FIX: Update global rate limiter keys/messages to clarify user vs ip (#25264)

2025-05-25 00:32:52 +08:00 · 2024-01-15 19:54:50 +00:00
parent 59c2407e18
commit a562214f56
2 changed files with 31 additions and 21 deletions
--- a/lib/middleware/request_tracker.rb
+++ b/lib/middleware/request_tracker.rb
@ -211,9 +211,9 @@ class Middleware::RequestTracker

    cookie = find_auth_cookie(env)
    if error_details = rate_limit(request, cookie)
-      available_in, error_code = error_details
+      available_in, error_code, limit_on_id = error_details
      message = <<~TEXT
-        Slow down, too many requests from this IP address.
+        Slow down, too many requests from this #{limit_on_id ? "user" : "IP address"}.
        Please retry again in #{available_in} seconds.
        Error code: #{error_code}.
      TEXT
@ -329,7 +329,7 @@ class Middleware::RequestTracker
    limiter10 =
      RateLimiter.new(
        nil,
-        "global_ip_limit_10_#{ip_or_id}",
+        "global_limit_10_#{ip_or_id}",
        GlobalSetting.max_reqs_per_ip_per_10_seconds,
        10,
        global: !limit_on_id,
@ -340,7 +340,7 @@ class Middleware::RequestTracker
    limiter60 =
      RateLimiter.new(
        nil,
-        "global_ip_limit_60_#{ip_or_id}",
+        "global_limit_60_#{ip_or_id}",
        GlobalSetting.max_reqs_per_ip_per_minute,
        60,
        global: !limit_on_id,
@ -351,7 +351,7 @@ class Middleware::RequestTracker
    limiter_assets10 =
      RateLimiter.new(
        nil,
-        "global_ip_limit_10_assets_#{ip_or_id}",
+        "global_limit_10_assets_#{ip_or_id}",
        GlobalSetting.max_asset_reqs_per_ip_per_10_seconds,
        10,
        error_code: limit_on_id ? "id_assets_10_secs_limit" : "ip_assets_10_secs_limit",
@ -363,13 +363,20 @@ class Middleware::RequestTracker

    if !limiter_assets10.can_perform?
      if warn
+        limited_on = limit_on_id ? "user_id" : "ip"
        Discourse.warn(
-          "Global asset IP rate limit exceeded for #{ip}: 10 second rate limit",
+          "Global asset rate limit exceeded for #{limited_on}: #{ip}: 10 second rate limit",
          uri: request.env["REQUEST_URI"],
        )
      end

-      return limiter_assets10.seconds_to_wait(Time.now.to_i), limiter_assets10.error_code if block
+      if block
+        return [
+          limiter_assets10.seconds_to_wait(Time.now.to_i),
+          limiter_assets10.error_code,
+          limit_on_id
+        ]
+      end
    end

    begin
@ -382,13 +389,14 @@ class Middleware::RequestTracker
      nil
    rescue RateLimiter::LimitExceeded => e
      if warn
+        limited_on = limit_on_id ? "user_id" : "ip"
        Discourse.warn(
-          "Global IP rate limit exceeded for #{ip}: #{type} second rate limit",
+          "Global rate limit exceeded for #{limited_on}: #{ip}: #{type} second rate limit",
          uri: request.env["REQUEST_URI"],
        )
      end
      if block
-        [e.available_in, e.error_code]
+        [e.available_in, e.error_code, limit_on_id]
      else
        nil
      end