me/glitchier-soc
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
14360 commits 2 branches 0 tags 429 MiB
Commit graph

36 commits

Author SHA1 Message Date
Matt Jankowski
08421e7b90 Fix Naming/MemoizedInstanceVariableName cop (#25928) 2023-07-12 10:08:51 +02:00
Nick Schonning
ef344388c5 Autofix Rubocop Regex Style rules (#23690) 
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
 2023-06-06 14:50:51 +02:00
Nick Schonning
67c5ac4971 Autofix Rubocop Lint/AmbiguousOperatorPrecedence (#25002) 2023-05-16 10:51:59 +02:00
Nick Schonning
519ae8c0c6 Drop EOL Ruby 2.7 (#24237) 2023-04-27 01:46:18 +02:00
Eugen Rochko
d08bd66f42 Change rate limits to 1,500/5m per user, 300/5m per app (#23347) 2023-02-02 00:07:49 +01:00
Eugen Rochko
e18c8537e6 Fix rate limiting for paths with formats (#20675) 2022-11-14 20:26:31 +01:00
dependabot[bot]
0bc38b0a8a Bump rack-attack from 6.5.0 to 6.6.0 (#17405) 
* Bump rack-attack from 6.5.0 to 6.6.0

Bumps [rack-attack](https://github.com/rack/rack-attack) from 6.5.0 to 6.6.0.
- [Release notes](https://github.com/rack/rack-attack/releases)
- [Changelog](https://github.com/rack/rack-attack/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rack/rack-attack/compare/v6.5.0...v6.6.0)

---
updated-dependencies:
- dependency-name: rack-attack
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Fix usage of deprecated API

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugen Rochko <eugen@zeonfederated.com>
 2022-03-12 09:23:53 +01:00
Claire
9f9e82918f Fix error when trying to register (#17600) 2022-02-21 14:55:38 +01:00
zunda
8009c67a09 Avoid return within block (#17590) 
This prevents the error: LocalJumpError (unexpected return)
 2022-02-18 20:21:21 +01:00
Jeong Arm
ec4e4ada63 Throttle IPv6 signup for subnet (#17588) 2022-02-18 13:51:51 +01:00
Jeong Arm
df31a1a8e6 Fix media API limit (#17272) 2022-01-10 14:25:24 +01:00
Eugen Rochko
28399e88b5 Add POST /api/v1/emails/confirmations to REST API (#15816) 
Only available to the application the user originally signed-up with
 2021-03-01 18:39:47 +01:00
luigi
c19fe86d66 Optimize some regex matching (#15528) 
* Use Regex#match?

* Replace =~ too

* Avoid to call match? from Nil

* Keep value of Regexp.last_match
 2021-01-22 10:09:08 +01:00
Eugen Rochko
da4c730c47 Add IP-based rules (#14963) 2020-10-12 16:33:49 +02:00
Eugen Rochko
ac4f9abce6 Change rate limits for various paths (#14253) 
- Rate limit login attempts by target account
- Rate limit password resets and e-mail re-confirmations by target account
- Rate limit sign-up/login attempts, password resets, and e-mail re-confirmations by IP like before
 2020-07-07 15:26:39 +02:00
Eugen Rochko
8fa78c0ec8 Fix re-sending of e-mail confirmation not being rate limited (#13360) 
Fix #13330
 2020-03-31 18:20:48 +02:00
Eugen Rochko
a4668d994b Add specific rate limits for posting and following (#13172) 2020-03-08 15:17:39 +01:00
Eugen Rochko
e8b07657c2 Fix uncaught query param encoding errors (#12741) 2020-01-02 17:14:58 +01:00
Yamagishi Kazutoshi
025de313bc Change rate limit for media proxy (#11814) 2019-09-13 16:02:52 +02:00
Hinaloe
ae5f2716a5 Fix undefined method error (#10868) 2019-05-28 15:31:51 +03:00
mayaeh
a08bfea202 Fix undefined method error. (#10867) 2019-05-28 05:42:04 +02:00
ThibG
875faa1da6 Improve rate limiting (#10860) 
* Rate limit based on remote address IP, not on potential reverse proxy

* Limit rate of unauthenticated API requests further

* Rate-limit paging requests to one every 3 seconds
 2019-05-27 21:57:49 +02:00
Eugen Rochko
1ed2c9c16e Add rate limit for media proxy requests (#10490) 
30 per 30 minutes, like media uploads
 2019-04-07 04:26:43 +02:00
Eugen Rochko
9bf5658885 Add tight rate-limit for API deletions (#10042) 
Deletions take a lot of resources to execute and cause a lot of
federation traffic, so it makes sense to decrease the number
someone can queue up through the API.

