glitch-social/config/initializers/rack_attack.rb

# frozen_string_literal: true

require 'doorkeeper/grape/authorization_decorator'

class Rack::Attack
  class Request
    def authenticated_token
      return @authenticated_token if defined?(@authenticated_token)

      @authenticated_token = Doorkeeper::OAuth::Token.authenticate(
        Doorkeeper::Grape::AuthorizationDecorator.new(self),
        *Doorkeeper.configuration.access_token_methods
      )
    end

    def remote_ip
      @remote_ip ||= (@env["action_dispatch.remote_ip"] || ip).to_s
    end

    def throttleable_remote_ip
      @throttleable_remote_ip ||= begin
        ip = IPAddr.new(remote_ip)

        if ip.ipv6?
          ip.mask(64)
        else
          ip
        end
      end.to_s
    end

    def authenticated_user_id
      authenticated_token&.resource_owner_id
    end

    def authenticated_token_id
      authenticated_token&.id
    end

    def unauthenticated?
      !authenticated_user_id
    end

    def api_request?
      path.start_with?('/api')
    end

    def path_matches?(other_path)
      /\A#{Regexp.escape(other_path)}(\..*)?\z/ =~ path
    end

    def web_request?
      !api_request?
    end

    def paging_request?
      params['page'].present? || params['min_id'].present? || params['max_id'].present? || params['since_id'].present?
    end
  end

  Rack::Attack.safelist('allow from localhost') do |req|
    req.remote_ip == '127.0.0.1' || req.remote_ip == '::1'
  end

  Rack::Attack.blocklist('deny from blocklist') do |req|
    IpBlock.blocked?(req.remote_ip)
  end

  throttle('throttle_authenticated_api', limit: 1_500, period: 5.minutes) do |req|
    req.authenticated_user_id if req.api_request?
  end

  throttle('throttle_per_token_api', limit: 300, period: 5.minutes) do |req|
    req.authenticated_token_id if req.api_request?
  end

  throttle('throttle_unauthenticated_api', limit: 300, period: 5.minutes) do |req|
    req.throttleable_remote_ip if req.api_request? && req.unauthenticated?
  end

  throttle('throttle_api_media', limit: 30, period: 30.minutes) do |req|
    req.authenticated_user_id if req.post? && req.path.match?(%r{\A/api/v\d+/media\z}i)
  end

  throttle('throttle_media_proxy', limit: 30, period: 10.minutes) do |req|
    req.throttleable_remote_ip if req.path.start_with?('/media_proxy')
  end

  throttle('throttle_api_sign_up', limit: 5, period: 30.minutes) do |req|
    req.throttleable_remote_ip if req.post? && req.path == '/api/v1/accounts'
  end

  throttle('throttle_authenticated_paging', limit: 300, period: 15.minutes) do |req|
    req.authenticated_user_id if req.paging_request?
  end

  throttle('throttle_unauthenticated_paging', limit: 300, period: 15.minutes) do |req|
    req.throttleable_remote_ip if req.paging_request? && req.unauthenticated?
  end

  API_DELETE_REBLOG_REGEX = %r{\A/api/v1/statuses/\d+/unreblog\z}
  API_DELETE_STATUS_REGEX = %r{\A/api/v1/statuses/\d+\z}

  throttle('throttle_api_delete', limit: 30, period: 30.minutes) do |req|
    req.authenticated_user_id if (req.post? && req.path.match?(API_DELETE_REBLOG_REGEX)) || (req.delete? && req.path.match?(API_DELETE_STATUS_REGEX))
  end

  throttle('throttle_sign_up_attempts/ip', limit: 25, period: 5.minutes) do |req|
    req.throttleable_remote_ip if req.post? && req.path_matches?('/auth')
  end

  throttle('throttle_password_resets/ip', limit: 25, period: 5.minutes) do |req|
    req.throttleable_remote_ip if req.post? && req.path_matches?('/auth/password')
  end

  throttle('throttle_password_resets/email', limit: 5, period: 30.minutes) do |req|
    req.params.dig('user', 'email').presence if req.post? && req.path_matches?('/auth/password')
  end

  throttle('throttle_email_confirmations/ip', limit: 25, period: 5.minutes) do |req|
    req.throttleable_remote_ip if req.post? && (req.path_matches?('/auth/confirmation') || req.path == '/api/v1/emails/confirmations')
  end

