Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
discourse/lib/auth/default_current_user_provid...

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

464 lines
14 KiB
Ruby
Raw Normal View History

FEATURE: add global rate limiter for admin api 60 per minute Also move configuration of admin and user api rate limiting into global settings. This is not intended to be configurable per site
2017-12-10 19:07:22 -05:00
# frozen_string_literal: true
REFACTOR: Introduce RouteMatcher class This consolidates logic used to match routes in ApiKey, UserApiKey and DefaultCurrentUserProvider. This reduces duplicated logic, and will allow UserApiKeysScope to easily re-use the parameter matching logic from ApiKeyScope
2020-10-06 12:20:15 -04:00
require_relative "../route_matcher"
FEATURE: add global rate limiter for admin api 60 per minute Also move configuration of admin and user api rate limiting into global settings. This is not intended to be configurable per site
2017-12-10 19:07:22 -05:00
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
# You may have seen references to v0 and v1 of our auth cookie in the codebase
# and you're not sure how they differ, so here is an explanation:
#
# From the very early days of Discourse, the auth cookie (_t) consisted only of
# a 32 characters random string that Discourse used to identify/lookup the
# current user. We didn't include any metadata with the cookie or encrypt/sign
# it.
#
# That was v0 of the auth cookie until Nov 2021 when we merged a change that
# required us to store additional metadata with the cookie so we could get more
# information about current user early in the request lifecycle before we
# performed database lookup. We also started encrypting and signing the cookie
# to prevent tampering and obfuscate user information that we include in the
# cookie. This is v1 of our auth cookie and we still use it to this date.
#
# We still accept v0 of the auth cookie to keep users logged in, but upon
# cookie rotation (which happen every 10 minutes) they'll be switched over to
# the v1 format.
#
# We'll drop support for v0 after Discourse 2.9 is released.
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278
2013-10-09 00:10:37 -04:00
class Auth::DefaultCurrentUserProvider
FIX: ruby bench not working properly - Remove thin which is no longer supported - Bypass admin api rate limiting in profile environment - Admin password was too short - Run by default in concurrency 1 mode - A skip bundle assets flag to speed up local testing
2018-02-18 18:12:51 -05:00
CURRENT_USER_KEY ||= "_DISCOURSE_CURRENT_USER"
FIX: Logout could fail due to cached user (#17325) Logging out failed when the current user was cached by an instance of `Auth::DefaultCurrentUserProvider` and `#log_off_user` was called on a different instance of that class. Co-authored-by: Sam <sam.saffron@gmail.com>
2022-07-04 11:01:19 -04:00
USER_TOKEN_KEY ||= "_DISCOURSE_USER_TOKEN"
FIX: ruby bench not working properly - Remove thin which is no longer supported - Bypass admin api rate limiting in profile environment - Admin password was too short - Run by default in concurrency 1 mode - A skip bundle assets flag to speed up local testing
2018-02-18 18:12:51 -05:00
API_KEY ||= "api_key"
FEATURE: Header based auth for API requests (#7129) Now you can also make authenticated API requests by passing the `api_key` and `api_username` in the HTTP header instead of query params. The new header values are: `Api-key` and `Api-Username`. Here is an example in cURL: ``` text curl -i -sS -X POST "http://127.0.0.1:3000/categories" \ -H "Content-Type: multipart/form-data;" \ -H "Api-Key: 7aa202bec1ff70563bc0a3d102feac0a7dd2af96b5b772a9feaf27485f9d31a2" \ -H "Api-Username: system" \ -F "name=7c1c0ed93583cba7124b745d1bd56b32" \ -F "color=49d9e9" \ -F "text_color=f0fcfd" ``` There is also support for `Api-User-Id` and `Api-User-External-Id` instead of specifying the username along with the key.
2019-03-08 11:13:31 -05:00
API_USERNAME ||= "api_username"
HEADER_API_KEY ||= "HTTP_API_KEY"
HEADER_API_USERNAME ||= "HTTP_API_USERNAME"
HEADER_API_USER_EXTERNAL_ID ||= "HTTP_API_USER_EXTERNAL_ID"
HEADER_API_USER_ID ||= "HTTP_API_USER_ID"
FEATURE: Allow parameter authentication for UserApiKeys (#9742) This refactors default_current_user_provider in a few ways: - Introduce a generic `api_parameter_allowed?` method which checks for whitelisted routes/formats - Only read the api_key parameter on allowed routes. It is now completely ignored on other routes (previously it would raise a 403) - Start reading user_api_key parameter on allowed routes - Refactor tests as end-end integration tests A plugin API for PARAMETER_API_PATTERNS will be added soon
2020-05-12 08:35:36 -04:00
PARAMETER_USER_API_KEY ||= "user_api_key"
FIX: ruby bench not working properly - Remove thin which is no longer supported - Bypass admin api rate limiting in profile environment - Admin password was too short - Run by default in concurrency 1 mode - A skip bundle assets flag to speed up local testing
2018-02-18 18:12:51 -05:00
USER_API_KEY ||= "HTTP_USER_API_KEY"
USER_API_CLIENT_ID ||= "HTTP_USER_API_CLIENT_ID"
API_KEY_ENV ||= "_DISCOURSE_API"
USER_API_KEY_ENV ||= "_DISCOURSE_USER_API"
Allow Discourse installs to name the token cookie
2018-03-13 16:48:40 -04:00
TOKEN_COOKIE ||= ENV["DISCOURSE_TOKEN_COOKIE"] || "_t"
FIX: ruby bench not working properly - Remove thin which is no longer supported - Bypass admin api rate limiting in profile environment - Admin password was too short - Run by default in concurrency 1 mode - A skip bundle assets flag to speed up local testing
2018-02-18 18:12:51 -05:00
PATH_INFO ||= "PATH_INFO"
SECURITY: limit bad cookie auth attempts - Also cleans up the _t cookie if it is invalid
2016-07-27 22:58:49 -04:00
COOKIE_ATTEMPTS_PER_MIN ||= 10
FEATURE: detect when client thinks user is logged on but is not This cleans up an error condition where UI thinks a user is logged on but the user is not. If this happens user will be prompted to refresh.
