Obfuscate filenames better, double rate limits

02349b32 · Eugen Rochko · 952bce30 · 02349b32 · 02349b32 · 02349b32
Commit 02349b32 authored 8 years ago by Eugen Rochko
--- a/app/controllers/concerns/obfuscate_filename.rb
+++ b/app/controllers/concerns/obfuscate_filename.rb
@@ -13,6 +13,10 @@ module ObfuscateFilename
    file = params.dig(*path)
    return if file.nil?

-    file.original_filename = 'media' + File.extname(file.original_filename)
+    file.original_filename = secure_token + File.extname(file.original_filename)
+  end
+
+  def secure_token(length = 16)
+    SecureRandom.hex(length / 2)
  end
 end
--- a/config/initializers/rack-attack.rb
+++ b/config/initializers/rack-attack.rb
 class Rack::Attack
  # Rate limits for the API
-  throttle('api', limit: 150, period: 5.minutes) do |req|
+  throttle('api', limit: 300, period: 5.minutes) do |req|
    req.ip if req.path.match(/\A\/api\/v/)
  end

@@ -11,7 +11,7 @@ class Rack::Attack
    headers = {
      'X-RateLimit-Limit'     => match_data[:limit].to_s,
      'X-RateLimit-Remaining' => '0',
-      'X-RateLimit-Reset'     => (now + (match_data[:period] - now.to_i % match_data[:period])).iso8601(6)
+      'X-RateLimit-Reset'     => (now + (match_data[:period] - now.to_i % match_data[:period])).iso8601(6),
    }

    [429, headers, [{ error: 'Throttled' }.to_json]]

--- a/docs/Using-the-API/Push-notifications.md
+++ b/docs/Using-the-API/Push-notifications.md
 Push notifications
 ==================

-**Note: This push notification design turned out to not be fully operational on the side of Firebase. A different approach is in consideration**
+See <https://github.com/Gargron/tusky-api> for an example of how to create push notifications for a mobile app. It involves using the Mastodon streaming API on behalf of the app's users, as a sort of proxy.