  throttle('throttle_email_confirmations/email', limit: 5, period: 30.minutes) do |req|
    if req.post? && req.path_matches?('/auth/password')
      req.params.dig('user', 'email').presence
    elsif req.post? && req.path == '/api/v1/emails/confirmations'
      req.authenticated_user_id
    end
  end

  throttle('throttle_login_attempts/ip', limit: 25, period: 5.minutes) do |req|
    req.throttleable_remote_ip if req.post? && req.path_matches?('/auth/sign_in')
  end

  throttle('throttle_login_attempts/email', limit: 25, period: 1.hour) do |req|
    req.session[:attempt_user_id] || req.params.dig('user', 'email').presence if req.post? && req.path_matches?('/auth/sign_in')
  end

  self.throttled_responder = lambda do |request|
    now        = Time.now.utc
    match_data = request.env['rack.attack.match_data']

    headers = {
      'Content-Type' => 'application/json',
      'X-RateLimit-Limit' => match_data[:limit].to_s,
      'X-RateLimit-Remaining' => '0',
      'X-RateLimit-Reset' => (now + (match_data[:period] - (now.to_i % match_data[:period]))).iso8601(6),
    }

    [429, headers, [{ error: I18n.t('errors.429') }.to_json]]
  end
end
Add rate limits for logins and sign-ups by IP (5 in 5 minutes) (#2079) * Add rate limits for logins and sign-ups by IP (5 in 5 minutes) Should be enough for normal attempts * Add rate limit for forgotten password form as well 2017-04-18 21:29:14 +01:00			`# frozen_string_literal: true`

Missing require 'authorization_decorator'. (#5947) 2017-12-09 14:12:10 +00:00			`require 'doorkeeper/grape/authorization_decorator'`

Adding letter opener for development and Rack::Attack for future rate limiting implementations 2016-03-19 13:57:30 +00:00			`class Rack::Attack`
Rate limit by user instead of IP when API user is authenticated (#5923) * Fix #668 - Rate limit by user instead of IP when API user is authenticated * Fix code style issue * Use request decorator provided by Doorkeeper 2017-12-09 13:20:02 +00:00			`class Request`
			`def authenticated_token`
Fix `Naming/MemoizedInstanceVariableName` cop (#25928) 2023-07-12 09:08:51 +01:00			`return @authenticated_token if defined?(@authenticated_token)`
Rate limit by user instead of IP when API user is authenticated (#5923) * Fix #668 - Rate limit by user instead of IP when API user is authenticated * Fix code style issue * Use request decorator provided by Doorkeeper 2017-12-09 13:20:02 +00:00
Fix `Naming/MemoizedInstanceVariableName` cop (#25928) 2023-07-12 09:08:51 +01:00			`@authenticated_token = Doorkeeper::OAuth::Token.authenticate(`
Rate limit by user instead of IP when API user is authenticated (#5923) * Fix #668 - Rate limit by user instead of IP when API user is authenticated * Fix code style issue * Use request decorator provided by Doorkeeper 2017-12-09 13:20:02 +00:00			`Doorkeeper::Grape::AuthorizationDecorator.new(self),`
			`*Doorkeeper.configuration.access_token_methods`
			`)`
			`end`

Improve rate limiting (#10860) * Rate limit based on remote address IP, not on potential reverse proxy * Limit rate of unauthenticated API requests further * Rate-limit paging requests to one every 3 seconds 2019-05-27 20:57:49 +01:00			`def remote_ip`
			`@remote_ip \|\|= (@env["action_dispatch.remote_ip"] \|\| ip).to_s`
			`end`

Fix rate limiting for paths with formats (#20675) 2022-11-14 19:26:31 +00:00			`def throttleable_remote_ip`
			`@throttleable_remote_ip \|\|= begin`
			`ip = IPAddr.new(remote_ip)`

			`if ip.ipv6?`
			`ip.mask(64)`
			`else`
			`ip`
			`end`
			`end.to_s`
			`end`

Rate limit by user instead of IP when API user is authenticated (#5923) * Fix #668 - Rate limit by user instead of IP when API user is authenticated * Fix code style issue * Use request decorator provided by Doorkeeper 2017-12-09 13:20:02 +00:00			`def authenticated_user_id`
			`authenticated_token&.resource_owner_id`
			`end`

