Adding OAuth access scopes, fixing OAuth authorization UI, adding rate limiting

to the API
2016-10-22 19:38:47 +02:00 · 2016-10-22 19:38:47 +02:00 · a9e40a3d80
commit a9e40a3d80
parent 17122df80d
26 changed files with 195 additions and 99 deletions
--- a/config/initializers/rack-attack.rb
+++ b/config/initializers/rack-attack.rb
@ -1,9 +1,19 @@
 class Rack::Attack
-  throttle('get-req/ip', limit: 300, period: 5.minutes) do |req|
-    req.ip if req.get?
+  # Rate limits for the API
+  throttle('api', limit: 150, period: 5.minutes) do |req|
+    req.ip if req.path.match(/\A\/api\//)
  end

-  throttle('post-req/ip', limit: 100, period: 5.minutes) do |req|
-    req.ip if req.post?
+  self.throttled_response = lambda do |env|
+    now        = Time.now.utc
+    match_data = env['rack.attack.match_data']
+
+    headers = {
+      'X-RateLimit-Limit'     => match_data[:limit].to_s,
+      'X-RateLimit-Remaining' => '0',
+      'X-RateLimit-Reset'     => (now + (match_data[:period] - now.to_i % match_data[:period])).to_s
+    }
+
+    [429, headers, [{ error: 'Throttled' }.to_json]]
  end
 end