From cba51e1c38fa66ba0acb85ec6d437a65553c8f6e Mon Sep 17 00:00:00 2001 From: Arpit Jalan Date: Tue, 21 Feb 2017 22:53:35 +0530 Subject: [PATCH] FEATURE: new site setting for max logins per ip per hour/minute --- app/controllers/session_controller.rb | 4 ++-- config/locales/server.en.yml | 5 ++++- config/site_settings.yml | 8 ++++++++ spec/controllers/session_controller_spec.rb | 17 +++++++++++++++++ 4 files changed, 31 insertions(+), 3 deletions(-) diff --git a/app/controllers/session_controller.rb b/app/controllers/session_controller.rb index 7ac3749f46b..0a18b3c539a 100644 --- a/app/controllers/session_controller.rb +++ b/app/controllers/session_controller.rb @@ -158,8 +158,8 @@ class SessionController < ApplicationController return end - RateLimiter.new(nil, "login-hr-#{request.remote_ip}", 30, 1.hour).performed! - RateLimiter.new(nil, "login-min-#{request.remote_ip}", 6, 1.minute).performed! + RateLimiter.new(nil, "login-hr-#{request.remote_ip}", SiteSetting.max_logins_per_ip_per_hour, 1.hour).performed! + RateLimiter.new(nil, "login-min-#{request.remote_ip}", SiteSetting.max_logins_per_ip_per_minute, 1.minute).performed! params.require(:login) params.require(:password) diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml index 2bdfb97f356..7b4d19b764e 100644 --- a/config/locales/server.en.yml +++ b/config/locales/server.en.yml 
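Review bot: The two `RateLimiter` calls now read admin-tunable thresholds, but nothing at the call site says that every attempt, successful or not, is charged to both windows, which follows from both `performed!` calls sitting before `params.require(:login)` and the credential check; a comment such as `# Every login attempt (valid or not) is charged to both per-IP windows; thresholds are site settings` above the first call would make that explicit for whoever tunes the settings. Because the hourly limiter is charged before the per-minute one, a burst that the minute limit rejects still consumes hourly budget, which is pre-existing behaviour but now interacts with two independently configurable values. The bucket key is `request.remote_ip` alone, so behind a reverse proxy that Rails does not trust all clients may share one bucket; the proxy configuration is not visible from this hunk. `create` continues outside the hunk.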
@@ -1121,6 +1121,9 @@ en: max_invites_per_day: "Maximum number of invites a user can send per day." max_topic_invitations_per_day: "Maximum number of topic invitations a user can send per day." + max_logins_per_ip_per_hour: "Maximum number of logins allowed per IP address per hour" + max_logins_per_ip_per_minute: "Maximum number of logins allowed per IP address per minute" + alert_admins_if_errors_per_minute: "Number of errors per minute in order to trigger an admin alert. A value of 0 disables this feature. NOTE: requires restart." alert_admins_if_errors_per_hour: "Number of errors per hour in order to trigger an admin alert. A value of 0 disables this feature. NOTE: requires restart." @@ -1423,7 +1426,7 @@ en: delete_drafts_older_than_n_days: Delete drafts older than (n) days. bootstrap_mode_min_users: "Minimum number of users required to disable bootstrap mode (set to 0 to disable)" - + prevent_anons_from_downloading_files: "Prevent anonymous users from downloading attachments. WARNING: this will prevent any non-image site assets posted as attachments from working." slug_generation_method: "Choose a slug generation method. 'encoded' will generate percent encoding string. 'none' will disable slug at all." diff --git a/config/site_settings.yml b/config/site_settings.yml index bdca54abe27..2ea8839d5af 100644 --- a/config/site_settings.yml +++ b/config/site_settings.yml @@ -983,6 +983,14 @@ rate_limits: max_prints_per_hour_per_user: default: 5 client: true + max_logins_per_ip_per_hour: + min: 1 + max: 20000 + default: 30 + max_logins_per_ip_per_minute: + min: 1 + max: 20000 + default: 6 developer: force_hostname: diff --git a/spec/controllers/session_controller_spec.rb b/spec/controllers/session_controller_spec.rb index 2f0cbee330e..5645eca8221 100644 --- a/spec/controllers/session_controller_spec.rb +++ b/spec/controllers/session_controller_spec.rb 
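Review bot: `max: 20000` on both new rate_limits entries lets an admin raise the per-minute login limit far above any value that still slows credential stuffing, and nothing relates the two settings, so a `max_logins_per_ip_per_minute` larger than `max_logins_per_ip_per_hour` makes the minute window unreachable because the hourly limiter in SessionController is charged first. Consider a tighter ceiling on the per-minute entry (the previous hard-coded value was 6), e.g. `max: 1000`, or at least a description that the minute limit should stay below the hourly one. Whether the settings layer supports cross-setting validation is not visible here.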
@@ -659,6 +659,23 @@ describe SessionController do end end end + + context 'rate limited' do + it 'rate limits login' do + SiteSetting.max_logins_per_ip_per_hour = 2 + RateLimiter.stubs(:disabled?).returns(false) + RateLimiter.clear_all! + + 2.times do + xhr :post, :create, login: user.username, password: 'myawesomepassword' + expect(response).to be_success + end + xhr :post, :create, login: user.username, password: 'myawesomepassword' + expect(response).not_to be_success + json = JSON.parse(response.body) + expect(json["error_type"]).to eq("rate_limit") + end + end end describe '.destroy' do
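Review bot: Only the hourly limit is exercised here; the new `max_logins_per_ip_per_minute` setting has no coverage, and because the hourly `performed!` runs first in `SessionController#create`, a minute-window example must keep the hourly limit above the minute one or it ends up testing the wrong limiter. The example also sends only valid credentials, so it does not show that failed attempts are charged as well, which they appear to be since the limiters run before the credential check. A sibling example along the lines below would cover the second setting; the enclosing `describe` starts outside the hunk.
```ruby
it 'rate limits login per minute' do
  # hourly limit kept high so the per-minute limiter is the one that fires
  SiteSetting.max_logins_per_ip_per_hour = 100
  SiteSetting.max_logins_per_ip_per_minute = 1
  RateLimiter.stubs(:disabled?).returns(false)
  RateLimiter.clear_all!

  xhr :post, :create, login: user.username, password: 'myawesomepassword'
  expect(response).to be_success
  xhr :post, :create, login: user.username, password: 'wrongpassword'
  expect(response).not_to be_success
  expect(JSON.parse(response.body)["error_type"]).to eq("rate_limit")
end
```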