2018-03-06 00:49:31 -05:00
BAD_TOKEN ||= "_DISCOURSE_BAD_TOKEN"
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
DECRYPTED_AUTH_COOKIE = "_DISCOURSE_DECRYPTED_AUTH_COOKIE"
TOKEN_SIZE = 32
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278
2013-10-09 00:10:37 -04:00
DEV: Prevent 'previous definition' warnings for PARAMETER_API_PATTERNS
2020-05-13 07:54:28 -04:00
PARAMETER_API_PATTERNS ||= [
REFACTOR: Introduce RouteMatcher class This consolidates logic used to match routes in ApiKey, UserApiKey and DefaultCurrentUserProvider. This reduces duplicated logic, and will allow UserApiKeysScope to easily re-use the parameter matching logic from ApiKeyScope
2020-10-06 12:20:15 -04:00
RouteMatcher.new(
methods: :get,
actions: [
FEATURE: Allow parameter authentication for UserApiKeys (#9742) This refactors default_current_user_provider in a few ways: - Introduce a generic `api_parameter_allowed?` method which checks for whitelisted routes/formats - Only read the api_key parameter on allowed routes. It is now completely ignored on other routes (previously it would raise a 403) - Start reading user_api_key parameter on allowed routes - Refactor tests as end-end integration tests A plugin API for PARAMETER_API_PATTERNS will be added soon
2020-05-12 08:35:36 -04:00
"posts#latest",
"posts#user_posts_feed",
"groups#posts_feed",
"groups#mentions_feed",
FIX: Add missing rss routes to parameter api whitelist
2020-05-12 11:08:35 -04:00
"list#user_topics_feed",
FEATURE: Allow parameter authentication for UserApiKeys (#9742) This refactors default_current_user_provider in a few ways: - Introduce a generic `api_parameter_allowed?` method which checks for whitelisted routes/formats - Only read the api_key parameter on allowed routes. It is now completely ignored on other routes (previously it would raise a 403) - Start reading user_api_key parameter on allowed routes - Refactor tests as end-end integration tests A plugin API for PARAMETER_API_PATTERNS will be added soon
2020-05-12 08:35:36 -04:00
"list#category_feed",
FIX: Add missing rss routes to parameter api whitelist
2020-05-12 11:08:35 -04:00
"topics#feed",
"badges#show",
"tags#tag_feed",
"tags#show",
*%i[latest unread new read posted bookmarks].map { |f| "list##{f}_feed" },
*%i[all yearly quarterly monthly weekly daily].map { |p| "list#top_#{p}_feed" },
*%i[latest unread new read posted bookmarks].map { |f| "tags#show_#{f}" },
FEATURE: Allow parameter authentication for UserApiKeys (#9742) This refactors default_current_user_provider in a few ways: - Introduce a generic `api_parameter_allowed?` method which checks for whitelisted routes/formats - Only read the api_key parameter on allowed routes. It is now completely ignored on other routes (previously it would raise a 403) - Start reading user_api_key parameter on allowed routes - Refactor tests as end-end integration tests A plugin API for PARAMETER_API_PATTERNS will be added soon
2020-05-12 08:35:36 -04:00
],
REFACTOR: Introduce RouteMatcher class This consolidates logic used to match routes in ApiKey, UserApiKey and DefaultCurrentUserProvider. This reduces duplicated logic, and will allow UserApiKeysScope to easily re-use the parameter matching logic from ApiKeyScope
2020-10-06 12:20:15 -04:00
formats: :rss,
FEATURE: Add email_encoded parameter to accept inbound base64 encoded emails (#12947) We have found when receiving and posting inbound emails to the handle_mail route, it is better to POST the payload as a base64 encoded string to avoid strange encoding issues. This introduces a new param of `email_encoded` and maintains the legacy param of email, showing a deprecation warning. Eventually the old param of `email` will be dropped and the new one `email_encoded` will be the only way to handle_mail.
2021-05-05 22:59:52 -04:00
),
REFACTOR: Introduce RouteMatcher class This consolidates logic used to match routes in ApiKey, UserApiKey and DefaultCurrentUserProvider. This reduces duplicated logic, and will allow UserApiKeysScope to easily re-use the parameter matching logic from ApiKeyScope
2020-10-06 12:20:15 -04:00
RouteMatcher.new(methods: :get, actions: "users#bookmarks", formats: :ics),
RouteMatcher.new(methods: :post, actions: "admin/email#handle_mail", formats: nil),
FEATURE: Allow parameter authentication for UserApiKeys (#9742) This refactors default_current_user_provider in a few ways: - Introduce a generic `api_parameter_allowed?` method which checks for whitelisted routes/formats - Only read the api_key parameter on allowed routes. It is now completely ignored on other routes (previously it would raise a 403) - Start reading user_api_key parameter on allowed routes - Refactor tests as end-end integration tests A plugin API for PARAMETER_API_PATTERNS will be added soon
2020-05-12 08:35:36 -04:00
]
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
def self.find_v0_auth_cookie(request)
FIX: Correctly handle invalid auth cookies (#16995) Previously it would blow up on invalid utf byte sequences. This was a source of spec flakiness.