Change rate limits to 1,500/5m per user, 300/5m per app (#23347) 2023-02-01 23:07:49 +00:00			`def authenticated_token_id`
			`authenticated_token&.id`
			`end`

Rate limit by user instead of IP when API user is authenticated (#5923) * Fix #668 - Rate limit by user instead of IP when API user is authenticated * Fix code style issue * Use request decorator provided by Doorkeeper 2017-12-09 13:20:02 +00:00			`def unauthenticated?`
			`!authenticated_user_id`
			`end`

			`def api_request?`
			`path.start_with?('/api')`
			`end`

Fix rate limiting for paths with formats (#20675) 2022-11-14 19:26:31 +00:00			`def path_matches?(other_path)`
			`/\A#{Regexp.escape(other_path)}(\..*)?\z/ =~ path`
			`end`

Rate limit by user instead of IP when API user is authenticated (#5923) * Fix #668 - Rate limit by user instead of IP when API user is authenticated * Fix code style issue * Use request decorator provided by Doorkeeper 2017-12-09 13:20:02 +00:00			`def web_request?`
			`!api_request?`
			`end`
Improve rate limiting (#10860) * Rate limit based on remote address IP, not on potential reverse proxy * Limit rate of unauthenticated API requests further * Rate-limit paging requests to one every 3 seconds 2019-05-27 20:57:49 +01:00
			`def paging_request?`
			`params['page'].present? \|\| params['min_id'].present? \|\| params['max_id'].present? \|\| params['since_id'].present?`
			`end`
Rate limit by user instead of IP when API user is authenticated (#5923) * Fix #668 - Rate limit by user instead of IP when API user is authenticated * Fix code style issue * Use request decorator provided by Doorkeeper 2017-12-09 13:20:02 +00:00			`end`

allow localhost to bypass the ratelimit (#2554) 2017-04-29 23:27:49 +01:00			`Rack::Attack.safelist('allow from localhost') do \|req\|`
Improve rate limiting (#10860) * Rate limit based on remote address IP, not on potential reverse proxy * Limit rate of unauthenticated API requests further * Rate-limit paging requests to one every 3 seconds 2019-05-27 20:57:49 +01:00			`req.remote_ip == '127.0.0.1' \|\| req.remote_ip == '::1'`
allow localhost to bypass the ratelimit (#2554) 2017-04-29 23:27:49 +01:00			`end`

Add IP-based rules (#14963) 2020-10-12 15:33:49 +01:00			`Rack::Attack.blocklist('deny from blocklist') do \|req\|`
			`IpBlock.blocked?(req.remote_ip)`
			`end`

Change rate limits to 1,500/5m per user, 300/5m per app (#23347) 2023-02-01 23:07:49 +00:00			`throttle('throttle_authenticated_api', limit: 1_500, period: 5.minutes) do \|req\|`
Add tight rate-limit for API deletions (#10042) Deletions take a lot of resources to execute and cause a lot of federation traffic, so it makes sense to decrease the number someone can queue up through the API. 30 per 30 minutes 2019-02-14 05:27:54 +00:00			`req.authenticated_user_id if req.api_request?`
Add rate limits for logins and sign-ups by IP (5 in 5 minutes) (#2079) * Add rate limits for logins and sign-ups by IP (5 in 5 minutes) Should be enough for normal attempts * Add rate limit for forgotten password form as well 2017-04-18 21:29:14 +01:00			`end`

Change rate limits to 1,500/5m per user, 300/5m per app (#23347) 2023-02-01 23:07:49 +00:00			`throttle('throttle_per_token_api', limit: 300, period: 5.minutes) do \|req\|`
			`req.authenticated_token_id if req.api_request?`
			`end`

Improve rate limiting (#10860) * Rate limit based on remote address IP, not on potential reverse proxy * Limit rate of unauthenticated API requests further * Rate-limit paging requests to one every 3 seconds 2019-05-27 20:57:49 +01:00			`throttle('throttle_unauthenticated_api', limit: 300, period: 5.minutes) do \|req\|`
Fix rate limiting for paths with formats (#20675) 2022-11-14 19:26:31 +00:00			`req.throttleable_remote_ip if req.api_request? && req.unauthenticated?`
Add rate limits for logins and sign-ups by IP (5 in 5 minutes) (#2079) * Add rate limits for logins and sign-ups by IP (5 in 5 minutes) Should be enough for normal attempts * Add rate limit for forgotten password form as well 2017-04-18 21:29:14 +01:00			`end`

