Align sign-up rate limits between API and Web UI

This commit is contained in:
Emelia Smith 2024-08-21 23:56:49 +02:00
parent 19a1acb38b
commit 34930e1a3e
No known key found for this signature in database
2 changed files with 6 additions and 6 deletions


@ -86,7 +86,7 @@ class Rack::Attack
req.throttleable_remote_ip if req.path.start_with?('/media_proxy') req.throttleable_remote_ip if req.path.start_with?('/media_proxy')
end end
throttle('throttle_api_sign_up', limit: 5, period: 30.minutes) do |req| throttle('throttle_api_sign_up', limit: 15, period: 15.minutes) do |req|
req.throttleable_remote_ip if req.post? && req.path == '/api/v1/accounts' req.throttleable_remote_ip if req.post? && req.path == '/api/v1/accounts'
end end
@ -109,7 +109,7 @@ class Rack::Attack
req.throttleable_remote_ip if req.post? && req.path == '/api/v1/apps' req.throttleable_remote_ip if req.post? && req.path == '/api/v1/apps'
end end
throttle('throttle_sign_up_attempts/ip', limit: 25, period: 5.minutes) do |req| throttle('throttle_sign_up_attempts/ip', limit: 15, period: 15.minutes) do |req|
req.throttleable_remote_ip if req.post? && req.path_matches?('/auth') req.throttleable_remote_ip if req.post? && req.path_matches?('/auth')
end end
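Review bot: The API sign-up throttle in the first hunk is loosened from 5 per 30 minutes to 15 per 15 minutes, a six-fold increase in the rate a single IP may create accounts through `/api/v1/accounts`, while the web throttle in the second hunk is tightened; the title says "align" but nothing in the code records why the looser value was the one chosen, so a comment would help the next person retuning these. Note also that `throttle_api_sign_up` and `throttle_sign_up_attempts/ip` remain two independently keyed counters, so aligning the numbers does not merge their budgets — one IP can still exhaust both. I would add above the first throttle `# Sign-up limits are kept identical for /api/v1/accounts and /auth so neither path is the cheaper one; the two throttles still count separately per IP.` The enclosing `class Rack::Attack` begins before and ends after these hunks.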


@ -74,8 +74,8 @@ describe Rack::Attack, type: :request do
describe 'throttle excessive sign-up requests by IP address' do describe 'throttle excessive sign-up requests by IP address' do
context 'when accessed through the website' do context 'when accessed through the website' do
let(:throttle) { 'throttle_sign_up_attempts/ip' } let(:throttle) { 'throttle_sign_up_attempts/ip' }
let(:limit) { 25 } let(:limit) { 15 }
let(:period) { 5.minutes } let(:period) { 15.minutes }
let(:request) { -> { post path, headers: { 'REMOTE_ADDR' => remote_ip } } } let(:request) { -> { post path, headers: { 'REMOTE_ADDR' => remote_ip } } }
context 'with exact path' do context 'with exact path' do
@ -93,8 +93,8 @@ describe Rack::Attack, type: :request do
context 'when accessed through the API' do context 'when accessed through the API' do
let(:throttle) { 'throttle_api_sign_up' } let(:throttle) { 'throttle_api_sign_up' }
let(:limit) { 5 } let(:limit) { 15 }
let(:period) { 30.minutes } let(:period) { 15.minutes }
let(:request) { -> { post path, headers: { 'REMOTE_ADDR' => remote_ip } } } let(:request) { -> { post path, headers: { 'REMOTE_ADDR' => remote_ip } } }
context 'with exact path' do context 'with exact path' do
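Review bot: Both `let(:limit)` / `let(:period)` pairs now repeat the literals from the initializer, so the next retune must be made in four places and the spec will only catch a drift in one of them by accident. A small constant on the throttle configuration that both the initializer and these `let` blocks read, e.g. `let(:limit) { Rack::Attack::SIGN_UP_LIMIT }`, would keep the "aligned" values aligned by construction; this is a style suggestion, the assertions themselves are fine. The enclosing `describe` block begins before and ends after these hunks.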