From ff5baa5349ca7a5391cfa9e283d2f5e653f876ee Mon Sep 17 00:00:00 2001 From: Eugen Date: Tue, 18 Apr 2017 22:29:14 +0200 Subject: [PATCH] Add rate limits for logins and sign-ups by IP (5 in 5 minutes) (#2079) * Add rate limits for logins and sign-ups by IP (5 in 5 minutes) Should be enough for normal attempts * Add rate limit for forgotten password form as well --- .../{rack-attack.rb => rack_attack.rb} | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) rename config/initializers/{rack-attack.rb => rack_attack.rb} (50%) diff --git a/config/initializers/rack-attack.rb b/config/initializers/rack_attack.rb similarity index 50% rename from config/initializers/rack-attack.rb rename to config/initializers/rack_attack.rb index 70f7846d1..67ec7c919 100644 --- a/config/initializers/rack-attack.rb +++ b/config/initializers/rack_attack.rb @@ -1,7 +1,24 @@ +# frozen_string_literal: true + class Rack::Attack # Rate limits for the API throttle('api', limit: 300, period: 5.minutes) do |req| - req.ip if req.path.match(/\A\/api\/v/) + req.ip if req.path =~ /\A\/api\/v/ + end + + # Rate limit logins + throttle('login', limit: 5, period: 5.minutes) do |req| + req.ip if req.path == '/auth/sign_in' && req.post? + end + + # Rate limit sign-ups + throttle('register', limit: 5, period: 5.minutes) do |req| + req.ip if req.path == '/auth' && req.post? + end + + # Rate limit forgotten passwords + throttle('reminder', limit: 5, period: 5.minutes) do |req| + req.ip if req.path == '/auth/password' && req.post? end self.throttled_response = lambda do |env|