2022-06-07 07:00:25 -04:00
cookie = request.cookies[TOKEN_COOKIE]
cookie if cookie&.valid_encoding? && cookie.present? && cookie.size == TOKEN_SIZE
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
end
def self.find_v1_auth_cookie(env)
return env[DECRYPTED_AUTH_COOKIE] if env.key?(DECRYPTED_AUTH_COOKIE)
env[DECRYPTED_AUTH_COOKIE] = begin
request = ActionDispatch::Request.new(env)
FIX: Correctly handle invalid auth cookies (#16995) Previously it would blow up on invalid utf byte sequences. This was a source of spec flakiness.
2022-06-07 07:00:25 -04:00
cookie = request.cookies[TOKEN_COOKIE]
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
# don't even initialize a cookie jar if we don't have a cookie at all
FIX: Correctly handle invalid auth cookies (#16995) Previously it would blow up on invalid utf byte sequences. This was a source of spec flakiness.
2022-06-07 07:00:25 -04:00
if cookie&.valid_encoding? && cookie.present?
FIX: Do not error when json-serialized cookies are used (#16522) We intend to switch to the `:json` serializer, which will stringify all keys. However, we need a clean revert path. This commit ensures that our `_t` cookie handling works with both marshal (the current default) and json (the new default) serialization.
2022-04-20 14:15:40 -04:00
request.cookie_jar.encrypted[TOKEN_COOKIE]&.with_indifferent_access
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
end
end
end
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278
2013-10-09 00:10:37 -04:00
# do all current user initialization here
Revert "FIX: Don't rate limit admin and staff constraints when matching routes." This reverts commit 651b50b1a159258588ebd716f678035db2239b5a.
2018-09-04 02:17:05 -04:00
def initialize(env)
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278
2013-10-09 00:10:37 -04:00
@env = env
@request = Rack::Request.new(env)
FIX: Logout could fail due to cached user (#17325) Logging out failed when the current user was cached by an instance of `Auth::DefaultCurrentUserProvider` and `#log_off_user` was called on a different instance of that class. Co-authored-by: Sam <sam.saffron@gmail.com>
2022-07-04 11:01:19 -04:00
@user_token = env[USER_TOKEN_KEY]
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278
2013-10-09 00:10:37 -04:00
end
# our current user, return nil if none is found
def current_user
return @env[CURRENT_USER_KEY] if @env.key?(CURRENT_USER_KEY)
FEATURE: allow long polling to go to a different url Added the site setting long_polling_base_url , this allows you to farm long polling to a different server. This setting is very important if a CDN is serving dynamic content.
2014-10-23 22:38:00 -04:00
# bypass if we have the shared session header
if shared_key = @env["HTTP_X_SHARED_SESSION_KEY"]
DEV: s/\$redis/Discourse\.redis (#8431) This commit also adds a rubocop rule to prevent global variables.
2019-12-03 04:05:53 -05:00
uid = Discourse.redis.get("shared_session_key_#{shared_key}")
FEATURE: allow long polling to go to a different url Added the site setting long_polling_base_url , this allows you to farm long polling to a different server. This setting is very important if a CDN is serving dynamic content.
2014-10-23 22:38:00 -04:00
user = nil
user = User.find_by(id: uid.to_i) if uid
@env[CURRENT_USER_KEY] = user
return user
end
Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433.
2014-05-22 18:13:25 -04:00
request = @request
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278
2013-10-09 00:10:37 -04:00
SECURITY: inactive/suspended accounts should be banned from api Also fixes edge cases around users presenting multiple credentials
2017-02-17 11:02:33 -05:00
user_api_key = @env[USER_API_KEY]
FEATURE: Allow parameter authentication for UserApiKeys (#9742) This refactors default_current_user_provider in a few ways: - Introduce a generic `api_parameter_allowed?` method which checks for whitelisted routes/formats - Only read the api_key parameter on allowed routes. It is now completely ignored on other routes (previously it would raise a 403) - Start reading user_api_key parameter on allowed routes - Refactor tests as end-end integration tests A plugin API for PARAMETER_API_PATTERNS will be added soon
2020-05-12 08:35:36 -04:00
api_key = @env[HEADER_API_KEY]
if !@env.blank? && request[PARAMETER_USER_API_KEY] && api_parameter_allowed?
user_api_key ||= request[PARAMETER_USER_API_KEY]
end
api_key ||= request[API_KEY] if !@env.blank? && request[API_KEY] && api_parameter_allowed?
SECURITY: inactive/suspended accounts should be banned from api Also fixes edge cases around users presenting multiple credentials
2017-02-17 11:02:33 -05:00
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
auth_token = find_auth_token
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278
2013-10-09 00:10:37 -04:00
current_user = nil
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
if auth_token
SECURITY: do cookie auth rate limiting earlier
2016-08-08 20:02:18 -04:00
limiter = RateLimiter.new(nil, "cookie_auth_#{request.ip}", COOKIE_ATTEMPTS_PER_MIN, 60)
FIX: Delete the invalid auth cookie even if you hit the rate limit
2018-02-09 19:09:54 -05:00
if limiter.can_perform?
FIX: Logout could fail due to cached user (#17325) Logging out failed when the current user was cached by an instance of `Auth::DefaultCurrentUserProvider` and `#log_off_user` was called on a different instance of that class. Co-authored-by: Sam <sam.saffron@gmail.com>
2022-07-04 11:01:19 -04:00
@env[USER_TOKEN_KEY] = @user_token =
begin
FIX: Rescue from readonly errors when looking up auth tokens. Since this is rare, we don't want to check for `Discourse.pg_readonly_mode?` on every request since we have to reach for Redis. Instead, just rescue the error here.
2020-06-03 04:36:51 -04:00
UserAuthToken.lookup(
auth_token,
seen: true,
user_agent: @env["HTTP_USER_AGENT"],
path: @env["REQUEST_PATH"],
client_ip: @request.ip,
)
rescue ActiveRecord::ReadOnlyError
nil
end
FEATURE: add hidden setting for verbose auth token logging This is only needed to debug auth token issues, will result in lots of logging
2017-02-13 14:01:01 -05:00
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens.
