Change rate limits to 1,500/5m per user, 300/5m per app (#23347)
parent
420f33ccb9
commit
c6ef56fd5e
|
@ -33,6 +33,10 @@ class Rack::Attack
|
|||
authenticated_token&.resource_owner_id
|
||||
end
|
||||
|
||||
def authenticated_token_id
|
||||
authenticated_token&.id
|
||||
end
|
||||
|
||||
def unauthenticated?
|
||||
!authenticated_user_id
|
||||
end
|
||||
|
@ -62,10 +66,14 @@ class Rack::Attack
|
|||
IpBlock.blocked?(req.remote_ip)
|
||||
end
|
||||
|
||||
throttle('throttle_authenticated_api', limit: 300, period: 5.minutes) do |req|
|
||||
throttle('throttle_authenticated_api', limit: 1_500, period: 5.minutes) do |req|
|
||||
req.authenticated_user_id if req.api_request?
|
||||
end
|
||||
|
||||
throttle('throttle_per_token_api', limit: 300, period: 5.minutes) do |req|
|
||||
req.authenticated_token_id if req.api_request?
|
||||
end
|
||||
|
||||
throttle('throttle_unauthenticated_api', limit: 300, period: 5.minutes) do |req|
|
||||
req.throttleable_remote_ip if req.api_request? && req.unauthenticated?
|
||||
end
|
||||
|
|
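Review bot: The new `throttle_per_token_api` rule in the second hunk is keyed on `req.authenticated_token_id`, so the 300/5m budget applies to each access token, not to each application as the commit title states. If one application can hold several valid tokens for the same user (the token issuance and reuse policy is not visible on this page), each token gets its own 300-request budget and the only shared ceiling is the per-user limit this commit raises to 1,500. If a per-application limit is intended, add a helper next to `authenticated_token_id` that returns `authenticated_token&.application_id` (assuming the token model exposes that attribute) and use the user id plus that application id as the discriminator. If per-token is intended, say so with a comment above the rule, such as `# Limits each access token, not each application`. The enclosing `Rack::Attack` class starts and ends outside both hunks, so how `authenticated_token` is resolved cannot be checked from here.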