forked from fedi/mastodon
Obfuscate filenames better, double rate limits
This commit is contained in:
parent
952bce3023
commit
02349b3269
app/controllers/concerns
config/initializers
docs/Using-the-API
|
@ -13,6 +13,10 @@ module ObfuscateFilename
|
|||
file = params.dig(*path)
|
||||
return if file.nil?
|
||||
|
||||
file.original_filename = 'media' + File.extname(file.original_filename)
|
||||
file.original_filename = secure_token + File.extname(file.original_filename)
|
||||
end
|
||||
|
||||
def secure_token(length = 16)
|
||||
SecureRandom.hex(length / 2)
|
||||
end
|
||||
end
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
class Rack::Attack
|
||||
# Rate limits for the API
|
||||
throttle('api', limit: 150, period: 5.minutes) do |req|
|
||||
throttle('api', limit: 300, period: 5.minutes) do |req|
|
||||
req.ip if req.path.match(/\A\/api\/v/)
|
||||
end
|
||||
|
||||
|
@ -11,7 +11,7 @@ class Rack::Attack
|
|||
headers = {
|
||||
'X-RateLimit-Limit' => match_data[:limit].to_s,
|
||||
'X-RateLimit-Remaining' => '0',
|
||||
'X-RateLimit-Reset' => (now + (match_data[:period] - now.to_i % match_data[:period])).iso8601(6)
|
||||
'X-RateLimit-Reset' => (now + (match_data[:period] - now.to_i % match_data[:period])).iso8601(6),
|
||||
}
|
||||
|
||||
[429, headers, [{ error: 'Throttled' }.to_json]]
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
Push notifications
|
||||
==================
|
||||
|
||||
**Note: This push notification design turned out to not be fully operational on the side of Firebase. A different approach is in consideration**
|
||||
See <https://github.com/Gargron/tusky-api> for an example of how to create push notifications for a mobile app. It involves using the Mastodon streaming API on behalf of the app's users, as a sort of proxy.
|
||||
|
|
Loading…
Reference in a new issue