rate limits: adjust limits for various actions.

* Tie rate limits to both the user's ID and their IP address. * Make each endpoint have separate rate limits. This means that, for example, your post edit rate limit is separate from your post vote rate limit. Before all write actions had a shared rate limit. * Make all write endpoints have rate limits. Before some endpoints, such as voting, favoriting, commenting, or forum posting, weren't subject to rate limits. * Add stricter rate limits for some endpoints: ** 1 per 5 minutes for creating new accounts. ** 1 per minute for login attempts, changing your email address, or for creating mod reports. ** 1 per minute for sending dmails, creating comments, creating forum posts, or creating forum topics. ** 1 per second for voting, favoriting, or disapproving posts. ** These rate limits all have burst factors high enough that they shouldn't affect normal, non-automated users. * Raise the default write rate limit for Gold users from 2 per second to 4 per second, for all other actions not listed above. * Raise the default burst factor to 200 for all other actions not listed above. Before it was 10 for Members, 30 for Gold, and 60 for Platinum.
2021-03-05 04:50:37 -06:00
parent 4492610dfe
commit 413cd34c45
15 changed files with 55 additions and 49 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -8,7 +8,7 @@ class ApplicationController < ActionController::Base
  before_action :reset_current_user
  before_action :set_current_user
  before_action :normalize_search
-  before_action :api_check
+  before_action :check_rate_limit
  before_action :ip_ban_check
  before_action :set_variant
  before_action :add_headers
@@ -69,18 +69,12 @@ class ApplicationController < ActionController::Base
    response.headers["X-Git-Hash"] = Rails.application.config.x.git_hash
  end
-  def api_check
+  def check_rate_limit
-    return if CurrentUser.is_anonymous? || request.get? || request.head?
+    return if request.get? || request.head?
    rate_limiter = RateLimiter.new(
      "write",
      [CurrentUser.user.cache_key],
      cost: 1,
      rate: CurrentUser.user.api_regen_multiplier,
      burst: CurrentUser.user.api_burst_limit
    )
    rate_limiter = RateLimiter.for_action(controller_name, action_name, CurrentUser.user, CurrentUser.ip_addr)
    headers["X-Rate-Limit"] = rate_limiter.to_json
    rate_limiter.limit!
  end
--- a/app/controllers/comment_votes_controller.rb
+++ b/app/controllers/comment_votes_controller.rb
@@ -1,5 +1,4 @@
 class CommentVotesController < ApplicationController
  skip_before_action :api_check
  respond_to :js, :json, :xml, :html
  def index
--- a/app/controllers/comments_controller.rb
+++ b/app/controllers/comments_controller.rb
@@ -1,7 +1,6 @@
 class CommentsController < ApplicationController
  respond_to :html, :xml, :json, :atom
  respond_to :js, only: [:new, :destroy, :undelete]
  skip_before_action :api_check
  def index
    params[:group_by] ||= "comment" if params[:search].present?
--- a/app/controllers/favorites_controller.rb
+++ b/app/controllers/favorites_controller.rb
@@ -1,6 +1,5 @@
 class FavoritesController < ApplicationController
  respond_to :html, :xml, :json, :js
  skip_before_action :api_check
  rescue_with Favorite::Error, status: 422
  def index
--- a/app/controllers/forum_posts_controller.rb
+++ b/app/controllers/forum_posts_controller.rb
@@ -1,6 +1,5 @@
 class ForumPostsController < ApplicationController
  respond_to :html, :xml, :json, :js
  skip_before_action :api_check
  def new
    @forum_post = authorize ForumPost.new_reply(params)
--- a/app/controllers/forum_topics_controller.rb
+++ b/app/controllers/forum_topics_controller.rb
@@ -2,7 +2,6 @@ class ForumTopicsController < ApplicationController
  respond_to :html, :xml, :json
  respond_to :atom, only: [:index, :show]
  before_action :normalize_search, :only => :index
  skip_before_action :api_check
  def new
    @forum_topic = authorize ForumTopic.new
--- a/app/controllers/moderator/post/posts_controller.rb
+++ b/app/controllers/moderator/post/posts_controller.rb
@@ -1,7 +1,6 @@
 module Moderator
  module Post
    class PostsController < ApplicationController
      skip_before_action :api_check
      respond_to :html, :json, :xml, :js
      def confirm_move_favorites
--- a/app/controllers/post_disapprovals_controller.rb
+++ b/app/controllers/post_disapprovals_controller.rb
@@ -1,5 +1,4 @@
 class PostDisapprovalsController < ApplicationController
  skip_before_action :api_check
  respond_to :js, :html, :json, :xml
  def create
--- a/app/controllers/post_votes_controller.rb
+++ b/app/controllers/post_votes_controller.rb
@@ -1,5 +1,4 @@
 class PostVotesController < ApplicationController
  skip_before_action :api_check