2017-01-31 17:21:37 -05:00
current_user = @user_token.try(:user)
SECURITY: do cookie auth rate limiting earlier
2016-08-08 20:02:18 -04:00
end
SECURITY: limit bad cookie auth attempts - Also cleans up the _t cookie if it is invalid
2016-07-27 22:58:49 -04:00
FEATURE: detect when client thinks user is logged on but is not This cleans up an error condition where UI thinks a user is logged on but the user is not. If this happens user will be prompted to refresh.
2018-03-06 00:49:31 -05:00
if !current_user
@env[BAD_TOKEN] = true
SECURITY: limit bad cookie auth attempts - Also cleans up the _t cookie if it is invalid
2016-07-27 22:58:49 -04:00
begin
Revert "FIX: Don't rate limit admin and staff constraints when matching routes." This reverts commit 651b50b1a159258588ebd716f678035db2239b5a.
2018-09-04 02:17:05 -04:00
limiter.performed!
SECURITY: limit bad cookie auth attempts - Also cleans up the _t cookie if it is invalid
2016-07-27 22:58:49 -04:00
rescue RateLimiter::LimitExceeded
FIX: Delete the invalid auth cookie even if you hit the rate limit
2018-02-09 19:09:54 -05:00
raise Discourse::InvalidAccess.new("Invalid Access", nil, delete_cookie: TOKEN_COOKIE)
SECURITY: limit bad cookie auth attempts - Also cleans up the _t cookie if it is invalid
2016-07-27 22:58:49 -04:00
end
end
FEATURE: detect when client thinks user is logged on but is not This cleans up an error condition where UI thinks a user is logged on but the user is not. If this happens user will be prompted to refresh.
2018-03-06 00:49:31 -05:00
elsif @env["HTTP_DISCOURSE_LOGGED_IN"]
@env[BAD_TOKEN] = true
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278
2013-10-09 00:10:37 -04:00
end
# possible we have an api call, impersonate
SECURITY: inactive/suspended accounts should be banned from api Also fixes edge cases around users presenting multiple credentials
2017-02-17 11:02:33 -05:00
if api_key
Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433.
2014-05-22 18:13:25 -04:00
current_user = lookup_api_user(api_key, request)
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
if !current_user
raise Discourse::InvalidAccess.new(
I18n.t("invalid_api_credentials"),
nil,
custom_message: "invalid_api_credentials",
)
end
SECURITY: inactive/suspended accounts should be banned from api Also fixes edge cases around users presenting multiple credentials
2017-02-17 11:02:33 -05:00
raise Discourse::InvalidAccess if current_user.suspended? || !current_user.active
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
admin_api_key_limiter.performed! if !Rails.env.profile?
Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433.
2014-05-22 18:13:25 -04:00
@env[API_KEY_ENV] = true
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278
2013-10-09 00:10:37 -04:00
end
Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent
2016-08-15 03:58:33 -04:00
# user api key handling
SECURITY: inactive/suspended accounts should be banned from api Also fixes edge cases around users presenting multiple credentials
2017-02-17 11:02:33 -05:00
if user_api_key
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
@hashed_user_api_key = ApiKey.hash_key(user_api_key)
Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent
2016-08-15 03:58:33 -04:00
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
user_api_key_obj =
UserApiKey
.active
.joins(:user)
.where(key_hash: @hashed_user_api_key)
.includes(:user, :scopes)
.first
Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent
2016-08-15 03:58:33 -04:00
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
raise Discourse::InvalidAccess unless user_api_key_obj
Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent
2016-08-15 03:58:33 -04:00
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
user_api_key_limiter_60_secs.performed!
user_api_key_limiter_1_day.performed!
Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent
2016-08-15 03:58:33 -04:00
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
user_api_key_obj.ensure_allowed!(@env)
current_user = user_api_key_obj.user
SECURITY: inactive/suspended accounts should be banned from api Also fixes edge cases around users presenting multiple credentials
2017-02-17 11:02:33 -05:00
raise Discourse::InvalidAccess if current_user.suspended? || !current_user.active
Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent
2016-08-15 03:58:33 -04:00
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
user_api_key_obj.update_last_used(@env[USER_API_CLIENT_ID]) if can_write?
Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent
2016-08-15 03:58:33 -04:00
SECURITY: don't grant same privileges to user_api and api access User API is no longer gets bypasses that standard API gets. Only bypasses are CSRF and XHR requirements.
2016-12-15 20:05:20 -05:00
@env[USER_API_KEY_ENV] = true
Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent
2016-08-15 03:58:33 -04:00
end
SECURITY: inactive/suspended accounts should be banned from api Also fixes edge cases around users presenting multiple credentials
2017-02-17 11:02:33 -05:00
# keep this rule here as a safeguard
# under no conditions to suspended or inactive accounts get current_user
current_user = nil if current_user && (current_user.suspended? || !current_user.active)
FIX: Do not update `last seen` time for suspended users
2018-07-18 11:04:57 -04:00
if current_user && should_update_last_seen?
FIX: last ip address could point at wrong ip Due to unicorn env object recycling request.ip could point at the wrong ip address by the time defer block is called. This usually would happen under load. This also avoids keeping the entire request object as referenced by the closure.
2020-03-11 02:42:56 -04:00
ip = request.ip
FIX: avoid concurrent usage of AR models (#16596) Flagged by the truffle team at: https://meta.discourse.org/t/thread-unsafe-current-user-usage-in-auth-defaultcurrentuserprovider/225671 This usage of AR is unsafe currently, as AR models are not safe for concurrent usage Introduces a new query potentially every minute which should be acceptable.
