Merge branch '1260-rate-limited-auth-actions' into 'develop'
[#1260] Rate-limiting for create authentication and related requests Closes #1260 See merge request pleroma/pleroma!1681
This commit is contained in:
commit
15592f1abe
|
@ -14,6 +14,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
|||
- Mastodon API: Add `upload_limit`, `avatar_upload_limit`, `background_upload_limit`, and `banner_upload_limit` to `/api/v1/instance`
|
||||
- Mastodon API: Add `pleroma.unread_conversation_count` to the Account entity
|
||||
- OAuth: support for hierarchical permissions / [Mastodon 2.4.3 OAuth permissions](https://docs.joinmastodon.org/api/permissions/)
|
||||
- Authentication: Added rate limit for password-authorized actions / login existence checks
|
||||
|
||||
### Changed
|
||||
- **Breaking:** Elixir >=1.8 is now required (was >= 1.7)
|
||||
|
|
|
@ -588,7 +588,7 @@
|
|||
config :http_signatures,
|
||||
adapter: Pleroma.Signature
|
||||
|
||||
config :pleroma, :rate_limit, nil
|
||||
config :pleroma, :rate_limit, authentication: {60_000, 15}
|
||||
|
||||
config :pleroma, Pleroma.ActivityExpiration, enabled: true
|
||||
|
||||
|
|
|
@ -2290,7 +2290,8 @@
|
|||
group: :pleroma,
|
||||
key: :rate_limit,
|
||||
type: :group,
|
||||
description: "Rate limit settings. This is an advanced feature and disabled by default.",
|
||||
description:
|
||||
"Rate limit settings. This is an advanced feature enabled only for :authentication by default.",
|
||||
children: [
|
||||
%{
|
||||
key: :search,
|
||||
|
@ -2329,6 +2330,12 @@
|
|||
description:
|
||||
"for fav / unfav or reblog / unreblog actions on the same status by the same user",
|
||||
suggestions: [{1000, 10}, [{10_000, 10}, {10_000, 50}]]
|
||||
},
|
||||
%{
|
||||
key: :authentication,
|
||||
type: [:tuple, {:list, :tuple}],
|
||||
description: "for authentication create / password check / user existence check requests",
|
||||
suggestions: [{60_000, 15}]
|
||||
}
|
||||
]
|
||||
},
|
||||
|
|
|
@ -4,10 +4,15 @@
|
|||
|
||||
defmodule Pleroma.Web.MongooseIM.MongooseIMController do
|
||||
use Pleroma.Web, :controller
|
||||
|
||||
alias Comeonin.Pbkdf2
|
||||
alias Pleroma.Plugs.RateLimiter
|
||||
alias Pleroma.Repo
|
||||
alias Pleroma.User
|
||||
|
||||
plug(RateLimiter, :authentication when action in [:user_exists, :check_password])
|
||||
plug(RateLimiter, {:authentication, params: ["user"]} when action == :check_password)
|
||||
|
||||
def user_exists(conn, %{"user" => username}) do
|
||||
with %User{} <- Repo.get_by(User, nickname: username, local: true) do
|
||||
conn
|
||||
|
|
|
@ -24,6 +24,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
|
|||
|
||||
plug(:fetch_session)
|
||||
plug(:fetch_flash)
|
||||
plug(Pleroma.Plugs.RateLimiter, :authentication when action == :create_authorization)
|
||||
|
||||
action_fallback(Pleroma.Web.OAuth.FallbackController)
|
||||
|
||||
|
|
Loading…
Reference in a new issue