Rate-limit Devise logins and password resets

Gemfile

@@ -31,6 +31,9 @@ gem "reverse_markdown", "~> 2.0"
 # Force older sprockets
 gem "sprockets", "~> 3.0"
 
+# Allow throttling requests
+gem "rack-attack", "~> 6.5"
+
 group :development, :test do
   # Call 'byebug' anywhere in the code to stop execution and get a debugger console
   gem "byebug", platforms: [:mri, :mingw, :x64_mingw]

config/initializers/rack_attack.rb

@@ -0,0 +1,13 @@
+# Throttle login attempts
+Rack::Attack.throttle("logins/ip", limit: 20, period: 1.hour) do |req|
+  req.ip if req.post? && req.path.start_with?("/users/sign_in")
+end
+
+# Throttle password reset attempts
+Rack::Attack.throttle("password-reset-requests/ip", limit: 20, period: 1.hour) do |req|
+  req.ip if req.post? && req.path.start_with?("/users/password")
+end
+
+ActiveSupport::Notifications.subscribe("rack.attack") do |name, start, finish, request_id, req|
+  Rails.logger.info "Throttled #{req.env["rack.attack.match_discriminator"]}"
+end