2022-05-02 18:50:56 -04:00
user_id = current_user.id
old_ip = current_user.ip_address
FIX: last ip address could point at wrong ip Due to unicorn env object recycling request.ip could point at the wrong ip address by the time defer block is called. This usually would happen under load. This also avoids keeping the entire request object as referenced by the closure.
2020-03-11 02:42:56 -04:00
FIX: Do not update `last seen` time for suspended users
2018-07-18 11:04:57 -04:00
Scheduler::Defer.later "Updating Last Seen" do
FIX: avoid concurrent usage of AR models (#16596) Flagged by the truffle team at: https://meta.discourse.org/t/thread-unsafe-current-user-usage-in-auth-defaultcurrentuserprovider/225671 This usage of AR is unsafe currently, as AR models are not safe for concurrent usage Introduces a new query potentially every minute which should be acceptable.
2022-05-02 18:50:56 -04:00
if User.should_update_last_seen?(user_id)
if u = User.find_by(id: user_id)
u.update_last_seen!(Time.zone.now, force: true)
end
end
User.update_ip_address!(user_id, new_ip: ip, old_ip: old_ip)
FIX: Do not update `last seen` time for suspended users
2018-07-18 11:04:57 -04:00
end
end
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278
2013-10-09 00:10:37 -04:00
@env[CURRENT_USER_KEY] = current_user
end
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
def refresh_session(user, session, cookie_jar)
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens.
2017-01-31 17:21:37 -05:00
# if user was not loaded, no point refreshing session
# it could be an anonymous path, this would add cost
return if is_api? || !@env.key?(CURRENT_USER_KEY)
SECURITY: inactive/suspended accounts should be banned from api Also fixes edge cases around users presenting multiple credentials
2017-02-17 11:02:33 -05:00
if !is_user_api? && @user_token && @user_token.user == user
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens.
2017-01-31 17:21:37 -05:00
rotated_at = @user_token.rotated_at
needs_rotation =
DEV: Apply syntax_tree formatting to `lib/*`
2023-01-09 07:10:19 -05:00
(
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens.
2017-01-31 17:21:37 -05:00
if @user_token.auth_token_seen
rotated_at < UserAuthToken::ROTATE_TIME.ago
DEV: Apply syntax_tree formatting to `lib/*`
2023-01-09 07:10:19 -05:00
else
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens.
2017-01-31 17:21:37 -05:00
rotated_at < UserAuthToken::URGENT_ROTATE_TIME.ago
DEV: Apply syntax_tree formatting to `lib/*`
2023-01-09 07:10:19 -05:00
end
)
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens.
2017-01-31 17:21:37 -05:00
needed to remove legacy from a few more spots
2018-05-03 21:11:44 -04:00
if needs_rotation
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens.
2017-01-31 17:21:37 -05:00
if @user_token.rotate!(
user_agent: @env["HTTP_USER_AGENT"],
FIX: Improve token rotation and increase logging - avoid access denied on bad cookie, instead just nuke it - avoid marking a token unseen for first minute post rotation - log path in user auth token logs
2017-03-07 13:27:34 -05:00
client_ip: @request.ip,
path: @env["REQUEST_PATH"],
)
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
set_auth_cookie!(@user_token.unhashed_auth_token, user, cookie_jar)
FEATURE: add user_session_refreshed trigger (#9412) Trigger an event for plugins to consume when a user session is refreshed. This allows external auth to be notified about account activity, and be able to take action such as use oauth refresh tokens to keep oauth tokens valid.
2020-04-14 12:32:24 -04:00
DiscourseEvent.trigger(:user_session_refreshed, user)
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens.
2017-01-31 17:21:37 -05:00
end
end
FEATURE: refresh session cookie at most once an hour This feature ensures session cookie lifespan is extended when user is online. Also decreases session timeout from 90 to 60 days. Ensures all users (including logged on ones) get expiring sessions.
2016-07-24 22:07:31 -04:00
end
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens.
2017-01-31 17:21:37 -05:00
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
cookie_jar.delete(TOKEN_COOKIE) if !user && cookie_jar.key?(TOKEN_COOKIE)
FEATURE: refresh session cookie at most once an hour This feature ensures session cookie lifespan is extended when user is online. Also decreases session timeout from 90 to 60 days. Ensures all users (including logged on ones) get expiring sessions.
2016-07-24 22:07:31 -04:00
end
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
def log_on_user(user, session, cookie_jar, opts = {})
FIX: Logout could fail due to cached user (#17325) Logging out failed when the current user was cached by an instance of `Auth::DefaultCurrentUserProvider` and `#log_off_user` was called on a different instance of that class. Co-authored-by: Sam <sam.saffron@gmail.com>
2022-07-04 11:01:19 -04:00
@env[USER_TOKEN_KEY] = @user_token =
UserAuthToken.generate!(
Only check for suspicious login for staff members
2018-10-25 18:29:28 -04:00
user_id: user.id,
user_agent: @env["HTTP_USER_AGENT"],
path: @env["REQUEST_PATH"],
client_ip: @request.ip,
FIX: Do not check for suspicious login when impersonating. (#6534) * FIX: Do not check for suspicious login when impersonating. * DEV: Add 'impersonate' parameter to log_on_user.
