Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Rack::Attack #526

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions Gemfile
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,8 @@ gem "fake_email_validator"

gem "jwt", "~> 2.4"

gem "rack-attack"

group :development do
gem "binding_of_caller"
gem "byebug"
Expand Down
3 changes: 3 additions & 0 deletions Gemfile.lock
Original file line number Diff line number Diff line change
Expand Up @@ -350,6 +350,8 @@ GEM
questiongenerator (1.0.0)
racc (1.6.0)
rack (2.2.4)
rack-attack (6.6.1)
rack (>= 1.0, < 3)
rack-protection (2.2.0)
rack
rack-proxy (0.7.2)
Expand Down Expand Up @@ -610,6 +612,7 @@ DEPENDENCIES
poltergeist
puma
questiongenerator (~> 1.0)
rack-attack
rails (~> 6.1)
rails-controller-testing
rails-i18n (~> 6.0)
Expand Down
2 changes: 2 additions & 0 deletions config/application.rb
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,8 @@ class Application < Rails::Application
# Use Sidekiq for background jobs
config.active_job.queue_adapter = :sidekiq

config.middleware.use Rack::Attack

config.i18n.default_locale = "en"
config.i18n.fallbacks = [I18n.default_locale]
config.i18n.enforce_available_locales = false
Expand Down
25 changes: 25 additions & 0 deletions config/initializers/rack_attack.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
# frozen_string_literal: true

class Rack::Attack
class Request < ::Rack::Request
def authenticated_user_id
@env.dig("rack.session", "warden.user.user.key", 0, 0)
end

def unauthenticated?
!authenticated_user_id
end

def remote_ip
@remote_ip ||= (@env["action_dispatch.remote_ip"] || ip).to_s
end
end

throttle("throttle_unauthenticated_asking", limit: 3, period: 1.minutes) do |req|
req.remote_ip if req.path == "/ajax/ask" && req.unauthenticated?
end

throttle("throttle_authenticated_asking", limit: 30, period: 15.minutes) do |req|
req.authenticated_user_id if req.path == "/ajax/ask" && !req.unauthenticated?
end
end
73 changes: 73 additions & 0 deletions spec/requests/rack_attack_spec.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
# frozen_string_literal: true

require "rails_helper"

RSpec.describe "Rack::Attack", type: :request do
include ActiveSupport::Testing::TimeHelpers
include Warden::Test::Helpers

before(:each) do
Rack::Attack.enabled = true
Rack::Attack.reset!
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[Correctable] Layout/TrailingWhitespace: Trailing whitespace detected.

end

describe "throttle_unauthenticated_asking" do
it "should throttle unauthenticated users" do
3.times do
post "/ajax/ask"
expect(response.status).to eq(200)
end

post "/ajax/ask"
expect(response.status).to eq(429)
end

it "should unthrottle after the given period" do
3.times do
post "/ajax/ask"
expect(response.status).to eq(200)
end

post "/ajax/ask"
expect(response.status).to eq(429)

travel_to(5.minutes.from_now) do
post "/ajax/ask"
expect(response.status).to eq(200)
end
end
end

describe "throttle_authenticated_asking" do
let (:user) { FactoryBot.create(:user) }
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[Correctable] Lint/ParenthesesAsGroupedExpression: (...) interpreted as grouped expression.


it "should throttle authenticated users" do
login_as user, scope: :user

30.times do
post "/ajax/ask"
expect(response.status).to eq(200)
end

post "/ajax/ask"
expect(response.status).to eq(429)
end

it "should unthrottle after the given period" do
login_as user, scope: :user

30.times do
post "/ajax/ask"
expect(response.status).to eq(200)
end

post "/ajax/ask"
expect(response.status).to eq(429)

travel_to(20.minutes.from_now) do
post "/ajax/ask"
expect(response.status).to eq(200)
end
end
end
end