bark/mastodon
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages 2 Wiki Activity

Merge commit from fork

Browse source 
* Add rate-limit on `/auth/setup`

* Remove useless test
This commit is contained in:
Claire 2025-02-27 15:44:35 +01:00 committed by GitHub
parent f5c4022a20
commit 06f879ce9b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 9 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
config/initializers/rack_attack.rb
View file

@ -122,7 +122,7 @@ class Rack::Attack
end
throttle('throttle_email_confirmations/ip', limit: 25, period: 5.minutes) do |req|
req.throttleable_remote_ip if req.post? && (req.path_matches?('/auth/confirmation') || req.path == '/api/v1/emails/confirmations')
req.throttleable_remote_ip if (req.post? && (req.path_matches?('/auth/confirmation') || req.path == '/api/v1/emails/confirmations')) || ((req.put? || req.patch?) && req.path_matches?('/auth/setup'))
end
throttle('throttle_email_confirmations/email', limit: 5, period: 30.minutes) do |req|
@ -133,6 +133,14 @@ class Rack::Attack
end
end
throttle('throttle_auth_setup/email', limit: 5, period: 10.minutes) do |req|
req.params.dig('user', 'email').presence if (req.put? || req.patch?) && req.path_matches?('/auth/setup')
end
throttle('throttle_auth_setup/account', limit: 5, period: 10.minutes) do |req|
req.warden_user_id if (req.put? || req.patch?) && req.path_matches?('/auth/setup')
end
throttle('throttle_login_attempts/ip', limit: 25, period: 5.minutes) do |req|
req.throttleable_remote_ip if req.post? && req.path_matches?('/auth/sign_in')
end

11
spec/requests/auth/setup_spec.rb
View file

@ -24,15 +24,4 @@ RSpec.describe 'Auth Setup' do
end
end
end
describe 'PUT /auth/setup' do
before { sign_in Fabricate(:user, confirmed_at: nil) }
it 'gracefully handles invalid nested params' do
put '/auth/setup?user=invalid'
expect(response)
.to have_http_status(400)
end
end
end