Add tight rate-limit for API deletions (#10042) Deletions take a lot of resources to execute and cause a lot of federation traffic, so it makes sense to decrease the number someone can queue up through the API. 30 per 30 minutes 2019-02-14 05:27:54 +00:00			`throttle('throttle_api_media', limit: 30, period: 30.minutes) do \|req\|`
Autofix Rubocop Regex Style rules (#23690) Co-authored-by: Claire <claire.github-309c@sitedethib.com> 2023-06-06 13:50:51 +01:00			`req.authenticated_user_id if req.post? && req.path.match?(%r{\A/api/v\d+/media\z}i)`
Throttle media post (#7337) The previous rate limit allowed to post media so fast that it is possible to fill up the disk space even before an administrator notices. The new rate limit is configured so that it takes 24 hours to eat 10 gigabytes: 10 * 1024 / 8 / (24 * 60 / 30) = 27 (which rounded to 30) The period is set long so that it does not prevent from attaching several media to one post, which would happen in a short period. For example, if the period is 5 minutes, the rate limit would be: 10 * 1024 / 8 / (24 * 60 / 5) = 4 This long period allows to lift the limit up. 2018-05-03 16:32:00 +01:00			`end`

Change rate limit for media proxy (#11814) 2019-09-13 15:02:52 +01:00			`throttle('throttle_media_proxy', limit: 30, period: 10.minutes) do \|req\|`
Fix rate limiting for paths with formats (#20675) 2022-11-14 19:26:31 +00:00			`req.throttleable_remote_ip if req.path.start_with?('/media_proxy')`
Add rate limit for media proxy requests (#10490) 30 per 30 minutes, like media uploads 2019-04-07 03:26:43 +01:00			`end`

Add REST API for creating an account (#9572) * Add REST API for creating an account The method is available to apps with a token obtained via the client credentials grant. It creates a user and account records, as well as an access token for the app that initiated the request. The user is unconfirmed, and an e-mail is sent as usual. The method returns the access token, which the app should save for later. The REST API is not available to users with unconfirmed accounts, so the app must be smart to wait for the user to click a link in their e-mail inbox. The method is rate-limited by IP to 5 requests per 30 minutes. * Redirect users back to app from confirmation if they were created with an app * Add tests * Return 403 on the method if registrations are not open * Require agreement param to be true in the API when creating an account 2018-12-24 18:12:38 +00:00			`throttle('throttle_api_sign_up', limit: 5, period: 30.minutes) do \|req\|`
Fix rate limiting for paths with formats (#20675) 2022-11-14 19:26:31 +00:00			`req.throttleable_remote_ip if req.post? && req.path == '/api/v1/accounts'`
Improve rate limiting (#10860) * Rate limit based on remote address IP, not on potential reverse proxy * Limit rate of unauthenticated API requests further * Rate-limit paging requests to one every 3 seconds 2019-05-27 20:57:49 +01:00			`end`

			`throttle('throttle_authenticated_paging', limit: 300, period: 15.minutes) do \|req\|`
			`req.authenticated_user_id if req.paging_request?`
			`end`

			`throttle('throttle_unauthenticated_paging', limit: 300, period: 15.minutes) do \|req\|`
Fix rate limiting for paths with formats (#20675) 2022-11-14 19:26:31 +00:00			`req.throttleable_remote_ip if req.paging_request? && req.unauthenticated?`
Add REST API for creating an account (#9572) * Add REST API for creating an account The method is available to apps with a token obtained via the client credentials grant. It creates a user and account records, as well as an access token for the app that initiated the request. The user is unconfirmed, and an e-mail is sent as usual. The method returns the access token, which the app should save for later. The REST API is not available to users with unconfirmed accounts, so the app must be smart to wait for the user to click a link in their e-mail inbox. The method is rate-limited by IP to 5 requests per 30 minutes. * Redirect users back to app from confirmation if they were created with an app * Add tests * Return 403 on the method if registrations are not open * Require agreement param to be true in the API when creating an account 2018-12-24 18:12:38 +00:00			`end`

