rack attack, devise password

chaskiq · Feb 7, 2022 · 3553a2c · 3553a2c
1 parent 9ec995c
commit 3553a2c
Show file tree

Hide file tree

Showing 6 changed files with 25 additions and 2 deletions.
diff --git a/Gemfile b/Gemfile
@@ -162,3 +162,5 @@ end
 gem "php_serialize", "~> 1.2"
 gem "scout_apm", "~> 2.6"
 gem "tzinfo-data", platforms: %i[mingw mswin x64_mingw jruby]
+
+gem "rack-attack", "~> 6.6"
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -398,6 +398,8 @@ GEM
     raabro (1.4.0)
     racc (1.6.0)
     rack (2.2.3)
+    rack-attack (6.6.0)
+      rack (>= 1.0, < 3)
     rack-cors (1.1.1)
       rack (>= 2.0.0)
     rack-mini-profiler (2.3.1)
@@ -650,6 +652,7 @@ DEPENDENCIES
   php_serialize (~> 1.2)
   pry
   puma (~> 5.5)
+  rack-attack (~> 6.6)
   rack-cors (~> 1.0)
   rack-mini-profiler (~> 2.0)
   rails (= 6.1.4.1)

diff --git a/app/models/agent.rb b/app/models/agent.rb
@@ -63,6 +63,14 @@ class Agent < ApplicationRecord
 
   has_one_attached :avatar
 
+  validate :password_complexity
+
+  def password_complexity
+    # https://github.com/heartcombo/devise/wiki/How-To:-Set-up-simple-password-complexity-requirements
+    return if password.blank? || password =~ /(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$%^&*-])/
+    errors.add :password, 'Complexity requirement not met. Please use: 1 uppercase, 1 lowercase, 1 digit and 1 special character'
+  end
+
   def self.from_omniauth(auth)
     where(provider: auth.provider, uid: auth.uid).first_or_create do |user|
       user.email = auth.info.email

diff --git a/config.ru b/config.ru
@@ -2,6 +2,9 @@
 
 # This file is used by Rack-based servers to start the application.
 
+require "rack/attack"
+use Rack::Attack
+
 require_relative "config/environment"
 
 require_relative "lib/rack/health_check"

diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
@@ -118,10 +118,10 @@
   # config.pepper = 'be5e846150463f904a28f7164ae786b549b1a15684b2dcd650de310b343379819b336af0e92ecbb101947ba79cb37c63878287ff24e36410183396d7b74f829b'
 
   # Send a notification to the original email when the user's email is changed.
-  # config.send_email_changed_notification = false
+  config.send_email_changed_notification = true
 
   # Send a notification email when the user's password is changed.
-  # config.send_password_change_notification = false
+  config.send_password_change_notification = true
 
   # ==> Configuration for :invitable
   # The period the generated invitation token is valid.

diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
@@ -0,0 +1,7 @@
+Rack::Attack.throttle("logins/ip", limit: 20, period: 1.hour) do |req|
+  req.ip if req.post? && req.path.start_with?("/oauth/token.json")
+end
+
+ActiveSupport::Notifications.subscribe("rack.attack") do |name, start, finish, request_id, req|
+  puts "Throttled #{req.env["rack.attack.match_discriminator"]}"
+end