jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

controllers: refactor rate limits.

Browse Source 
Refactor controllers so that endpoint rate limits are declared locally,
with the endpoint, instead of globally, in a single method in ApplicationController.

This way an endpoint's rate limit is declared in the same file as the
endpoint itself.

This is so we can add fine-grained rate limits for certain GET requests.
Before rate limits were only for non-GET requests.
This commit is contained in:
evazion
2021-12-09 21:37:09 -06:00
parent aeb2b2b7ae
commit 2e9f4dc2f4
14 changed files with 67 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
app/logical/rate_limiter.rb
View File

@@ -21,34 +21,19 @@ class RateLimiter
@burst = burst
end
# Create a RateLimiter object for the current controller, action, user, and
# IP. A RateLimiter usually has two RateLimits, one for the user and one for
# their IP. The action is limited if either the user or their IP are limited.
# Create a RateLimiter object for the given action. A RateLimiter usually has
# two RateLimits, one for the user and one for their IP. The action is
# limited if either the user or their IP are limited.
#
# @param controller_name [String] the current controller
# @param action_name [String] the current controller action
# @param user [User] the current user
# @param ip_addr [String] the user's IP address
# @return [RateLimit] the rate limit for the action
def self.for_action(controller_name, action_name, user, ip_addr)
action = "#{controller_name}:#{action_name}"
# @param action [String] An identifier for the action being rate limited.
# @param rate [Float] The rate limit, in actions per second.
# @param burst [Float] The burst limit (the maximum number of actions you can
# perform in one burst before being rate limited).
# @param user [User] The current user.
# @param ip_addr [String] The user's IP address.
# @return [RateLimit] The rate limit for the action.
def self.build(action:, rate:, burst:, user:, ip_addr:)
keys = [(user.cache_key unless user.is_anonymous?), "ip/#{ip_addr.to_s}"].compact
case action
when "users:create"
rate, burst = 1.0 / 5.minutes, 10
when "emails:update", "sessions:create", "moderation_reports:create"
rate, burst = 1.0 / 1.minute, 10
when "dmails:create", "comments:create", "forum_posts:create", "forum_topics:create"
rate, burst = 1.0 / 1.minute, 50
when "comment_votes:create", "comment_votes:destroy", "post_votes:create",
"post_votes:destroy", "favorites:create", "favorites:destroy", "post_disapprovals:create"
rate, burst = 1.0 / 1.second, 200
else
rate = user.api_regen_multiplier
burst = 200
end
RateLimiter.new(action, keys, rate: rate, burst: burst)
end