From 34930e1a3ec8c5cbd6822b1093daedc8ffe1926b Mon Sep 17 00:00:00 2001 From: Emelia Smith Date: Wed, 21 Aug 2024 23:56:49 +0200 Subject: [PATCH] Align sign-up rate limits between API and Web UI --- config/initializers/rack_attack.rb | 4 ++-- spec/config/initializers/rack/attack_spec.rb | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb index b4eaab1daa..75e2193e06 100644 --- a/config/initializers/rack_attack.rb +++ b/config/initializers/rack_attack.rb @@ -86,7 +86,7 @@ class Rack::Attack req.throttleable_remote_ip if req.path.start_with?('/media_proxy') end - throttle('throttle_api_sign_up', limit: 5, period: 30.minutes) do |req| + throttle('throttle_api_sign_up', limit: 15, period: 15.minutes) do |req| req.throttleable_remote_ip if req.post? && req.path == '/api/v1/accounts' end @@ -109,7 +109,7 @@ class Rack::Attack req.throttleable_remote_ip if req.post? && req.path == '/api/v1/apps' end - throttle('throttle_sign_up_attempts/ip', limit: 25, period: 5.minutes) do |req| + throttle('throttle_sign_up_attempts/ip', limit: 15, period: 15.minutes) do |req| req.throttleable_remote_ip if req.post? && req.path_matches?('/auth') end diff --git a/spec/config/initializers/rack/attack_spec.rb b/spec/config/initializers/rack/attack_spec.rb index 19de480898..1aaa912848 100644 --- a/spec/config/initializers/rack/attack_spec.rb +++ b/spec/config/initializers/rack/attack_spec.rb @@ -74,8 +74,8 @@ describe Rack::Attack, type: :request do describe 'throttle excessive sign-up requests by IP address' do context 'when accessed through the website' do let(:throttle) { 'throttle_sign_up_attempts/ip' } - let(:limit) { 25 } - let(:period) { 5.minutes } + let(:limit) { 15 } + let(:period) { 15.minutes } let(:request) { -> { post path, headers: { 'REMOTE_ADDR' => remote_ip } } } context 'with exact path' do @@ -93,8 +93,8 @@ describe Rack::Attack, type: :request do context 'when accessed through the API' do let(:throttle) { 'throttle_api_sign_up' } - let(:limit) { 5 } - let(:period) { 30.minutes } + let(:limit) { 15 } + let(:period) { 15.minutes } let(:request) { -> { post path, headers: { 'REMOTE_ADDR' => remote_ip } } } context 'with exact path' do