@ -13,6 +13,10 @@ class Rack::Attack
)
)
end
end
def remote_ip
@remote_ip || = ( @env [ " action_dispatch.remote_ip " ] || ip ) . to_s
end
def authenticated_user_id
def authenticated_user_id
authenticated_token & . resource_owner_id
authenticated_token & . resource_owner_id
end
end
@ -28,6 +32,10 @@ class Rack::Attack
def web_request?
def web_request?
! api_request?
! api_request?
end
end
def paging_request?
params [ 'page' ] . present? || params [ 'min_id' ] . present? || params [ 'max_id' ] . present? || params [ 'since_id' ] . present?
end
end
end
PROTECTED_PATHS = %w(
PROTECTED_PATHS = %w(
@ -42,15 +50,15 @@ class Rack::Attack
# (blocklist & throttles are skipped)
# (blocklist & throttles are skipped)
Rack :: Attack . safelist ( 'allow from localhost' ) do | req |
Rack :: Attack . safelist ( 'allow from localhost' ) do | req |
# Requests are allowed if the return value is truthy
# Requests are allowed if the return value is truthy
req . ip == '127.0.0.1' || req . ip == '::1'
req . remote_ ip == '127.0.0.1' || req . remote_ ip == '::1'
end
end
throttle ( 'throttle_authenticated_api' , limit : 300 , period : 5 . minutes ) do | req |
throttle ( 'throttle_authenticated_api' , limit : 300 , period : 5 . minutes ) do | req |
req . authenticated_user_id if req . api_request?
req . authenticated_user_id if req . api_request?
end
end
throttle ( 'throttle_unauthenticated_api' , limit : 7_5 00, period : 5 . minutes ) do | req |
throttle ( 'throttle_unauthenticated_api' , limit : 3 00, period : 5 . minutes ) do | req |
req . ip if req . api_request?
req . remote_ ip if req . api_request? && ! req . authenticated ?
end
end
throttle ( 'throttle_api_media' , limit : 30 , period : 30 . minutes ) do | req |
throttle ( 'throttle_api_media' , limit : 30 , period : 30 . minutes ) do | req |
@ -58,11 +66,20 @@ class Rack::Attack
end
end
throttle ( 'throttle_media_proxy' , limit : 30 , period : 30 . minutes ) do | req |
throttle ( 'throttle_media_proxy' , limit : 30 , period : 30 . minutes ) do | req |
req . ip if req . path . start_with? ( '/media_proxy' )
req . remote_ ip if req . path . start_with? ( '/media_proxy' )
end
end
throttle ( 'throttle_api_sign_up' , limit : 5 , period : 30 . minutes ) do | req |
throttle ( 'throttle_api_sign_up' , limit : 5 , period : 30 . minutes ) do | req |
req . ip if req . post? && req . path == '/api/v1/accounts'
req . remote_ip if req . post? && req . path == '/api/v1/accounts'
end
# Throttle paging, as it is mainly used for public pages and AP collections
throttle ( 'throttle_authenticated_paging' , limit : 300 , period : 15 . minutes ) do | req |
req . authenticated_user_id if req . paging_request?
end
throttle ( 'throttle_unauthenticated_paging' , limit : 300 , period : 15 . minutes ) do | req |
req . remote_ip if req . paging_request? && ! req . authenticated?
end
end
API_DELETE_REBLOG_REGEX = / \ A \/ api \/ v1 \/ statuses \/ [ \ d]+ \/ unreblog / . freeze
API_DELETE_REBLOG_REGEX = / \ A \/ api \/ v1 \/ statuses \/ [ \ d]+ \/ unreblog / . freeze
@ -73,7 +90,7 @@ class Rack::Attack
end
end
throttle ( 'protected_paths' , limit : 25 , period : 5 . minutes ) do | req |
throttle ( 'protected_paths' , limit : 25 , period : 5 . minutes ) do | req |
req . ip if req . post? && req . path =~ PROTECTED_PATHS_REGEX
req . remote_ ip if req . post? && req . path =~ PROTECTED_PATHS_REGEX
end
end
self . throttled_response = lambda do | env |
self . throttled_response = lambda do | env |