Add rate limits for logins and sign-ups by IP (5 in 5 minutes) (#2079)

* Add rate limits for logins and sign-ups by IP (5 in 5 minutes) Should be enough for normal attempts * Add rate limit for forgotten password form as well

Add rate limits for logins and sign-ups by IP (5 in 5 minutes) (#2079)
ff5baa53 · Eugen · GitHub · 297c11db · ff5baa53
Commit ff5baa53 authored 7 years ago by Eugen Committed by GitHub 7 years ago
--- a/config/initializers/rack-attack.rb
+++ b/config/initializers/rack-attack.rb
+# frozen_string_literal: true
+
 class Rack::Attack
  # Rate limits for the API
  throttle('api', limit: 300, period: 5.minutes) do |req|
-    req.ip if req.path.match(/\A\/api\/v/)
+    req.ip if req.path =~ /\A\/api\/v/
+  end
+
+  # Rate limit logins
+  throttle('login', limit: 5, period: 5.minutes) do |req|
+    req.ip if req.path == '/auth/sign_in' && req.post?
+  end
+
+  # Rate limit sign-ups
+  throttle('register', limit: 5, period: 5.minutes) do |req|
+    req.ip if req.path == '/auth' && req.post?
+  end
+
+  # Rate limit forgotten passwords
+  throttle('reminder', limit: 5, period: 5.minutes) do |req|
+    req.ip if req.path == '/auth/password' && req.post?
  end

  self.throttled_response = lambda do |env|