abunchtell
/
mastodon
1
0
Fork 0
Code Issues 0 Activity
The code powering m.abunchtell.com https://m.abunchtell.com
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6484 Commits
1 Branch
94 MiB
 
 
 
 
Tree: 5d2fc6de32
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '5d2fc6de32'
${ noResults }
mastodon/config/initializers/rack_attack.rb

82 lines
2.2 KiB
Raw Blame History 

  1. # frozen_string_literal: true

  2. 

  3. require 'doorkeeper/grape/authorization_decorator'

  4. 

  5. class Rack::Attack

  6.   class Request

  7.     def authenticated_token

  8.       return @token if defined?(@token)

  9. 

  10.       @token = Doorkeeper::OAuth::Token.authenticate(

  11.         Doorkeeper::Grape::AuthorizationDecorator.new(self),

  12.         *Doorkeeper.configuration.access_token_methods

  13.       )

  14.     end

  15. 

  16.     def authenticated_user_id

  17.       authenticated_token&.resource_owner_id

  18.     end

  19. 

  20.     def unauthenticated?

  21.       !authenticated_user_id

  22.     end

  23. 

  24.     def api_request?

  25.       path.start_with?('/api')

  26.     end

  27. 

  28.     def web_request?

  29.       !api_request?

  30.     end

  31.   end

  32. 

  33.   PROTECTED_PATHS = %w(

  34.     /auth/sign_in

  35.     /auth

  36.     /auth/password

  37.   ).freeze

  38. 

  39.   PROTECTED_PATHS_REGEX = Regexp.union(PROTECTED_PATHS.map { |path| /\A#{Regexp.escape(path)}/ })

  40. 

  41.   # Always allow requests from localhost

  42.   # (blocklist & throttles are skipped)

  43.   Rack::Attack.safelist('allow from localhost') do |req|

  44.     # Requests are allowed if the return value is truthy

  45.     req.ip == '127.0.0.1' || req.ip == '::1'

  46.   end

  47. 

  48.   throttle('throttle_authenticated_api', limit: 300, period: 5.minutes) do |req|

  49.     req.api_request? && req.authenticated_user_id

  50.   end

  51. 

  52.   throttle('throttle_unauthenticated_api', limit: 7_500, period: 5.minutes) do |req|

  53.     req.ip if req.api_request?

  54.   end

  55. 

  56.   throttle('throttle_media', limit: 30, period: 30.minutes) do |req|

  57.     req.authenticated_user_id if req.post? && req.path.start_with?('/api/v1/media')

  58.   end

  59. 

  60.   throttle('throttle_api_sign_up', limit: 5, period: 30.minutes) do |req|

  61.     req.ip if req.post? && req.path == '/api/v1/accounts'

  62.   end

  63. 

  64.   throttle('protected_paths', limit: 25, period: 5.minutes) do |req|

  65.     req.ip if req.post? && req.path =~ PROTECTED_PATHS_REGEX

  66.   end

  67. 

  68.   self.throttled_response = lambda do |env|

  69.     now        = Time.now.utc

  70.     match_data = env['rack.attack.match_data']

  71. 

  72.     headers = {

  73.       'Content-Type'          => 'application/json',

  74.       'X-RateLimit-Limit'     => match_data[:limit].to_s,

  75.       'X-RateLimit-Remaining' => '0',

  76.       'X-RateLimit-Reset'     => (now + (match_data[:period] - now.to_i % match_data[:period])).iso8601(6),

  77.     }

  78. 

  79.     [429, headers, [{ error: I18n.t('errors.429') }.to_json]]

  80.   end

  81. end