Merge pull request #4715 from techAPJ/login-per-ip
FEATURE: new site setting for max logins per ip per hour/minute
This commit is contained in:
commit
877957ae88
|
@ -158,8 +158,8 @@ class SessionController < ApplicationController
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
RateLimiter.new(nil, "login-hr-#{request.remote_ip}", 30, 1.hour).performed!
|
RateLimiter.new(nil, "login-hr-#{request.remote_ip}", SiteSetting.max_logins_per_ip_per_hour, 1.hour).performed!
|
||||||
RateLimiter.new(nil, "login-min-#{request.remote_ip}", 6, 1.minute).performed!
|
RateLimiter.new(nil, "login-min-#{request.remote_ip}", SiteSetting.max_logins_per_ip_per_minute, 1.minute).performed!
|
||||||
|
|
||||||
params.require(:login)
|
params.require(:login)
|
||||||
params.require(:password)
|
params.require(:password)
|
||||||
|
|
|
@ -1121,6 +1121,9 @@ en:
|
||||||
max_invites_per_day: "Maximum number of invites a user can send per day."
|
max_invites_per_day: "Maximum number of invites a user can send per day."
|
||||||
max_topic_invitations_per_day: "Maximum number of topic invitations a user can send per day."
|
max_topic_invitations_per_day: "Maximum number of topic invitations a user can send per day."
|
||||||
|
|
||||||
|
max_logins_per_ip_per_hour: "Maximum number of logins allowed per IP address per hour"
|
||||||
|
max_logins_per_ip_per_minute: "Maximum number of logins allowed per IP address per minute"
|
||||||
|
|
||||||
alert_admins_if_errors_per_minute: "Number of errors per minute in order to trigger an admin alert. A value of 0 disables this feature. NOTE: requires restart."
|
alert_admins_if_errors_per_minute: "Number of errors per minute in order to trigger an admin alert. A value of 0 disables this feature. NOTE: requires restart."
|
||||||
alert_admins_if_errors_per_hour: "Number of errors per hour in order to trigger an admin alert. A value of 0 disables this feature. NOTE: requires restart."
|
alert_admins_if_errors_per_hour: "Number of errors per hour in order to trigger an admin alert. A value of 0 disables this feature. NOTE: requires restart."
|
||||||
|
|
||||||
|
|
|
@ -988,6 +988,14 @@ rate_limits:
|
||||||
max_prints_per_hour_per_user:
|
max_prints_per_hour_per_user:
|
||||||
default: 5
|
default: 5
|
||||||
client: true
|
client: true
|
||||||
|
max_logins_per_ip_per_hour:
|
||||||
|
min: 1
|
||||||
|
max: 20000
|
||||||
|
default: 30
|
||||||
|
max_logins_per_ip_per_minute:
|
||||||
|
min: 1
|
||||||
|
max: 20000
|
||||||
|
default: 6
|
||||||
|
|
||||||
developer:
|
developer:
|
||||||
force_hostname:
|
force_hostname:
|
||||||
|
|
|
@ -659,6 +659,23 @@ describe SessionController do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'rate limited' do
|
||||||
|
it 'rate limits login' do
|
||||||
|
SiteSetting.max_logins_per_ip_per_hour = 2
|
||||||
|
RateLimiter.stubs(:disabled?).returns(false)
|
||||||
|
RateLimiter.clear_all!
|
||||||
|
|
||||||
|
2.times do
|
||||||
|
xhr :post, :create, login: user.username, password: 'myawesomepassword'
|
||||||
|
expect(response).to be_success
|
||||||
|
end
|
||||||
|
xhr :post, :create, login: user.username, password: 'myawesomepassword'
|
||||||
|
expect(response).not_to be_success
|
||||||
|
json = JSON.parse(response.body)
|
||||||
|
expect(json["error_type"]).to eq("rate_limit")
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe '.destroy' do
|
describe '.destroy' do
|
||||||
|
|
Loading…
Reference in New Issue