Apply a 25x rate limit by IP even to authenticated requests (#5948)

6 lat temu · feed07227b
--- a/app/controllers/concerns/rate_limit_headers.rb
+++ b/app/controllers/concerns/rate_limit_headers.rb
@@ -44,8 +44,8 @@ module RateLimitHeaders
  end

  def api_throttle_data
    request.env['rack.attack.throttle_data']['throttle_authenticated_api'] ||
      request.env['rack.attack.throttle_data']['throttle_unauthenticated_api']
    most_limited_type, = request.env['rack.attack.throttle_data'].min_by { |_, v| v[:limit] }
    request.env['rack.attack.throttle_data'][most_limited_type]
  end

  def request_time
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -49,8 +49,8 @@ class Rack::Attack
    req.api_request? && req.authenticated_user_id
  end

  throttle('throttle_unauthenticated_api', limit: 300, period: 5.minutes) do |req|
    req.ip if req.api_request? && req.unauthenticated?
  throttle('throttle_unauthenticated_api', limit: 7_500, period: 5.minutes) do |req|
    req.ip if req.api_request?
  end

  throttle('protected_paths', limit: 5, period: 5.minutes) do |req|