Merge pull request #4715 from techAPJ/login-per-ip

FEATURE: new site setting for max logins per ip per hour/minute

app/controllers/session_controller.rb

@@ -158,8 +158,8 @@ class SessionController < ApplicationController
       return
     end
 
-    RateLimiter.new(nil, "login-hr-#{request.remote_ip}", 30, 1.hour).performed!
-    RateLimiter.new(nil, "login-min-#{request.remote_ip}", 6, 1.minute).performed!
+    RateLimiter.new(nil, "login-hr-#{request.remote_ip}", SiteSetting.max_logins_per_ip_per_hour, 1.hour).performed!
+    RateLimiter.new(nil, "login-min-#{request.remote_ip}", SiteSetting.max_logins_per_ip_per_minute, 1.minute).performed!
 
     params.require(:login)
     params.require(:password)

config/locales/server.en.yml

@@ -1121,6 +1121,9 @@ en:
     max_invites_per_day: "Maximum number of invites a user can send per day."
     max_topic_invitations_per_day: "Maximum number of topic invitations a user can send per day."
 
+    max_logins_per_ip_per_hour: "Maximum number of logins allowed per IP address per hour"
+    max_logins_per_ip_per_minute: "Maximum number of logins allowed per IP address per minute"
+
     alert_admins_if_errors_per_minute: "Number of errors per minute in order to trigger an admin alert. A value of 0 disables this feature. NOTE: requires restart."
     alert_admins_if_errors_per_hour: "Number of errors per hour in order to trigger an admin alert. A value of 0 disables this feature. NOTE: requires restart."
 
@@ -1423,7 +1426,7 @@ en:
     delete_drafts_older_than_n_days: Delete drafts older than (n) days.
 
     bootstrap_mode_min_users: "Minimum number of users required to disable bootstrap mode (set to 0 to disable)"
-    
+
     prevent_anons_from_downloading_files: "Prevent anonymous users from downloading attachments. WARNING: this will prevent any non-image site assets posted as attachments from working."
 
     slug_generation_method: "Choose a slug generation method. 'encoded' will generate percent encoding string. 'none' will disable slug at all."

config/site_settings.yml

@@ -988,6 +988,14 @@ rate_limits:
   max_prints_per_hour_per_user:
     default: 5
     client: true
+  max_logins_per_ip_per_hour:
+    min: 1
+    max: 20000
+    default: 30
+  max_logins_per_ip_per_minute:
+    min: 1
+    max: 20000
+    default: 6
 
 developer:
   force_hostname:

spec/controllers/session_controller_spec.rb

@@ -659,6 +659,23 @@ describe SessionController do
         end
       end
     end
+
+    context 'rate limited' do
+      it 'rate limits login' do
+        SiteSetting.max_logins_per_ip_per_hour = 2
+        RateLimiter.stubs(:disabled?).returns(false)
+        RateLimiter.clear_all!
+
+        2.times do
+          xhr :post, :create, login: user.username, password: 'myawesomepassword'
+          expect(response).to be_success
+        end
+        xhr :post, :create, login: user.username, password: 'myawesomepassword'
+        expect(response).not_to be_success
+        json = JSON.parse(response.body)
+        expect(json["error_type"]).to eq("rate_limit")
+      end
+    end
   end
 
   describe '.destroy' do