Change rate limits to 1,500/5m per user, 300/5m per app (#23347)

This commit is contained in:
Eugen Rochko 2023-02-02 00:07:49 +01:00 committed by GitHub
parent 420f33ccb9
commit c6ef56fd5e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -33,6 +33,10 @@ class Rack::Attack
authenticated_token&.resource_owner_id authenticated_token&.resource_owner_id
end end
def authenticated_token_id
authenticated_token&.id
end
def unauthenticated? def unauthenticated?
!authenticated_user_id !authenticated_user_id
end end
@ -62,10 +66,14 @@ class Rack::Attack
IpBlock.blocked?(req.remote_ip) IpBlock.blocked?(req.remote_ip)
end end
throttle('throttle_authenticated_api', limit: 300, period: 5.minutes) do |req| throttle('throttle_authenticated_api', limit: 1_500, period: 5.minutes) do |req|
req.authenticated_user_id if req.api_request? req.authenticated_user_id if req.api_request?
end end
throttle('throttle_per_token_api', limit: 300, period: 5.minutes) do |req|
req.authenticated_token_id if req.api_request?
end
throttle('throttle_unauthenticated_api', limit: 300, period: 5.minutes) do |req| throttle('throttle_unauthenticated_api', limit: 300, period: 5.minutes) do |req|
req.throttleable_remote_ip if req.api_request? && req.unauthenticated? req.throttleable_remote_ip if req.api_request? && req.unauthenticated?
end end