rack_attack.rb 4.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153
  1. # frozen_string_literal: true
  2. require 'doorkeeper/grape/authorization_decorator'
  3. class Rack::Attack
  4. class Request
  5. def authenticated_token
  6. return @token if defined?(@token)
  7. @token = Doorkeeper::OAuth::Token.authenticate(
  8. Doorkeeper::Grape::AuthorizationDecorator.new(self),
  9. *Doorkeeper.configuration.access_token_methods
  10. )
  11. end
  12. def remote_ip
  13. @remote_ip ||= (@env["action_dispatch.remote_ip"] || ip).to_s
  14. end
  15. def throttleable_remote_ip
  16. @throttleable_remote_ip ||= begin
  17. ip = IPAddr.new(remote_ip)
  18. if ip.ipv6?
  19. ip.mask(64)
  20. else
  21. ip
  22. end
  23. end.to_s
  24. end
  25. def authenticated_user_id
  26. authenticated_token&.resource_owner_id
  27. end
  28. def authenticated_token_id
  29. authenticated_token&.id
  30. end
  31. def unauthenticated?
  32. !authenticated_user_id
  33. end
  34. def api_request?
  35. path.start_with?('/api')
  36. end
  37. def path_matches?(other_path)
  38. /\A#{Regexp.escape(other_path)}(\..*)?\z/ =~ path
  39. end
  40. def web_request?
  41. !api_request?
  42. end
  43. def paging_request?
  44. params['page'].present? || params['min_id'].present? || params['max_id'].present? || params['since_id'].present?
  45. end
  46. end
  47. Rack::Attack.safelist('allow from localhost') do |req|
  48. req.remote_ip == '127.0.0.1' || req.remote_ip == '::1'
  49. end
  50. Rack::Attack.blocklist('deny from blocklist') do |req|
  51. IpBlock.blocked?(req.remote_ip)
  52. end
  53. throttle('throttle_authenticated_api', limit: 1_500, period: 5.minutes) do |req|
  54. req.authenticated_user_id if req.api_request?
  55. end
  56. throttle('throttle_per_token_api', limit: 300, period: 5.minutes) do |req|
  57. req.authenticated_token_id if req.api_request?
  58. end
  59. throttle('throttle_unauthenticated_api', limit: 300, period: 5.minutes) do |req|
  60. req.throttleable_remote_ip if req.api_request? && req.unauthenticated?
  61. end
  62. throttle('throttle_api_media', limit: 30, period: 30.minutes) do |req|
  63. req.authenticated_user_id if req.post? && req.path.match?(/\A\/api\/v\d+\/media\z/i)
  64. end
  65. throttle('throttle_media_proxy', limit: 30, period: 10.minutes) do |req|
  66. req.throttleable_remote_ip if req.path.start_with?('/media_proxy')
  67. end
  68. throttle('throttle_api_sign_up', limit: 5, period: 30.minutes) do |req|
  69. req.throttleable_remote_ip if req.post? && req.path == '/api/v1/accounts'
  70. end
  71. throttle('throttle_authenticated_paging', limit: 300, period: 15.minutes) do |req|
  72. req.authenticated_user_id if req.paging_request?
  73. end
  74. throttle('throttle_unauthenticated_paging', limit: 300, period: 15.minutes) do |req|
  75. req.throttleable_remote_ip if req.paging_request? && req.unauthenticated?
  76. end
  77. API_DELETE_REBLOG_REGEX = /\A\/api\/v1\/statuses\/[\d]+\/unreblog\z/.freeze
  78. API_DELETE_STATUS_REGEX = /\A\/api\/v1\/statuses\/[\d]+\z/.freeze
  79. throttle('throttle_api_delete', limit: 30, period: 30.minutes) do |req|
  80. req.authenticated_user_id if (req.post? && req.path.match?(API_DELETE_REBLOG_REGEX)) || (req.delete? && req.path.match?(API_DELETE_STATUS_REGEX))
  81. end
  82. throttle('throttle_sign_up_attempts/ip', limit: 25, period: 5.minutes) do |req|
  83. req.throttleable_remote_ip if req.post? && req.path_matches?('/auth')
  84. end
  85. throttle('throttle_password_resets/ip', limit: 25, period: 5.minutes) do |req|
  86. req.throttleable_remote_ip if req.post? && req.path_matches?('/auth/password')
  87. end
  88. throttle('throttle_password_resets/email', limit: 5, period: 30.minutes) do |req|
  89. req.params.dig('user', 'email').presence if req.post? && req.path_matches?('/auth/password')
  90. end
  91. throttle('throttle_email_confirmations/ip', limit: 25, period: 5.minutes) do |req|
  92. req.throttleable_remote_ip if req.post? && (req.path_matches?('/auth/confirmation') || req.path == '/api/v1/emails/confirmations')
  93. end
  94. throttle('throttle_email_confirmations/email', limit: 5, period: 30.minutes) do |req|
  95. if req.post? && req.path_matches?('/auth/password')
  96. req.params.dig('user', 'email').presence
  97. elsif req.post? && req.path == '/api/v1/emails/confirmations'
  98. req.authenticated_user_id
  99. end
  100. end
  101. throttle('throttle_login_attempts/ip', limit: 25, period: 5.minutes) do |req|
  102. req.throttleable_remote_ip if req.post? && req.path_matches?('/auth/sign_in')
  103. end
  104. throttle('throttle_login_attempts/email', limit: 25, period: 1.hour) do |req|
  105. req.session[:attempt_user_id] || req.params.dig('user', 'email').presence if req.post? && req.path_matches?('/auth/sign_in')
  106. end
  107. self.throttled_responder = lambda do |request|
  108. now = Time.now.utc
  109. match_data = request.env['rack.attack.match_data']
  110. headers = {
  111. 'Content-Type' => 'application/json',
  112. 'X-RateLimit-Limit' => match_data[:limit].to_s,
  113. 'X-RateLimit-Remaining' => '0',
  114. 'X-RateLimit-Reset' => (now + (match_data[:period] - now.to_i % match_data[:period])).iso8601(6),
  115. }
  116. [429, headers, [{ error: I18n.t('errors.429') }.to_json]]
  117. end
  118. end