FEATURE: rate limit anon searches per second (#19708)

2025-05-28 13:51:18 +08:00 · 2023-01-28 05:05:27 +11:00
parent 5f90790110
commit 2c8dfc3dbc
9 changed files with 208 additions and 78 deletions
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@ -29,8 +29,6 @@ class SearchController < ApplicationController
    # check for a malformed page parameter
    raise Discourse::InvalidParameters if page && (!page.is_a?(String) || page.to_i.to_s != page)

-    rate_limit_errors = rate_limit_search
-
    discourse_expires_in 1.minute

    search_args = {
@ -50,15 +48,11 @@ class SearchController < ApplicationController
    search_args[:ip_address] = request.remote_ip
    search_args[:user_id] = current_user.id if current_user.present?

-    if rate_limit_errors
-      result =
-        Search::GroupedSearchResults.new(
-          type_filter: search_args[:type_filter],
-          term: @search_term,
-          search_context: context,
-        )
-
-      result.error = I18n.t("rate_limiter.slow_down")
+    if rate_limit_search
+      return(
+        render json: failed_json.merge(message: I18n.t("rate_limiter.slow_down")),
+               status: :too_many_requests
+      )
    elsif site_overloaded?
      result =
        Search::GroupedSearchResults.new(
@ -89,8 +83,6 @@ class SearchController < ApplicationController
      raise Discourse::InvalidParameters.new("string contains null byte")
    end

-    rate_limit_errors = rate_limit_search
-
    discourse_expires_in 1.minute

    search_args = { guardian: guardian }
@ -112,15 +104,11 @@ class SearchController < ApplicationController
      :restrict_to_archetype
    ].present?

-    if rate_limit_errors
-      result =
-        Search::GroupedSearchResults.new(
-          type_filter: search_args[:type_filter],
-          term: params[:term],
-          search_context: context,
-        )
-
-      result.error = I18n.t("rate_limiter.slow_down")
+    if rate_limit_search
+      return(
+        render json: failed_json.merge(message: I18n.t("rate_limiter.slow_down")),
+               status: :too_many_requests
+      )
    elsif site_overloaded?
      result =
        GroupedSearchResults.new(
@ -188,14 +176,26 @@ class SearchController < ApplicationController
      else
        RateLimiter.new(
          nil,
-          "search-min-#{request.remote_ip}",
-          SiteSetting.rate_limit_search_anon_user,
+          "search-min-#{request.remote_ip}-per-sec",
+          SiteSetting.rate_limit_search_anon_user_per_second,
+          1.second,
+        ).performed!
+        RateLimiter.new(
+          nil,
+          "search-min-#{request.remote_ip}-per-min",
+          SiteSetting.rate_limit_search_anon_user_per_minute,
          1.minute,
        ).performed!
        RateLimiter.new(
          nil,
-          "search-min-anon-global",
-          SiteSetting.rate_limit_search_anon_global,
+          "search-min-anon-global-per-sec",
+          SiteSetting.rate_limit_search_anon_global_per_second,
+          1.second,
+        ).performed!
+        RateLimiter.new(
+          nil,
+          "search-min-anon-global-per-min",
+          SiteSetting.rate_limit_search_anon_global_per_minute,
          1.minute,
        ).performed!
      end