2018-11-12 09:34:12 -05:00
staff: user.staff?,
FIX: opts is a hash in 'log_on_user' cc @nbianca
2018-11-12 10:00:12 -05:00
impersonate: opts[:impersonate],
)
FIX: don't expire old sessions when logging in
2016-07-25 21:37:41 -04:00
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
set_auth_cookie!(@user_token.unhashed_auth_token, user, cookie_jar)
DEV: Replace User.unstage and User#unstage API with User#unstage! (#8906) * DEV: Replace User.unstage and User#unstage API with User#unstage! Quoting @SamSaffron: > User.unstage mixes concerns of both unstaging users and updating params which is fragile/surprising. > u.unstage destroys notifications and raises a user_unstaged event prior to the user becoming unstaged and the user object being saved. User#unstage! no longer updates user attributes and saves the object before triggering the `user_unstaged` event. * Update one more spec * Assign attributes after unstaging
2020-03-17 11:48:24 -04:00
user.unstage!
automatically make developers admins on account creation, this solves the user #1 problem you can simply set the DEVELOPER_EMAILS to a comma delimited list and the users will be auto admined
2013-11-01 19:25:43 -04:00
make_developer_admin(user)
FEATURE: new bootstrap mode settings for brand new Discourse community (#4193) * FEATURE: new bootstrap mode settings for brand new Discourse community * new SiteSetting.set_and_log method
2016-04-26 13:08:19 -04:00
enable_bootstrap_mode(user)
FEATURE: Limit the number of active sessions for a user (#8411) If a user has more than 60 active sessions, the oldest sessions will be terminated automatically. This protects performance when logging in and when loading the list of recently used devices.
2019-11-27 07:39:31 -05:00
UserAuthToken.enforce_session_count_limit!(user.id)
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278
2013-10-09 00:10:37 -04:00
@env[CURRENT_USER_KEY] = user
end
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
def set_auth_cookie!(unhashed_auth_token, user, cookie_jar)
data = {
token: unhashed_auth_token,
user_id: user.id,
trust_level: user.trust_level,
issued_at: Time.zone.now.to_i,
FEATURE: set secure flag on _t cookie if https is forced
2016-10-16 21:11:15 -04:00
}
FEATURE: add support for same site cookies Defaults to Lax, can be disabled or set to Strict. Strict will only work if you require login and use SSO. Otherwise when clicking on links to your site you will appear logged out till you refresh the page.
2017-02-23 12:01:28 -05:00
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
expires = SiteSetting.maximum_session_age.hours.from_now if SiteSetting.persistent_sessions
FEATURE: Add support for not persistent sessions In some cases Discourse admins may opt for sessions not to persist when a browser is closed. This is particularly useful in healthcare and education settings where computers are shared among multiple workers. By default `persistent_sessions` site setting is enabled, to opt out you must disable the site setting.
2020-09-11 01:11:13 -04:00
FEATURE: add support for same site cookies Defaults to Lax, can be disabled or set to Strict. Strict will only work if you require login and use SSO. Otherwise when clicking on links to your site you will appear logged out till you refresh the page.
2017-02-23 12:01:28 -05:00
same_site = SiteSetting.same_site_cookies if SiteSetting.same_site_cookies != "Disabled"
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
cookie_jar.encrypted[TOKEN_COOKIE] = {
value: data,
httponly: true,
secure: SiteSetting.force_https,
expires: expires,
same_site: same_site,
}
FEATURE: set secure flag on _t cookie if https is forced
2016-10-16 21:11:15 -04:00
end
FIX: Make sure first admin users are added to auto groups (#18494) When a user with an email matching those inside the DISCOURSE_DEVELOPER_EMAILS env var log in, we make them into admin users if they are not already. This is used when setting up the first admin user for self-hosters, since the discourse-setup script sets the provided admin emails into DISCOURSE_DEVELOPER_EMAILS. The issue being fixed here is that the new admins were not being automatically added to the staff and admins automatic groups, which was causing issues with the site settings that are group_list based that don't have an explicit staff override. All we need to do is refresh the automatic staff, admin groups when admin is granted for the user.
2022-10-06 01:16:38 -04:00
# This is also used to set the first admin of the site via
# the finish installation & register -> user account activation
# for signup flow, since all admin emails are stored in
# DISCOURSE_DEVELOPER_EMAILS for self-hosters.
automatically make developers admins on account creation, this solves the user #1 problem you can simply set the DEVELOPER_EMAILS to a comma delimited list and the users will be auto admined
2013-11-01 19:25:43 -04:00
def make_developer_admin(user)
if user.active? && !user.admin && Rails.configuration.respond_to?(:developer_emails) &&
Rails.configuration.developer_emails.include?(user.email)
FEATURE: on initial boot hint users on how to get admin
2014-03-24 03:03:39 -04:00
user.admin = true
user.save
FIX: Make sure first admin users are added to auto groups (#18494) When a user with an email matching those inside the DISCOURSE_DEVELOPER_EMAILS env var log in, we make them into admin users if they are not already. This is used when setting up the first admin user for self-hosters, since the discourse-setup script sets the provided admin emails into DISCOURSE_DEVELOPER_EMAILS. The issue being fixed here is that the new admins were not being automatically added to the staff and admins automatic groups, which was causing issues with the site settings that are group_list based that don't have an explicit staff override. All we need to do is refresh the automatic staff, admin groups when admin is granted for the user.
2022-10-06 01:16:38 -04:00
Group.refresh_automatic_groups!(:staff, :admins)
automatically make developers admins on account creation, this solves the user #1 problem you can simply set the DEVELOPER_EMAILS to a comma delimited list and the users will be auto admined
2013-11-01 19:25:43 -04:00
end
end
FEATURE: new bootstrap mode settings for brand new Discourse community (#4193) * FEATURE: new bootstrap mode settings for brand new Discourse community * new SiteSetting.set_and_log method
2016-04-26 13:08:19 -04:00
def enable_bootstrap_mode(user)
FIX: always unstage users when they log in
2018-05-13 11:00:02 -04:00
return if SiteSetting.bootstrap_mode_enabled
if user.admin && user.last_seen_at.nil? && user.is_singular_admin?
Jobs.enqueue(:enable_bootstrap_mode, user_id: user.id)
end
FEATURE: new bootstrap mode settings for brand new Discourse community (#4193) * FEATURE: new bootstrap mode settings for brand new Discourse community * new SiteSetting.set_and_log method
2016-04-26 13:08:19 -04:00
end
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
def log_off_user(session, cookie_jar)
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens.
