[#1260] Rate-limiting for create authentication and related requests.

This commit is contained in:
Ivan Tashkinov 2019-09-17 16:16:11 +03:00
parent a58f29b826
commit e7afb67c5c
4 changed files with 15 additions and 2 deletions


@ -585,7 +585,7 @@ config :pleroma, :env, Mix.env()
config :http_signatures, config :http_signatures,
adapter: Pleroma.Signature adapter: Pleroma.Signature
config :pleroma, :rate_limit, nil config :pleroma, :rate_limit, authentication: {60_000, 15}
config :pleroma, Pleroma.ActivityExpiration, enabled: true config :pleroma, Pleroma.ActivityExpiration, enabled: true
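Review bot: The new default switches the limiter on for :authentication without saying what the tuple means; a comment next to it such as `# {window_ms, max_requests}: 15 authentication attempts per 60 s window, per bucket` would help operators, assuming that is the RateLimiter's tuple order as the `suggestions: [{60_000, 15}]` entry in the description file implies. If the limiter buckets on the connection's remote address, instances behind a reverse proxy that do not restore the client IP would share a single bucket for every user and exhaust 15/min quickly, so the same comment should tell operators to verify their proxy setup or adjust the value.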


@ -2424,7 +2424,8 @@ config :pleroma, :config_description, [
group: :pleroma, group: :pleroma,
key: :rate_limit, key: :rate_limit,
type: :group, type: :group,
description: "Rate limit settings. This is an advanced feature and disabled by default.", description:
"Rate limit settings. This is an advanced feature enabled only for :authentication by default.",
children: [ children: [
%{ %{
key: :search, key: :search,
@ -2463,6 +2464,12 @@ config :pleroma, :config_description, [
description: description:
"for fav / unfav or reblog / unreblog actions on the same status by the same user", "for fav / unfav or reblog / unreblog actions on the same status by the same user",
suggestions: [{1000, 10}, [{10_000, 10}, {10_000, 50}]] suggestions: [{1000, 10}, [{10_000, 10}, {10_000, 50}]]
},
%{
key: :authentication,
type: [:tuple, {:list, :tuple}],
description: "for authentication create / password check / user existence check requests",
suggestions: [{60_000, 15}]
} }
] ]
}, },


@ -4,10 +4,15 @@
defmodule Pleroma.Web.MongooseIM.MongooseIMController do defmodule Pleroma.Web.MongooseIM.MongooseIMController do
use Pleroma.Web, :controller use Pleroma.Web, :controller
alias Comeonin.Pbkdf2 alias Comeonin.Pbkdf2
alias Pleroma.Plugs.RateLimiter
alias Pleroma.Repo alias Pleroma.Repo
alias Pleroma.User alias Pleroma.User
plug(RateLimiter, :authentication when action in [:user_exists, :check_password])
plug(RateLimiter, {:authentication, params: ["user"]} when action == :check_password)
def user_exists(conn, %{"user" => username}) do def user_exists(conn, %{"user" => username}) do
with %User{} <- Repo.get_by(User, nickname: username, local: true) do with %User{} <- Repo.get_by(User, nickname: username, local: true) do
conn conn
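Review bot: The second plug adds an :authentication bucket keyed on the `user` parameter for check_password, so once the limit is reached for one nickname within the window, presumably that account's legitimate XMPP logins are refused as well regardless of origin; that lock-out trade-off deserves a comment, e.g. `# per-account bucket: caps guesses against one nickname across addresses, but also blocks the real user until the window resets`. user_exists is covered only by the first, per-connection bucket, which is the one that matters for account enumeration, so a one-line comment on that plug stating the intent would also help. The bodies of user_exists and check_password continue outside the hunk.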


@ -24,6 +24,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
plug(:fetch_session) plug(:fetch_session)
plug(:fetch_flash) plug(:fetch_flash)
plug(Pleroma.Plugs.RateLimiter, :authentication when action == :create_authorization)
action_fallback(Pleroma.Web.OAuth.FallbackController) action_fallback(Pleroma.Web.OAuth.FallbackController)
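Review bot: create_authorization is limited only by the default :authentication bucket here (presumably per remote address), unlike MongooseIMController in this same commit, which adds a second bucket keyed on the username parameter; password guesses against a single account spread over many addresses are therefore not slowed by this plug. A parallel `plug(Pleroma.Plugs.RateLimiter, {:authentication, params: [...]} when action == :create_authorization)` keyed on the authorization form's username field would make the two controllers consistent. If this controller also serves a token endpoint that accepts a password grant (outside the hunk), its credential check is not covered by this plug either. The module continues outside the hunk.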