Autofix Rubocop Regex Style rules (#23690) Co-authored-by: Claire <claire.github-309c@sitedethib.com> 2023-06-06 13:50:51 +01:00			`API_DELETE_REBLOG_REGEX = %r{\A/api/v1/statuses/\d+/unreblog\z}`
			`API_DELETE_STATUS_REGEX = %r{\A/api/v1/statuses/\d+\z}`
Add tight rate-limit for API deletions (#10042) Deletions take a lot of resources to execute and cause a lot of federation traffic, so it makes sense to decrease the number someone can queue up through the API. 30 per 30 minutes 2019-02-14 05:27:54 +00:00
			`throttle('throttle_api_delete', limit: 30, period: 30.minutes) do \|req\|`
Optimize some regex matching (#15528) * Use Regex#match? * Replace =~ too * Avoid to call match? from Nil * Keep value of Regexp.last_match 2021-01-22 09:09:08 +00:00			`req.authenticated_user_id if (req.post? && req.path.match?(API_DELETE_REBLOG_REGEX)) \|\| (req.delete? && req.path.match?(API_DELETE_STATUS_REGEX))`
Add tight rate-limit for API deletions (#10042) Deletions take a lot of resources to execute and cause a lot of federation traffic, so it makes sense to decrease the number someone can queue up through the API. 30 per 30 minutes 2019-02-14 05:27:54 +00:00			`end`

Change rate limits for various paths (#14253) - Rate limit login attempts by target account - Rate limit password resets and e-mail re-confirmations by target account - Rate limit sign-up/login attempts, password resets, and e-mail re-confirmations by IP like before 2020-07-07 14:26:39 +01:00			`throttle('throttle_sign_up_attempts/ip', limit: 25, period: 5.minutes) do \|req\|`
Fix rate limiting for paths with formats (#20675) 2022-11-14 19:26:31 +00:00			`req.throttleable_remote_ip if req.post? && req.path_matches?('/auth')`
Change rate limits for various paths (#14253) - Rate limit login attempts by target account - Rate limit password resets and e-mail re-confirmations by target account - Rate limit sign-up/login attempts, password resets, and e-mail re-confirmations by IP like before 2020-07-07 14:26:39 +01:00			`end`

			`throttle('throttle_password_resets/ip', limit: 25, period: 5.minutes) do \|req\|`
Fix rate limiting for paths with formats (#20675) 2022-11-14 19:26:31 +00:00			`req.throttleable_remote_ip if req.post? && req.path_matches?('/auth/password')`
Change rate limits for various paths (#14253) - Rate limit login attempts by target account - Rate limit password resets and e-mail re-confirmations by target account - Rate limit sign-up/login attempts, password resets, and e-mail re-confirmations by IP like before 2020-07-07 14:26:39 +01:00			`end`

			`throttle('throttle_password_resets/email', limit: 5, period: 30.minutes) do \|req\|`
Fix rate limiting for paths with formats (#20675) 2022-11-14 19:26:31 +00:00			`req.params.dig('user', 'email').presence if req.post? && req.path_matches?('/auth/password')`
Change rate limits for various paths (#14253) - Rate limit login attempts by target account - Rate limit password resets and e-mail re-confirmations by target account - Rate limit sign-up/login attempts, password resets, and e-mail re-confirmations by IP like before 2020-07-07 14:26:39 +01:00			`end`

			`throttle('throttle_email_confirmations/ip', limit: 25, period: 5.minutes) do \|req\|`
Fix rate limiting for paths with formats (#20675) 2022-11-14 19:26:31 +00:00			`req.throttleable_remote_ip if req.post? && (req.path_matches?('/auth/confirmation') \|\| req.path == '/api/v1/emails/confirmations')`
Change rate limits for various paths (#14253) - Rate limit login attempts by target account - Rate limit password resets and e-mail re-confirmations by target account - Rate limit sign-up/login attempts, password resets, and e-mail re-confirmations by IP like before 2020-07-07 14:26:39 +01:00			`end`

			`throttle('throttle_email_confirmations/email', limit: 5, period: 30.minutes) do \|req\|`
Fix rate limiting for paths with formats (#20675) 2022-11-14 19:26:31 +00:00			`if req.post? && req.path_matches?('/auth/password')`
Add `POST /api/v1/emails/confirmations` to REST API (#15816) Only available to the application the user originally signed-up with 2021-03-01 17:39:47 +00:00			`req.params.dig('user', 'email').presence`
			`elsif req.post? && req.path == '/api/v1/emails/confirmations'`
			`req.authenticated_user_id`
			`end`
Change rate limits for various paths (#14253) - Rate limit login attempts by target account - Rate limit password resets and e-mail re-confirmations by target account - Rate limit sign-up/login attempts, password resets, and e-mail re-confirmations by IP like before 2020-07-07 14:26:39 +01:00			`end`