2017-01-31 17:21:37 -05:00
user = current_user
FIX: always unstage users when they log in
2018-05-13 11:00:02 -04:00
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens.
2017-01-31 17:21:37 -05:00
if SiteSetting.log_out_strict && user
user.user_auth_tokens.destroy_all
clear mini profiler cookie when admin logs off
2016-05-18 03:27:54 -04:00
if user.admin && defined?(Rack::MiniProfiler)
# clear the profiling cookie to keep stuff tidy
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
cookie_jar.delete("__profilin")
clear mini profiler cookie when admin logs off
2016-05-18 03:27:54 -04:00
end
FEATURE: Add event trigger when a user is logged out.
2016-07-04 05:20:30 -04:00
user.logged_out
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens.
2017-01-31 17:21:37 -05:00
elsif user && @user_token
@user_token.destroy
FEATURE: logging out logs you out everywhere can be disabled by changing the setting "log_out_strict" to false
2015-01-27 20:56:25 -05:00
end
Fix all the errors to get our tests green on Rails 5.1.
2017-08-31 00:06:56 -04:00
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
cookie_jar.delete("authentication_data")
cookie_jar.delete(TOKEN_COOKIE)
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278
2013-10-09 00:10:37 -04:00
end
# api has special rights return true if api was detected
def is_api?
current_user
SECURITY: don't grant same privileges to user_api and api access User API is no longer gets bypasses that standard API gets. Only bypasses are CSRF and XHR requirements.
2016-12-15 20:05:20 -05:00
!!(@env[API_KEY_ENV])
end
def is_user_api?
current_user
!!(@env[USER_API_KEY_ENV])
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278
2013-10-09 00:10:37 -04:00
end
def has_auth_cookie?
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
find_auth_token.present?
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278
2013-10-09 00:10:37 -04:00
end
Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433.
2014-05-22 18:13:25 -04:00
def should_update_last_seen?
FIX: Handle PG readonly mode in `Auth::DefaultCurrentUserProvider`. Avoid writing to the DB when PG is in readonly mode.
2020-07-21 01:43:28 -04:00
return false unless can_write?
FIX: Don't update `User#last_seen_at` when PG is in readonly take 3.
2019-01-22 05:07:48 -05:00
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
api = !!@env[API_KEY_ENV] || !!@env[USER_API_KEY_ENV]
FEATURE: Allow API requests to specify the `DISCOURSE_VISIBLE` header This allows API consumers to automatically update the user's last_seen time. The default behaviour is unchanged.
2019-04-15 12:34:34 -04:00
if @request.xhr? || api
FEATURE: Stricter rules for user presence Previously we would consider a user "present" and "last seen" if the browser window was visible. This has many edge cases, you could be considered present and around for days just by having a window open and no screensaver on. Instead we now also check that you either clicked, transitioned around app or scrolled the page in the last minute in combination with window visibility This will lead to more reliable notifications via email and reduce load of message bus for cases where a user walks away from the terminal
2020-03-26 02:35:32 -04:00
@env["HTTP_DISCOURSE_PRESENT"] == "true"
FIX: last seen date erroneously updated when browser in background In some cases user may be "last seen" even though browser tab is in the background or computer is locked
2017-02-28 12:34:57 -05:00
else
true
end
Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433.
2014-05-22 18:13:25 -04:00
end
protected
def lookup_api_user(api_key_value, request)
FEATURE: Hash API keys in the database (#8438) API keys are now only visible when first created. After that, only the first four characters are stored in the database for identification, along with an sha256 hash of the full key. This makes key usage easier to audit, and ensures attackers would not have access to the live site in the event of a database leak. This makes the merge lower risk, because we have some time to revert if needed. Once the change is confirmed to be working, we will add a second commit to drop the `key` column.
2019-12-12 06:45:00 -05:00
if api_key = ApiKey.active.with_key(api_key_value).includes(:user).first
FIX: prevent mixed api auth headers & query params When using the api and you provide an http header based api key any other auth based information (username, external_id, or user_id) passed in as query params will not be used and vice versa. Followup to f03b293e6a5f12f12ba2a61ab2bc2cfb8a7f1a63
2019-03-12 19:16:42 -04:00
api_username = header_api_key? ? @env[HEADER_API_USERNAME] : request[API_USERNAME]
DEV: Add update message for an outdated mail-receiver Previous versions of the mail-receiver used query based api credentials, if we detect this we will show a message in the admin panel to update the mail receiver.
2019-11-08 19:28:48 -05:00
DEV: Do not log API key scope and/or source-ip mismatches (#15423) Using an incorrectly-scoped API key is something which should be fixed by the client - no need to log errors on the server-side.
2021-12-29 07:22:21 -05:00
return nil if !api_key.request_allowed?(@env)
FEATURE: allow restricting API keys to a particular range
2014-11-19 23:21:49 -05:00
FEATURE: track date api key was last used Start tracking the date an api key was last used. This has already been the case for user_api_keys. This information can provide us with the ability to automatically expire unused api keys after N days.
2019-09-03 04:10:29 -04:00
user =
if api_key.user
api_key.user if !api_username || (api_key.user.username_lower == api_username.downcase)
elsif api_username
User.find_by(username_lower: api_username.downcase)
elsif user_id = header_api_key? ? @env[HEADER_API_USER_ID] : request["api_user_id"]
User.find_by(id: user_id.to_i)
elsif external_id =
header_api_key? ? @env[HEADER_API_USER_EXTERNAL_ID] : request["api_user_external_id"]
SingleSignOnRecord.find_by(external_id: external_id.to_s).try(:user)
end
FIX: Handle PG readonly mode in `Auth::DefaultCurrentUserProvider`. Avoid writing to the DB when PG is in readonly mode.
