From e7afb67c5c26fcb07c1f8d4390c0573cebef9520 Mon Sep 17 00:00:00 2001
From: Ivan Tashkinov
Date: Tue, 17 Sep 2019 16:16:11 +0300
Subject: [PATCH 1/2] [#1260] Rate-limiting for create authentication and related requests.
---
 config/config.exs | 2 +-
 config/description.exs | 9 ++++++++-
 lib/pleroma/web/mongooseim/mongoose_im_controller.ex | 5 +++++
 lib/pleroma/web/oauth/oauth_controller.ex | 1 +
 4 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/config/config.exs b/config/config.exs
index c7e0cf09f..15979702f 100644
--- a/config/config.exs
+++ b/config/config.exs
@@ -585,7 +585,7 @@ config :http_signatures, adapter: Pleroma.Signature
-config :pleroma, :rate_limit, nil
+config :pleroma, :rate_limit, authentication: {60_000, 15}
 config :pleroma, Pleroma.ActivityExpiration, enabled: true
diff --git a/config/description.exs b/config/description.exs
index 32d36d6d6..bd0378e00 100644
--- a/config/description.exs
+++ b/config/description.exs
@@ -2424,7 +2424,8 @@
 group: :pleroma,
 key: :rate_limit,
 type: :group,
- description: "Rate limit settings. This is an advanced feature and disabled by default.",
+ description:
+ "Rate limit settings. This is an advanced feature enabled only for :authentication by default.",
 children: [
 %{
 key: :search,
@@ -2463,6 +2464,12 @@
 description: "for fav / unfav or reblog / unreblog actions on the same status by the same user",
 suggestions: [{1000, 10}, [{10_000, 10}, {10_000, 50}]]
+ },
+ %{
+ key: :authentication,
+ type: [:tuple, {:list, :tuple}],
+ description: "for authentication create / password check / user existence check requests",
+ suggestions: [{60_000, 15}]
 }
 ]
 },
diff --git a/lib/pleroma/web/mongooseim/mongoose_im_controller.ex b/lib/pleroma/web/mongooseim/mongoose_im_controller.ex
index b786a521b..6ed181cff 100644
--- a/lib/pleroma/web/mongooseim/mongoose_im_controller.ex
+++ b/lib/pleroma/web/mongooseim/mongoose_im_controller.ex
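Review bot: Replacing `nil` with `authentication: {60_000, 15}` turns the limiter on for every instance at upgrade, but neither this line nor the description group says what a bucket is keyed on, and that decides whether the default is safe. If the limiter keys on the peer address and an instance sits behind a reverse proxy that does not hand the real client IP to the application, every user lands in one bucket of 15 attempts per minute (presumably `{scale_ms, limit}`) and a single busy client can lock everyone out of login. Worth a comment next to the new value, e.g. `# {scale in ms, limit} per client; behind a proxy the limiter must see the real client IP`, plus an upgrade note in the changelog entry of the second patch.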
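Review bot: The new `:authentication` entry in config/description.exs documents which actions it covers but not the meaning of the tuple, so an admin reading `suggestions: [{60_000, 15}]` cannot tell it is 15 requests per 60-second window without consulting the code; the other `:rate_limit` children have the same gap, but this is the first one that is on by default. I would extend the description to name the units, e.g. `description: "for authentication create / password check / user existence check requests; {scale in ms, limit}"`, and the rewritten group description could say that `:authentication` is enabled by default while the remaining keys stay off, which is what the config change in this commit actually does.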
@@ -4,10 +4,15 @@ defmodule Pleroma.Web.MongooseIM.MongooseIMController do
 use Pleroma.Web, :controller
+ alias Comeonin.Pbkdf2
+ alias Pleroma.Plugs.RateLimiter
 alias Pleroma.Repo
 alias Pleroma.User
+ plug(RateLimiter, :authentication when action in [:user_exists, :check_password])
+ plug(RateLimiter, {:authentication, params: ["user"]} when action == :check_password)
 def user_exists(conn, %{"user" => username}) do
 with %User{} <- Repo.get_by(User, nickname: username, local: true) do
 conn
diff --git a/lib/pleroma/web/oauth/oauth_controller.ex b/lib/pleroma/web/oauth/oauth_controller.ex
index 81eae2c8b..281c7d2d8 100644
--- a/lib/pleroma/web/oauth/oauth_controller.ex
+++ b/lib/pleroma/web/oauth/oauth_controller.ex
@@ -24,6 +24,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
 plug(:fetch_session)
 plug(:fetch_flash)
+ plug(Pleroma.Plugs.RateLimiter, :authentication when action == :create_authorization)
 action_fallback(Pleroma.Web.OAuth.FallbackController)
From 9f28249dfb0918cfd97450494c6c306dae9ab3fb Mon Sep 17 00:00:00 2001
From: Ivan Tashkinov
Date: Wed, 18 Sep 2019 12:06:12 +0300
Subject: [PATCH 2/2] [#1260] Added changelog entry.
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4eb72c002..1a86881c0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -116,6 +116,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Admin API: Added moderation log
 - Web response cache (currently, enabled for ActivityPub)
 - Mastodon API: Added an endpoint to get multiple statuses by IDs (`GET /api/v1/statuses/?ids[]=1&ids[]=2`)
+- Authentication: Added rate limit for password-authorized actions / login existence checks.
 ### Changed
 - Configuration: Filter.AnonymizeFilename added ability to retain file extension with custom text
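Review bot: `alias Comeonin.Pbkdf2` is added but nothing in the hunk uses it, and the diffstat shows all five insertions for this file are in this hunk, so unless `check_password` (outside the hunk) already refers to the short name `Pbkdf2` the compiler will emit an unused-alias warning; if that is the case the alias belongs in the commit that introduced the usage, otherwise drop it. The two `plug(RateLimiter, ...)` lines also deserve a why-comment, since it is not obvious that they are meant to stack: one bucket per client for both actions and a second bucket per supplied `"user"` for `check_password`, so that guesses against a single account are capped even when they arrive from many clients. Something like `# per-client bucket for both actions, plus a per-account bucket for password checks` above the first plug would make the intent survive the next refactor.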
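Review bot: The OAuth limiter is attached only to `create_authorization`, yet the commit message and changelog describe rate-limiting "password-authorized actions"; if this controller also verifies passwords in its token-exchange action for the password grant, as I would expect outside the hunk, that path stays unlimited and the new default protects only the browser form. Because the `when action == ...` guard sees only the action name and token exchange also serves refresh and authorization-code grants, extending the guard to `action in [:create_authorization, :token_exchange]` would throttle ordinary token refreshes too, so the password-grant clause probably needs its own limiter call keyed on the grant type. At minimum the changelog line should say which endpoints are actually covered.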