[#1260] Rate-limiting for create authentication and related requests.

2019-09-17 16:16:11 +03:00 · 2019-09-17 16:16:11 +03:00 · e7afb67c5c
parent a58f29b826
commit e7afb67c5c
4 changed files with 15 additions and 2 deletions
--- a/config/config.exs
+++ b/config/config.exs
@ -585,7 +585,7 @@ config :pleroma, :env, Mix.env()
 config :http_signatures,
  adapter: Pleroma.Signature

-config :pleroma, :rate_limit, nil
+config :pleroma, :rate_limit, authentication: {60_000, 15}

 config :pleroma, Pleroma.ActivityExpiration, enabled: true

--- a/config/description.exs
+++ b/config/description.exs
@ -2424,7 +2424,8 @@ config :pleroma, :config_description, [
    group: :pleroma,
    key: :rate_limit,
    type: :group,
-    description: "Rate limit settings. This is an advanced feature and disabled by default.",
+    description:
+      "Rate limit settings. This is an advanced feature enabled only for :authentication by default.",
    children: [
      %{
        key: :search,
@ -2463,6 +2464,12 @@ config :pleroma, :config_description, [
        description:
          "for fav / unfav or reblog / unreblog actions on the same status by the same user",
        suggestions: [{1000, 10}, [{10_000, 10}, {10_000, 50}]]
+      },
+      %{
+        key: :authentication,
+        type: [:tuple, {:list, :tuple}],
+        description: "for authentication create / password check / user existence check requests",
+        suggestions: [{60_000, 15}]
      }
    ]
  },
--- a/lib/pleroma/web/mongooseim/mongoose_im_controller.ex
+++ b/lib/pleroma/web/mongooseim/mongoose_im_controller.ex
@ -4,10 +4,15 @@

 defmodule Pleroma.Web.MongooseIM.MongooseIMController do
  use Pleroma.Web, :controller
+
  alias Comeonin.Pbkdf2
+  alias Pleroma.Plugs.RateLimiter
  alias Pleroma.Repo
  alias Pleroma.User

+  plug(RateLimiter, :authentication when action in [:user_exists, :check_password])
+  plug(RateLimiter, {:authentication, params: ["user"]} when action == :check_password)
+
  def user_exists(conn, %{"user" => username}) do
    with %User{} <- Repo.get_by(User, nickname: username, local: true) do
      conn
--- a/lib/pleroma/web/oauth/oauth_controller.ex
+++ b/lib/pleroma/web/oauth/oauth_controller.ex
@ -24,6 +24,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do

  plug(:fetch_session)
  plug(:fetch_flash)
+  plug(Pleroma.Plugs.RateLimiter, :authentication when action == :create_authorization)

  action_fallback(Pleroma.Web.OAuth.FallbackController)