30 per 30 minutes
 2019-02-14 06:27:54 +01:00
Eugen Rochko
bbf9f4f93b Add REST API for creating an account (#9572) 
* Add REST API for creating an account

The method is available to apps with a token obtained via the client
credentials grant. It creates a user and account records, as well as
an access token for the app that initiated the request. The user is
unconfirmed, and an e-mail is sent as usual.

The method returns the access token, which the app should save for
later. The REST API is not available to users with unconfirmed
accounts, so the app must be smart to wait for the user to click a
link in their e-mail inbox.

The method is rate-limited by IP to 5 requests per 30 minutes.

* Redirect users back to app from confirmation if they were created with an app

* Add tests

* Return 403 on the method if registrations are not open

* Require agreement param to be true in the API when creating an account
 2018-12-24 19:12:38 +01:00
aus-social
c883b1ffc9 lint pass 2 (#8878) 
* Code quality pass

* Typofix

* Update applications_controller_spec.rb

* Update applications_controller_spec.rb
 2018-10-04 17:38:04 +02:00
Akihiko Odaki
854d974499 Add a missing question mark in rack_attack.rb (#7338) 2018-05-03 18:51:00 +02:00
Akihiko Odaki
5cddff0795 Throttle media post (#7337) 
The previous rate limit allowed to post media so fast that it is possible
to fill up the disk space even before an administrator notices. The new
rate limit is configured so that it takes 24 hours to eat 10 gigabytes:
10 * 1024 / 8 / (24 * 60 / 30) = 27 (which rounded to 30)

The period is set long so that it does not prevent from attaching several
media to one post, which would happen in a short period. For example,
if the period is 5 minutes, the rate limit would be:
10 * 1024 / 8 / (24 * 60 / 5) = 4

This long period allows to lift the limit up.
 2018-05-03 17:32:00 +02:00
Eugen Rochko
b7b0f630a0 Increase rate limit on protected paths (#6229) 
Previously each protected path had a separate rate limit. Now they're all in the same bucket, so people are more likely to hit one with register->login. Increasing to 25 per 5 minutes should be fine.
 2018-01-09 17:07:54 +01:00
Eugen Rochko
31fe0d067b Apply a 25x rate limit by IP even to authenticated requests (#5948) 2017-12-11 15:32:29 +01:00
Naoki Kosaka
77660c4624 Missing require 'authorization_decorator'. (#5947) 2017-12-09 15:12:10 +01:00
Eugen Rochko
87af0bf6cf Rate limit by user instead of IP when API user is authenticated (#5923) 
* Fix #668 - Rate limit by user instead of IP when API user is authenticated

* Fix code style issue

* Use request decorator provided by Doorkeeper
 2017-12-09 14:20:02 +01:00
unarist
527eacf403 Add Content-Type header on throttled response to fix mojibake (#4558) 
application/json only allows Unicode, so this prevents from wrong charset detection.
 2017-08-08 15:47:35 +02:00
alpaca-tc
62738bf1a9 Localize 'throttled' (#2755) 2017-05-03 23:36:19 +02:00
Tristan Mahé
19881e24fe allow localhost to bypass the ratelimit (#2554) 2017-04-30 00:27:49 +02:00
Eugen
e47b32072f Add rate limits for logins and sign-ups by IP (5 in 5 minutes) (#2079) 
* Add rate limits for logins and sign-ups by IP (5 in 5 minutes)
Should be enough for normal attempts

* Add rate limit for forgotten password form as well
 2017-04-18 22:29:14 +02:00
Renamed from config/initializers/rack-attack.rb (Browse further)