Merge pull request #1034 from publify/throttle-password-reset-mails

Rate-limit Devise logins and password resets
publify · Oct 23, 2021 · f74c2ec · f74c2ec
2 parents aa39c56 + badfedb
commit f74c2ec
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 0 deletions.
diff --git a/Gemfile b/Gemfile
@@ -31,6 +31,9 @@ gem "reverse_markdown", "~> 2.0"
 # Force older sprockets
 gem "sprockets", "~> 3.0"
 
+# Allow throttling requests
+gem "rack-attack", "~> 6.5"
+
 group :development, :test do
   # Call 'byebug' anywhere in the code to stop execution and get a debugger console
   gem "byebug", platforms: [:mri, :mingw, :x64_mingw]

diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+# Throttle login attempts
+Rack::Attack.throttle("logins/ip", limit: 20, period: 1.hour) do |req|
+  req.ip if req.post? && req.path.start_with?("/users/sign_in")
+end
+
+# Throttle password reset attempts
+Rack::Attack.throttle("password-reset-requests/ip", limit: 20, period: 1.hour) do |req|
+  req.ip if req.post? && req.path.start_with?("/users/password")
+end
+
+ActiveSupport::Notifications.
+  subscribe("rack.attack") do |_name, _start, _finish, _request_id, req|
+  Rails.logger.info "Throttled #{req.env["rack.attack.match_discriminator"]}"
+end