
Merge branch '1260-rate-limited-auth-actions' into 'develop'

[#1260] Rate-limiting for create authentication and related requests

Closes #1260

See merge request pleroma/pleroma!1681
Haelwenn 4 years ago
parent
commit
15592f1abe
5 changed files with 16 additions and 2 deletions
  1. +1
    -0
      CHANGELOG.md
  2. +1
    -1
      config/config.exs
  3. +8
    -1
      config/description.exs
  4. +5
    -0
      lib/pleroma/web/mongooseim/mongoose_im_controller.ex
  5. +1
    -0
      lib/pleroma/web/oauth/oauth_controller.ex

+ 1
- 0
CHANGELOG.md View File

@@ -14,6 +14,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- Mastodon API: Add `upload_limit`, `avatar_upload_limit`, `background_upload_limit`, and `banner_upload_limit` to `/api/v1/instance`
- Mastodon API: Add `pleroma.unread_conversation_count` to the Account entity
- OAuth: support for hierarchical permissions / [Mastodon 2.4.3 OAuth permissions](https://docs.joinmastodon.org/api/permissions/)
- Authentication: Added rate limit for password-authorized actions / login existence checks

### Changed
- **Breaking:** Elixir >=1.8 is now required (was >= 1.7)


+ 1
- 1
config/config.exs View File

@@ -588,7 +588,7 @@ config :pleroma, :env, Mix.env()
config :http_signatures,
adapter: Pleroma.Signature

config :pleroma, :rate_limit, nil
config :pleroma, :rate_limit, authentication: {60_000, 15}

config :pleroma, Pleroma.ActivityExpiration, enabled: true



+ 8
- 1
config/description.exs View File

@@ -2290,7 +2290,8 @@ config :pleroma, :config_description, [
group: :pleroma,
key: :rate_limit,
type: :group,
description: "Rate limit settings. This is an advanced feature and disabled by default.",
description:
"Rate limit settings. This is an advanced feature enabled only for :authentication by default.",
children: [
%{
key: :search,
@@ -2329,6 +2330,12 @@ config :pleroma, :config_description, [
description:
"for fav / unfav or reblog / unreblog actions on the same status by the same user",
suggestions: [{1000, 10}, [{10_000, 10}, {10_000, 50}]]
},
%{
key: :authentication,
type: [:tuple, {:list, :tuple}],
description: "for authentication create / password check / user existence check requests",
suggestions: [{60_000, 15}]
}
]
},
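Review bot: The `:authentication` entry's `suggestions: [{60_000, 15}]` shows only the single-tuple form, although its `type: [:tuple, {:list, :tuple}]` is the same as the neighbouring entry, whose suggestions list both a tuple and a list of tuples so an operator can see the per-scope form. Consider adding a list-form example too, e.g. `suggestions: [{60_000, 15}, [{60_000, 15}, {60_000, 5}]]` (constructed values, adjust to the intended defaults), so the two-bucket configuration used by the MongooseIM controller in this commit is discoverable from the settings description. The `description:` could also say which request kinds the two elements of a list apply to, mirroring the sibling entry's wording. The enclosing `children:` list and `config :pleroma, :config_description` block continue outside the hunk.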


+ 5
- 0
lib/pleroma/web/mongooseim/mongoose_im_controller.ex View File

@@ -4,10 +4,15 @@

defmodule Pleroma.Web.MongooseIM.MongooseIMController do
use Pleroma.Web, :controller

alias Comeonin.Pbkdf2
alias Pleroma.Plugs.RateLimiter
alias Pleroma.Repo
alias Pleroma.User

plug(RateLimiter, :authentication when action in [:user_exists, :check_password])
plug(RateLimiter, {:authentication, params: ["user"]} when action == :check_password)

def user_exists(conn, %{"user" => username}) do
with %User{} <- Repo.get_by(User, nickname: username, local: true) do
conn
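Review bot: The two `plug(RateLimiter, ...)` lines carry no comment on why `check_password` gets a second bucket scoped by `params: ["user"]` while `user_exists` is covered only by the first plug, so the second plug reads as redundant and could be dropped later. Suggest `# Second limit is keyed on the target "user" param (presumably, confirm in RateLimiter) so guesses against one account stay bounded regardless of source address; user_exists only needs the per-source limit.` above the first plug line. It is also worth confirming that RateLimiter keys the `params` bucket separately from the plain `:authentication` bucket, since both plugs share the same name and the same `{60_000, 15}` tuple from config.exs, and a shared bucket would count every check_password request twice against the same limit. The module body continues outside the hunk.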


+ 1
- 0
lib/pleroma/web/oauth/oauth_controller.ex View File

@@ -24,6 +24,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do

plug(:fetch_session)
plug(:fetch_flash)
plug(Pleroma.Plugs.RateLimiter, :authentication when action == :create_authorization)

action_fallback(Pleroma.Web.OAuth.FallbackController)
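Review bot: The guard `when action == :create_authorization` limits only the authorization-form submission; if this controller's token-exchange action also accepts the password grant (the CHANGELOG entry in this commit speaks of "password-authorized actions"), that path performs the same credential check and remains unlimited, which is the one an automated client would use. Consider widening the guard, e.g. `plug(Pleroma.Plugs.RateLimiter, :authentication when action in [:create_authorization, :token_exchange])` if such an action exists here, or add a comment stating why only the form endpoint is covered. The MongooseIM controller in this commit aliases `Pleroma.Plugs.RateLimiter` while this file spells the module out in the plug line; aligning the two keeps the plug declarations alike. The module body starts and continues outside the hunk.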


