FIX: Delete the invalid auth cookie even if you hit the rate limit

This commit is contained in:
Robin Ward
2018-02-09 19:09:54 -05:00
parent 2faa4c2f5f
commit 569e57f0a9
4 changed files with 27 additions and 6 deletions


@ -159,6 +159,10 @@ class ApplicationController < ActionController::Base
end end
rescue_from Discourse::InvalidAccess do |e| rescue_from Discourse::InvalidAccess do |e|
if e.opts[:delete_cookie].present?
cookies.delete(e.opts[:delete_cookie])
end
rescue_discourse_actions( rescue_discourse_actions(
:invalid_access, :invalid_access,
403, 403,


@ -48,7 +48,7 @@ class Auth::DefaultCurrentUserProvider
if auth_token && auth_token.length == 32 if auth_token && auth_token.length == 32
limiter = RateLimiter.new(nil, "cookie_auth_#{request.ip}", COOKIE_ATTEMPTS_PER_MIN , 60) limiter = RateLimiter.new(nil, "cookie_auth_#{request.ip}", COOKIE_ATTEMPTS_PER_MIN , 60)
if request.ip == "127.0.0.1" || request.ip == "::1" || limiter.can_perform? if limiter.can_perform?
@user_token = UserAuthToken.lookup(auth_token, @user_token = UserAuthToken.lookup(auth_token,
seen: true, seen: true,
user_agent: @env['HTTP_USER_AGENT'], user_agent: @env['HTTP_USER_AGENT'],
@ -62,7 +62,11 @@ class Auth::DefaultCurrentUserProvider
begin begin
limiter.performed! limiter.performed!
rescue RateLimiter::LimitExceeded rescue RateLimiter::LimitExceeded
raise Discourse::InvalidAccess raise Discourse::InvalidAccess.new(
'Invalid Access',
nil,
delete_cookie: TOKEN_COOKIE
)
end end
end end
end end
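Review bot: The `delete_cookie: TOKEN_COOKIE` passed to `Discourse::InvalidAccess.new(` in the `rescue RateLimiter::LimitExceeded` branch drops the cookie without the token ever having been checked: once `limiter.can_perform?` is false the `UserAuthToken.lookup` branch above is skipped, so at this point the code cannot tell an invalid token from a valid one. Because the limiter is keyed on `request.ip` alone (`"cookie_auth_#{request.ip}"`), a valid session behind a shared address (NAT, or a proxy setup where `request.ip` is the proxy's own address) is effectively logged out on that client once the per-address bucket is exhausted by other traffic, rather than merely denied for a minute; the loopback exemption removed in the first hunk (assuming the longer condition is the old side) extends that to the mis-configured-proxy case. If that trade-off is intended, record it at the raise site, e.g. `# limited before lookup: the token may still be valid, but drop it so a stale cookie stops re-tripping the limit`; otherwise consider keying the limiter on a digest of the token as well as the IP so unrelated sessions are not swept up. Any `current_user`-based wrapper around this `begin` block lies outside the hunk.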


@ -64,12 +64,12 @@ module Discourse
# When they don't have permission to do something # When they don't have permission to do something
class InvalidAccess < StandardError class InvalidAccess < StandardError
attr_reader :obj, :custom_message attr_reader :obj, :custom_message, :opts
def initialize(msg = nil, obj = nil, opts = nil) def initialize(msg = nil, obj = nil, opts = nil)
super(msg) super(msg)
opts ||= {} @opts = opts || {}
@custom_message = opts[:custom_message] if opts[:custom_message] @custom_message = opts[:custom_message] if @opts[:custom_message]
@obj = obj @obj = obj
end end
end end
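Review bot: The `:opts` reader added to `attr_reader` makes the options hash part of InvalidAccess's public contract, but nothing in the class says which keys callers may rely on; the only evidence is split between `@opts[:custom_message]` here and the `e.opts[:delete_cookie]` handler in ApplicationController. A comment above the reader would keep the two in step, e.g. `# opts: Hash of optional extras; :custom_message is exposed via custom_message, :delete_cookie names a cookie the rescue_from handler in ApplicationController removes`. Related style nit: now that `@opts` is always a Hash, the guarded assignment can drop its modifier (`@custom_message = @opts[:custom_message]`), which is equivalent for the reader.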


@ -2,16 +2,29 @@
require 'rails_helper' require 'rails_helper'
describe 'admin rate limit' do describe 'rate limiter integration' do
before do before do
RateLimiter.enable RateLimiter.enable
RateLimiter.clear_all!
end end
after do after do
RateLimiter.disable RateLimiter.disable
end end
it "will clear the token cookie if invalid" do
name = Auth::DefaultCurrentUserProvider::TOKEN_COOKIE
# we try 11 times because the rate limit is 10
11.times {
cookies[name] = SecureRandom.hex
get '/categories.json'
expect(response.cookies.has_key?(name)).to eq(true)
expect(response.cookies[name]).to be_nil
}
end
it 'can cleanly limit requests' do it 'can cleanly limit requests' do
#request.set_header("action_dispatch.show_exceptions", true) #request.set_header("action_dispatch.show_exceptions", true)