FIX: Delete the invalid auth cookie even if you hit the rate limit

2018-02-09 19:09:54 -05:00 · 2018-02-09 19:09:54 -05:00 · 569e57f0a9
parent 2faa4c2f5f
commit 569e57f0a9
4 changed files with 27 additions and 6 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -159,6 +159,10 @@ class ApplicationController < ActionController::Base
  end

  rescue_from Discourse::InvalidAccess do |e|
+
+    if e.opts[:delete_cookie].present?
+      cookies.delete(e.opts[:delete_cookie])
+    end
    rescue_discourse_actions(
      :invalid_access,
      403,
--- a/lib/auth/default_current_user_provider.rb
+++ b/lib/auth/default_current_user_provider.rb
@ -48,7 +48,7 @@ class Auth::DefaultCurrentUserProvider
    if auth_token && auth_token.length == 32
      limiter = RateLimiter.new(nil, "cookie_auth_#{request.ip}", COOKIE_ATTEMPTS_PER_MIN , 60)

-      if request.ip == "127.0.0.1" || request.ip == "::1" || limiter.can_perform?
+      if limiter.can_perform?
        @user_token = UserAuthToken.lookup(auth_token,
                                           seen: true,
                                           user_agent: @env['HTTP_USER_AGENT'],
@ -62,7 +62,11 @@ class Auth::DefaultCurrentUserProvider
        begin
          limiter.performed!
        rescue RateLimiter::LimitExceeded
-          raise Discourse::InvalidAccess
+          raise Discourse::InvalidAccess.new(
+            'Invalid Access',
+            nil,
+            delete_cookie: TOKEN_COOKIE
+          )
        end
      end
    end
--- a/lib/discourse.rb
+++ b/lib/discourse.rb
@ -64,12 +64,12 @@ module Discourse

  # When they don't have permission to do something
  class InvalidAccess < StandardError
-    attr_reader :obj, :custom_message
+    attr_reader :obj, :custom_message, :opts
    def initialize(msg = nil, obj = nil, opts = nil)
      super(msg)

-      opts ||= {}
-      @custom_message = opts[:custom_message] if opts[:custom_message]
+      @opts = opts || {}
+      @custom_message = opts[:custom_message] if @opts[:custom_message]
      @obj = obj
    end
  end
--- a/spec/integration/rate_limiting_spec.rb
+++ b/spec/integration/rate_limiting_spec.rb
@ -2,16 +2,29 @@

 require 'rails_helper'

-describe 'admin rate limit' do
+describe 'rate limiter integration' do

  before do
    RateLimiter.enable
+    RateLimiter.clear_all!
  end

  after do
    RateLimiter.disable
  end

+  it "will clear the token cookie if invalid" do
+    name = Auth::DefaultCurrentUserProvider::TOKEN_COOKIE
+
+    # we try 11 times because the rate limit is 10
+    11.times {
+      cookies[name] = SecureRandom.hex
+      get '/categories.json'
+      expect(response.cookies.has_key?(name)).to eq(true)
+      expect(response.cookies[name]).to be_nil
+    }
+  end
+
  it 'can cleanly limit requests' do
    #request.set_header("action_dispatch.show_exceptions", true)