Change rate limits to 1,500/5m per user, 300/5m per app (#23347)

1 year ago · c6ef56fd5e
parent 420f33ccb9
commit c6ef56fd5e
1 changed files with 9 additions and 1 deletions
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@ -33,6 +33,10 @@ class Rack::Attack
      authenticated_token&.resource_owner_id
    end

+    def authenticated_token_id
+      authenticated_token&.id
+    end
+
    def unauthenticated?
      !authenticated_user_id
    end
@ -62,10 +66,14 @@ class Rack::Attack
    IpBlock.blocked?(req.remote_ip)
  end

-  throttle('throttle_authenticated_api', limit: 300, period: 5.minutes) do |req|
+  throttle('throttle_authenticated_api', limit: 1_500, period: 5.minutes) do |req|
    req.authenticated_user_id if req.api_request?
  end

+  throttle('throttle_per_token_api', limit: 300, period: 5.minutes) do |req|
+    req.authenticated_token_id if req.api_request?
+  end
+
  throttle('throttle_unauthenticated_api', limit: 300, period: 5.minutes) do |req|
    req.throttleable_remote_ip if req.api_request? && req.unauthenticated?
  end