			`throttle('throttle_login_attempts/ip', limit: 25, period: 5.minutes) do \|req\|`
Fix rate limiting for paths with formats (#20675) 2022-11-14 19:26:31 +00:00			`req.throttleable_remote_ip if req.post? && req.path_matches?('/auth/sign_in')`
Change rate limits for various paths (#14253) - Rate limit login attempts by target account - Rate limit password resets and e-mail re-confirmations by target account - Rate limit sign-up/login attempts, password resets, and e-mail re-confirmations by IP like before 2020-07-07 14:26:39 +01:00			`end`

			`throttle('throttle_login_attempts/email', limit: 25, period: 1.hour) do \|req\|`
Fix rate limiting for paths with formats (#20675) 2022-11-14 19:26:31 +00:00			`req.session[:attempt_user_id] \|\| req.params.dig('user', 'email').presence if req.post? && req.path_matches?('/auth/sign_in')`
Fix #6 - Rate limit GET reqs to 300/5min, POST to 100/5min 2016-09-24 12:53:54 +01:00			`end`

Bump rack-attack from 6.5.0 to 6.6.0 (#17405) * Bump rack-attack from 6.5.0 to 6.6.0 Bumps [rack-attack](https://github.com/rack/rack-attack) from 6.5.0 to 6.6.0. - [Release notes](https://github.com/rack/rack-attack/releases) - [Changelog](https://github.com/rack/rack-attack/blob/master/CHANGELOG.md) - [Commits](https://github.com/rack/rack-attack/compare/v6.5.0...v6.6.0) --- updated-dependencies: - dependency-name: rack-attack dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * Fix usage of deprecated API Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Eugen Rochko <eugen@zeonfederated.com> 2022-03-12 08:23:53 +00:00			`self.throttled_responder = lambda do \|request\|`
Adding OAuth access scopes, fixing OAuth authorization UI, adding rate limiting to the API 2016-10-22 18:38:47 +01:00			`now = Time.now.utc`
Bump rack-attack from 6.5.0 to 6.6.0 (#17405) * Bump rack-attack from 6.5.0 to 6.6.0 Bumps [rack-attack](https://github.com/rack/rack-attack) from 6.5.0 to 6.6.0. - [Release notes](https://github.com/rack/rack-attack/releases) - [Changelog](https://github.com/rack/rack-attack/blob/master/CHANGELOG.md) - [Commits](https://github.com/rack/rack-attack/compare/v6.5.0...v6.6.0) --- updated-dependencies: - dependency-name: rack-attack dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * Fix usage of deprecated API Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Eugen Rochko <eugen@zeonfederated.com> 2022-03-12 08:23:53 +00:00			`match_data = request.env['rack.attack.match_data']`
Adding OAuth access scopes, fixing OAuth authorization UI, adding rate limiting to the API 2016-10-22 18:38:47 +01:00
			`headers = {`
Autofix Rubocop cops for config/ (#24145) 2023-10-03 14:24:12 +01:00			`'Content-Type' => 'application/json',`
			`'X-RateLimit-Limit' => match_data[:limit].to_s,`
Adding OAuth access scopes, fixing OAuth authorization UI, adding rate limiting to the API 2016-10-22 18:38:47 +01:00			`'X-RateLimit-Remaining' => '0',`
Autofix Rubocop cops for config/ (#24145) 2023-10-03 14:24:12 +01:00			`'X-RateLimit-Reset' => (now + (match_data[:period] - (now.to_i % match_data[:period]))).iso8601(6),`
Adding OAuth access scopes, fixing OAuth authorization UI, adding rate limiting to the API 2016-10-22 18:38:47 +01:00			`}`

Localize 'throttled' (#2755) 2017-05-03 22:36:19 +01:00			`[429, headers, [{ error: I18n.t('errors.429') }.to_json]]`
Fixing FanOutOnWriteService, fixing Sidekiq not having enough DB connections in the pool, adding a throttle of 60rpm per IP, adding mini profiler, adding admin status to users 2016-03-25 13:12:24 +00:00			`end`
Adding letter opener for development and Rack::Attack for future rate limiting implementations 2016-03-19 13:57:30 +00:00			`end`