  respond_to :js, :json, :xml, :html
  def index
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -1,6 +1,5 @@
 class UsersController < ApplicationController
  respond_to :html, :xml, :json
  skip_before_action :api_check
  def new
    @user = authorize User.new
--- a/app/logical/rate_limiter.rb
+++ b/app/logical/rate_limiter.rb
@@ -11,6 +11,28 @@ class RateLimiter
    @burst = burst
  end
  def self.for_action(controller_name, action_name, user, ip_addr)
    action = "#{controller_name}:#{action_name}"
    keys = [(user.cache_key unless user.is_anonymous?), "ip/#{ip_addr.to_s}"].compact
    case action
    when "users:create"
      rate, burst = 1.0/5.minutes, 10
    when "emails:update", "sessions:create", "moderation_reports:create"
      rate, burst = 1.0/1.minute, 10
    when "dmails:create", "comments:create", "forum_posts:create", "forum_topics:create"
      rate, burst = 1.0/1.minute, 50
    when "comment_votes:create", "comment_votes:destroy", "post_votes:create",
         "post_votes:destroy", "favorites:create", "favorites:destroy", "post_disapprovals:create"
      rate, burst = 1.0/1.second, 200
    else
      rate = user.api_regen_multiplier
      burst = 200
    end
    RateLimiter.new(action, keys, rate: rate, burst: burst)
  end
  def limit!
    raise RateLimitError if limited?
  end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -464,26 +464,12 @@ class User < ApplicationRecord
      # regen this amount per second
      def api_regen_multiplier(level)
-        if level >= User::Levels::PLATINUM
+        if level >= User::Levels::GOLD
          4
        elsif level == User::Levels::GOLD
          2
        else
          1
        end
      end
      # can make this many api calls at once before being bound by
      # api_regen_multiplier refilling your pool
      def api_burst_limit(level)
        if level >= User::Levels::PLATINUM
          60
        elsif level == User::Levels::GOLD
          30
        else
          10
        end
      end
    end
    def max_saved_searches
@@ -534,10 +520,6 @@ class User < ApplicationRecord
      User.api_regen_multiplier(level)
    end
    def api_burst_limit
      User.api_burst_limit(level)
    end
    def statement_timeout
      User.statement_timeout(level)
    end
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -61,10 +61,8 @@ class UserPolicy < ApplicationPolicy
        updated_at last_logged_in_at last_forum_read_at
        comment_threshold default_image_size
        favorite_tags blacklisted_tags time_zone per_page
-        custom_style favorite_count api_regen_multiplier
+        custom_style favorite_count statement_timeout favorite_group_limit
-        api_burst_limit statement_timeout
+        favorite_limit tag_query_limit max_saved_searches theme
        favorite_group_limit favorite_limit tag_query_limit
        max_saved_searches theme
      ]
    end
--- a/test/functional/sessions_controller_test.rb
+++ b/test/functional/sessions_controller_test.rb
@@ -72,6 +72,31 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
        assert_equal(0, @ip_ban.reload.hit_count)
        assert_nil(@ip_ban.last_hit_at)
      end
      should "rate limit logins to 10 per minute per IP" do
        freeze_time
        11.times do
          post session_path, params: { name: @user.name, password: "password" }, headers: { REMOTE_ADDR: "1.2.3.4" }
          assert_redirected_to posts_path
          assert_equal(@user.id, session[:user_id])
          delete_auth session_path, @user
        end
        post session_path, params: { name: @user.name, password: "password" }, headers: { REMOTE_ADDR: "1.2.3.4" }
        assert_response 429
        assert_not_equal(@user.id, session[:user_id])
        travel 59.seconds
        post session_path, params: { name: @user.name, password: "password" }, headers: { REMOTE_ADDR: "1.2.3.4" }
        assert_response 429
        assert_not_equal(@user.id, session[:user_id])
        travel 10.seconds
        post session_path, params: { name: @user.name, password: "password" }, headers: { REMOTE_ADDR: "1.2.3.4" }
        assert_redirected_to posts_path
        assert_equal(@user.id, session[:user_id])
      end
    end
    context "destroy action" do
--- a/test/unit/api_key_test.rb
+++ b/test/unit/api_key_test.rb
@@ -48,11 +48,5 @@ class ApiKeyTest < ActiveSupport::TestCase
    should "not authenticate with the wrong name" do
      assert_equal(false, create(:user).authenticate_api_key(@api_key.key))
    end
    should "have the same limits whether or not they have an api key" do
      assert_no_difference(["@user.reload.api_regen_multiplier", "@user.reload.api_burst_limit"]) do
        @api_key.destroy
      end
    end
  end
 end