Commit Graph

40 Commits

Author SHA1 Message Date
Martin Brennan 9174716737
DEV: Remove Discourse.redis.delete_prefixed (#22103)
This method is a huge footgun in production, since it calls
the Redis KEYS command. From the Redis documentation at
https://redis.io/commands/keys/:

> Warning: consider KEYS as a command that should only be used in
production environments with extreme care. It may ruin performance when
it is executed against large databases. This command is intended for
debugging and special operations, such as changing your keyspace layout.
Don't use KEYS in your regular application code.

Since we were only using `delete_prefixed` in specs (now that we
removed the usage in production in 24ec06ff85)
we can remove this and instead rely on `use_redis_snapshotting` on the
particular tests that need this kind of clearing functionality.
2023-06-16 12:44:35 +10:00
David Taylor 6417173082
DEV: Apply syntax_tree formatting to `lib/*` 2023-01-09 12:10:19 +00:00
Alan Guo Xiang Tan 0da79561c3
DEV: Improve/Fix script/bench.rb (#19646)
1. Fix bug where we were not waiting for all unicorn workers to start up
before running benchmarks.

2. Fix a bug where headers were not used when benchmarking. Admin
benchmarks were basically running as anon user.

3. Disable rate limits when in profile env. We're pretty much going to
hit the rate limit every time as a normal user.

4. Benchmark against topic with a fixed posts count of 100. Previously profiling script was just randomly creating posts
and we would benchmark against a topic with a fixed posts count of 30.
Sometimes, the script fails because no topics with a posts count of 30
exists.

5. Benchmarks are not run against a normal user on top of anon and
admin.

6. Add script option to select tests that should be run.
2022-12-30 07:25:11 +08:00
David Taylor 11c93342dc
DEV: Consolidate Redis evalsha logic into DiscourseRedis::EvalHelper (#15957) 2022-02-15 16:06:12 +00:00
janzenisaac cffc2836cb
DEV: Don't allow users to immediately reinvite (#15722)
- Limit bulk re-invite to 1 time per day
- Move bulk invite by csv behind a site setting (hidden by default)
- Bump invite expiry from 30 -> 90 days

## Updates to rate_limiter
When limiting reinvites I found that **staff** are never limited in any way. So I updated the **rate_limiter** model to allow for a few things:
- add an optional param of `staff_limit`, which (when included and passed values, and the user passes `.staff?`) will override the default `max` & `secs` values and apply them to the user.
- in the case you **do** pass values to `staff_limit` but the user **does not** pass `staff?` the standard `max` & `secs` values will be applied to the user.

This should give us enough flexibility to 
1. continue to apply a strict rate limit to a standard user
2. but also apply a secondary (less strict) limit to staff
2022-02-03 13:07:40 -06:00
Osama Sayegh b86127ad12
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706)
Currently, Discourse rate limits all incoming requests by the IP address they
originate from regardless of the user making the request. This can be
frustrating if there are multiple users using Discourse simultaneously while
sharing the same IP address (e.g. employees in an office).

This commit implements a new feature to make Discourse apply rate limits by
user id rather than IP address for users at or higher than the configured trust
level (1 is the default).

For example, let's say a Discourse instance is configured to allow 200 requests
per minute per IP address, and we have 10 users at trust level 4 using
Discourse simultaneously from the same IP address. Before this feature, the 10
users could only make a total of 200 requests per minute before they got rate
limited. But with the new feature, each user is allowed to make 200 requests
per minute because the rate limits are applied on user id rather than the IP
address.

The minimum trust level for applying user-id-based rate limits can be
configured by the `skip_per_ip_rate_limit_trust_level` global setting. The
default is 1, but it can be changed by either adding the
`DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the
desired value to your `app.yml`, or changing the setting's value in the
`discourse.conf` file.

Requests made with API keys are still rate limited by IP address and the
relevant global settings that control API keys rate limits.

Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters
string that Discourse used to lookup the current user from the database and the
cookie contained no additional information about the user. However, we had to
change the cookie content in this commit so we could identify the user from the
cookie without making a database query before the rate limits logic and avoid
introducing a bottleneck on busy sites.

Besides the 32 characters auth token, the cookie now includes the user id,
trust level and the cookie's generation date, and we encrypt/sign the cookie to
prevent tampering.

Internal ticket number: t54739.
2021-11-17 23:27:30 +03:00
Josh Soref 59097b207f
DEV: Correct typos and spelling mistakes (#12812)
Over the years we accrued many spelling mistakes in the code base. 

This PR attempts to fix spelling mistakes and typos in all areas of the code that are extremely safe to change 

- comments
- test descriptions
- other low risk areas
2021-05-21 11:43:47 +10:00
Dan Ungureanu 1f2f84a6df
FIX: Add Retry-Header to rate limited responses (#11736)
It returned a 429 error code with a 'Retry-After' header if a
RateLimiter::LimitExceeded was raised and unhandled, but the header was
missing if the request was limited in the 'RequestTracker' middleware.
2021-01-19 11:35:46 +02:00
Andrew Prigorshnev 0f1c9a2180
FIX: Use the same time moment for related Redis calls in rate limiter (#11692)
Co-authored-by: Robin Ward <robin.ward@gmail.com>
2021-01-12 15:09:15 -05:00
Andrew Prigorshnev e25dd41aee
FIX: sliding window end time in rate limiter (#11691)
If the sliding window size is N seconds, then a moment at the Nth second
should be considered as the moment outside of the sliding window.

Otherwise, if the sliding window is already full, at the Nth second,
a new call wouldn't be allowed, but a time to wait before the next call
would be equal to zero, which is confusing.

In other words, the end of the time range shouldn't be included in the
sliding window.

Let's say we start at the second 0, and the sliding window size is 10
seconds. In the current version of rate limiter, this sliding window will
be considered as a time range [0, 10] (including the end of the range),
which actually is 11 seconds in length.

After this fix, the time range will be considered as [0, 10)
(excluding the end of the range), which is exactly 10 seconds in length.
2021-01-12 13:26:43 -05:00
Sam 2686d14b9a
PERF: introduce aggressive rate limiting for anonymous (#11129)
Previous to this change our anonymous rate limits acted as a throttle.
New implementation means we now also consider rate limited requests towards
the limit.

This means that if an anonymous user is hammering the server it will not be
able to get any requests through until it subsides with traffic.
2020-11-05 16:36:17 +11:00
Guo Xiang Tan 2e8075bac3
FIX: Ignore Redis readonly errors in `RateLimiter#rollback!`.
This is similar to what we're doing in `RateLimiter#performed!`.
2020-06-11 15:13:11 +08:00
Joffrey JAFFEUX 0d3d2c43a0
DEV: s/\$redis/Discourse\.redis (#8431)
This commit also adds a rubocop rule to prevent global variables.
2019-12-03 10:05:53 +01:00
Krzysztof Kotlarek 427d54b2b0 DEV: Upgrading Discourse to Zeitwerk (#8098)
Zeitwerk simplifies working with dependencies in dev and makes it easier reloading class chains. 

We no longer need to use Rails "require_dependency" anywhere and instead can just use standard 
Ruby patterns to require files.

This is a far reaching change and we expect some followups here.
2019-10-02 14:01:53 +10:00
Sam Saffron 30990006a9 DEV: enable frozen string literal on all files
This reduces chances of errors where consumers of strings mutate inputs
and reduces memory usage of the app.

Test suite passes now, but there may be some stuff left, so we will run
a few sites on a branch prior to merging
2019-05-13 09:31:32 +08:00
Sam aad7df2a1b correct return value 2018-04-25 08:44:07 +10:00
Sam 59cd7894d9 FEATURE: if site is under extreme load show anon view
If a particular path is being hit extremely hard by logged on users,
revert to anonymous cached view.