2020-07-21 01:43:28 -04:00
if user && can_write?
PERF: Throttle updates to API key last_used_at (#16390) Co-authored-by: David Taylor <david@taylorhq.com>
2022-04-06 10:01:52 -04:00
Scheduler::Defer.later "Updating api_key last_used" do
api_key.update_last_used!
end
Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433.
2014-05-22 18:13:25 -04:00
end
FEATURE: track date api key was last used Start tracking the date an api key was last used. This has already been the case for user_api_keys. This information can provide us with the ability to automatically expire unused api keys after N days.
2019-09-03 04:10:29 -04:00
user
Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433.
2014-05-22 18:13:25 -04:00
end
end
DEV: Extract global admin api rate limiting into a dedicated method. * We have a use case for overriding the rate limiting logic in a plugin.
2018-09-04 04:35:49 -04:00
private
FEATURE: Allow plugins to register parameter-based API routes (#10505) Example usage: ``` add_api_parameter_route( method: :get, route: "users#bookmarks", format: :ics ) ```
2020-08-24 05:24:52 -04:00
def parameter_api_patterns
PARAMETER_API_PATTERNS + DiscoursePluginRegistry.api_parameter_routes
end
FEATURE: Allow parameter authentication for UserApiKeys (#9742) This refactors default_current_user_provider in a few ways: - Introduce a generic `api_parameter_allowed?` method which checks for whitelisted routes/formats - Only read the api_key parameter on allowed routes. It is now completely ignored on other routes (previously it would raise a 403) - Start reading user_api_key parameter on allowed routes - Refactor tests as end-end integration tests A plugin API for PARAMETER_API_PATTERNS will be added soon
2020-05-12 08:35:36 -04:00
# By default we only allow headers for sending API credentials
# However, in some scenarios it is essential to send them via url parameters
# so we need to add some exceptions
def api_parameter_allowed?
REFACTOR: Introduce RouteMatcher class This consolidates logic used to match routes in ApiKey, UserApiKey and DefaultCurrentUserProvider. This reduces duplicated logic, and will allow UserApiKeysScope to easily re-use the parameter matching logic from ApiKeyScope
2020-10-06 12:20:15 -04:00
parameter_api_patterns.any? { |p| p.match?(env: @env) }
DEV: Only show deprecation message for non-whitelisted requests As another step toward fully dreprecating query parameter authentication in API requests this change prevents an admin dashboard message from showing up if using a whitelisted route like rss feeds or the mail-receiver route.
2020-03-16 14:05:24 -04:00
end
FIX: prevent mixed api auth headers & query params When using the api and you provide an http header based api key any other auth based information (username, external_id, or user_id) passed in as query params will not be used and vice versa. Followup to f03b293e6a5f12f12ba2a61ab2bc2cfb8a7f1a63
2019-03-12 19:16:42 -04:00
def header_api_key?
!!@env[HEADER_API_KEY]
end
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
def can_write?
@can_write ||= !Discourse.pg_readonly_mode?
end
def admin_api_key_limiter
return @admin_api_key_limiter if @admin_api_key_limiter
DEV: Extract global admin api rate limiting into a dedicated method. * We have a use case for overriding the rate limiting logic in a plugin.
2018-09-04 04:35:49 -04:00
FEATURE: Add global admin api key rate limiter (#12527)
2021-06-03 05:52:43 -04:00
limit = GlobalSetting.max_admin_api_reqs_per_minute.to_i
if GlobalSetting.respond_to?(:max_admin_api_reqs_per_key_per_minute)
DEV: Let's always give a drop_from param to deprecate (#14901) So that we know when deprecations can be removed in the future.
2021-11-12 09:52:59 -05:00
Discourse.deprecate(
"DISCOURSE_MAX_ADMIN_API_REQS_PER_KEY_PER_MINUTE is deprecated. Please use DISCOURSE_MAX_ADMIN_API_REQS_PER_MINUTE",
drop_from: "2.9.0",
)
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
limit = [GlobalSetting.max_admin_api_reqs_per_key_per_minute.to_i, limit].max
FEATURE: Add global admin api key rate limiter (#12527)
2021-06-03 05:52:43 -04:00
end
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
@admin_api_key_limiter =
RateLimiter.new(nil, "admin_api_min", limit, 60, error_code: "admin_api_key_rate_limit")
end
FEATURE: Add global admin api key rate limiter (#12527)
2021-06-03 05:52:43 -04:00
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
def user_api_key_limiter_60_secs
@user_api_key_limiter_60_secs ||=
RateLimiter.new(
nil,
"user_api_min_#{@hashed_user_api_key}",
GlobalSetting.max_user_api_reqs_per_minute,
60,
error_code: "user_api_key_limiter_60_secs",
)
DEV: Extract global admin api rate limiting into a dedicated method. * We have a use case for overriding the rate limiting logic in a plugin.
2018-09-04 04:35:49 -04:00
end
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
def user_api_key_limiter_1_day
@user_api_key_limiter_1_day ||=
RateLimiter.new(
nil,
"user_api_day_#{@hashed_user_api_key}",
GlobalSetting.max_user_api_reqs_per_day,
86_400,
error_code: "user_api_key_limiter_1_day",
)
FIX: Handle PG readonly mode in `Auth::DefaultCurrentUserProvider`. Avoid writing to the DB when PG is in readonly mode.
2020-07-21 01:43:28 -04:00
end
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
def find_auth_token
return @auth_token if defined?(@auth_token)
@auth_token =
begin
if v0 = self.class.find_v0_auth_cookie(@request)
v0
elsif v1 = self.class.find_v1_auth_cookie(@env)
v1[:token] if v1[:issued_at] >= SiteSetting.maximum_session_age.hours.ago.to_i
end
end
end
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278
2013-10-09 00:10:37 -04:00
end