rb | 3 +-
config/initializers/rack_attack.rb | 55 ++++++++++++++++------
.../concerns/rate_limit_headers_spec.rb | 2 +-
3 files changed, 44 insertions(+), 16 deletions(-)
(limited to 'spec/controllers')
diff --git a/app/controllers/concerns/rate_limit_headers.rb b/app/controllers/concerns/rate_limit_headers.rb
index 36cb91075..ac9b58f5d 100644
--- a/app/controllers/concerns/rate_limit_headers.rb
+++ b/app/controllers/concerns/rate_limit_headers.rb
@@ -44,7 +44,8 @@ module RateLimitHeaders
end
def api_throttle_data
- request.env['rack.attack.throttle_data']['api']
+ request.env['rack.attack.throttle_data']['throttle_authenticated_api'] ||
+ request.env['rack.attack.throttle_data']['throttle_unauthenticated_api']
end
def request_time
diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
index 53cb106ca..fddcbc52c 100644
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -1,6 +1,41 @@
# frozen_string_literal: true
class Rack::Attack
+ class Request
+ def authenticated_token
+ return @token if defined?(@token)
+
+ @token = Doorkeeper::OAuth::Token.authenticate(
+ Doorkeeper::Grape::AuthorizationDecorator.new(self),
+ *Doorkeeper.configuration.access_token_methods
+ )
+ end
+
+ def authenticated_user_id
+ authenticated_token&.resource_owner_id
+ end
+
+ def unauthenticated?
+ !authenticated_user_id
+ end
+
+ def api_request?
+ path.start_with?('/api')
+ end
+
+ def web_request?
+ !api_request?
+ end
+ end
+
+ PROTECTED_PATHS = %w(
+ /auth/sign_in
+ /auth
+ /auth/password
+ ).freeze
+
+ PROTECTED_PATHS_REGEX = Regexp.union(PROTECTED_PATHS.map { |path| /\A#{Regexp.escape(path)}/ })
+
# Always allow requests from localhost
# (blocklist & throttles are skipped)
Rack::Attack.safelist('allow from localhost') do |req|
@@ -8,24 +43,16 @@ class Rack::Attack
'127.0.0.1' == req.ip || '::1' == req.ip
end
- # Rate limits for the API
- throttle('api', limit: 300, period: 5.minutes) do |req|
- req.ip if req.path =~ /\A\/api\/v/
- end
-
- # Rate limit logins
- throttle('login', limit: 5, period: 5.minutes) do |req|
- req.ip if req.path == '/auth/sign_in' && req.post?
+ throttle('throttle_authenticated_api', limit: 300, period: 5.minutes) do |req|
+ req.api_request? && req.authenticated_user_id
end
- # Rate limit sign-ups
- throttle('register', limit: 5, period: 5.minutes) do |req|
- req.ip if req.path == '/auth' && req.post?
+ throttle('throttle_unauthenticated_api', limit: 300, period: 5.minutes) do |req|
+ req.ip if req.api_request? && req.unauthenticated?
end
- # Rate limit forgotten passwords
- throttle('reminder', limit: 5, period: 5.minutes) do |req|
- req.ip if req.path == '/auth/password' && req.post?
+ throttle('protected_paths', limit: 5, period: 5.minutes) do |req|
+ req.ip if req.post? && req.path =~ PROTECTED_PATHS_REGEX
end
self.throttled_response = lambda do |env|
diff --git a/spec/controllers/concerns/rate_limit_headers_spec.rb b/spec/controllers/concerns/rate_limit_headers_spec.rb
index 719978dc2..00a9a2080 100644
--- a/spec/controllers/concerns/rate_limit_headers_spec.rb
+++ b/spec/controllers/concerns/rate_limit_headers_spec.rb
@@ -34,7 +34,7 @@ describe ApplicationController do
let(:start_time) { DateTime.new(2017, 1, 1, 12, 0, 0).utc }
before do
- request.env['rack.attack.throttle_data'] = { 'api' => { limit: 100, count: 20, period: 10 } }
+ request.env['rack.attack.throttle_data'] = { 'throttle_authenticated_api' => { limit: 100, count: 20, period: 10 } }
travel_to start_time do
get 'show'
end
--
cgit
From 1356ed72cd4f595e93a5fa23fd8d7459fc8f81b3 Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Tue, 12 Dec 2017 03:55:39 +0100
Subject: Fix #5953 - Add GET /api/v1/accounts/:id/lists (#5983)
---
.../api/v1/accounts/lists_controller.rb | 20 +++++++++++++++++++
config/routes.rb | 1 +
.../api/v1/accounts/lists_controller_spec.rb | 23 ++++++++++++++++++++++
3 files changed, 44 insertions(+)
create mode 100644 app/controllers/api/v1/accounts/lists_controller.rb
create mode 100644 spec/controllers/api/v1/accounts/lists_controller_spec.rb
(limited to 'spec/controllers')
diff --git a/app/controllers/api/v1/accounts/lists_controller.rb b/app/controllers/api/v1/accounts/lists_controller.rb
new file mode 100644
index 000000000..a7ba89ce2
--- /dev/null
+++ b/app/controllers/api/v1/accounts/lists_controller.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+class Api::V1::Accounts::ListsController < Api::BaseController
+ before_action -> { doorkeeper_authorize! :read }
+ before_action :require_user!
+ before_action :set_account
+
+ respond_to :json
+
+ def index
+ @lists = @account.lists.where(account: current_account)
+ render json: @lists, each_serializer: REST::ListSerializer
+ end
+
+ private
+
+ def set_account
+ @account = Account.find(params[:account_id])
+ end
+end
diff --git a/config/routes.rb b/config/routes.rb
index 6313a355d..467849c03 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -269,6 +269,7 @@ Rails.application.routes.draw do
resources :statuses, only: :index, controller: 'accounts/statuses'
resources :followers, only: :index, controller: 'accounts/follower_accounts'
resources :following, only: :index, controller: 'accounts/following_accounts'
+ resources :lists, only: :index, controller: 'accounts/lists'
member do
post :follow
diff --git a/spec/controllers/api/v1/accounts/lists_controller_spec.rb b/spec/controllers/api/v1/accounts/lists_controller_spec.rb
new file mode 100644
index 000000000..0a372f65b
--- /dev/null
+++ b/spec/controllers/api/v1/accounts/lists_controller_spec.rb
@@ -0,0 +1,23 @@
+require 'rails_helper'
+
+describe Api::V1::Accounts::ListsController do
+ render_views
+
+ let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) }
+ let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read') }
+ let(:account) { Fabricate(:account) }
+ let(:list) { Fabricate(:list, account: user.account) }
+
+ before do
+ allow(controller).to receive(:doorkeeper_token) { token }
+ user.account.follow!(account)
+ list.accounts << account
+ end
+
+ describe 'GET #index' do
+ it 'returns http success' do
+ get :index, params: { account_id: account.id }
+ expect(response).to have_http_status(:success)
+ end
+ end
+end
--
cgit