This will only come into effect if 3 requests queue for longer than 2 seconds
on a *single* path.

This can happen if a URL is shared with the entire forum base and everyone
is logged on
2018-04-18 16:58:57 +10:00
Guo Xiang Tan 81ca3677f7 Add guard for `nil` in our `RateLimiter`. 2018-03-01 13:20:42 +08:00
Guo Xiang Tan 5d9f9c2614 FIX: `RateLimiter` max of zero or less should raise rate limit exceeded. 2018-03-01 13:14:46 +08:00
Sam 4986ebcf24 FEATURE: optional default off global per ip rate limiter 2017-12-11 17:52:57 +11:00
Sam 47c44356f8 FIX: load balanced servers do not share monotonic clock
This means then when a service is load balanced and you reach rate limits
there was a case where they counting was way off

also remove the stub from clock_gettime cause we need to be super careful with
it, so we should probably just stub by hand when needed
2017-12-07 11:48:11 +11:00
Sam 5a9622163d FIX: regression around rate limiter 2017-12-04 21:44:16 +11:00
Sam dd70ef3abf Revert "Revert "PERF: improve speed of rate limiter""
This reverts commit 2373d85239.
2017-12-04 21:23:11 +11:00
Sam 2373d85239 Revert "PERF: improve speed of rate limiter"
This reverts commit a9bcdd7f27.
2017-12-04 21:19:28 +11:00
Sam a9bcdd7f27 PERF: improve speed of rate limiter
Also

- adds a global rate limiter option
- cleans up usage in tests
- fixes freeze_time so it handles clock_gettime
2017-12-04 18:17:30 +11:00
Guo Xiang Tan 5012d46cbd Add rubocop to our build. (#5004) 2017-07-28 10:20:09 +09:00
Robin Ward 5d4ee2ca1d FEATURE: Warn a user when they have few likes remaining 2016-03-18 11:30:29 -04:00
Robin Ward 0b4cb5cf0d Add better error messages for rate limits. 2015-09-24 13:52:46 -04:00
Sam a5b25ad2af FEATURE: scale up likes per day as users increase trust level
tl2 = 1.5 times the likes
tl3 = 2 times the likes
tl4 = 3 times the likes

configurable via tl[234]_additional_likes_per_day_multiplier site setting
2015-04-16 09:44:30 +10:00
Robin Ward f15b0d205f FIX: The "too similar" check happened when trying to make a post a wiki 2015-02-02 12:44:56 -05:00
Robin Ward 6e862e0e59 FIX: Should flush rate limit keys before testing it 2015-01-29 11:45:12 -05:00
Sam e0a82d3088 FIX: rate limit password reset email 2014-08-18 10:55:30 +10:00
Sam 7993845bfa add current_user_provider so people can override current_user bevior cleanly, see
http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278
2013-10-09 15:11:54 +11:00
Sam bf4bdbefe0 fix redis leak in rate limiter
change key name so there is no overlap with old non-list key
2013-05-28 08:58:45 +10:00
Matt Van Horn d5958f8779 Sliding window rate limiting
Switched the algorithm to use a circular buffer
based on a redis list
2013-05-25 12:37:28 -07:00
Matt Van Horn 247a0b3ea1 small refactor of RateLimiter for clarity 2013-05-24 13:36:33 -07:00
Sam 5ec52bd2e9 :s/moderator?/staff/g ... our naming was kind of crazy, renamed moderator? to staff 2013-05-02 17:22:27 +10:00
Sam 62c60540be pull moderator into own column, rename trust levels 2013-03-19 21:06:11 -07:00
Gosha Arinich cafc75b238 remove trailing whitespaces ❤️ 2013-02-26 07:31:35 +03:00
Robin Ward 21b5628528 Initial release of Discourse 2013-02-05 14:16:51 -05:00