ami/tl-vikunja
1
0
Fork 0
Code

feat: make unauthenticated user routes rate limit configurable

Browse Source
This commit is contained in:
kolaente 2023-11-28 22:27:22 +01:00
parent f26f1326ea
commit c6c465c273
No known key found for this signature in database
GPG Key ID: F40E70337AB24C9B
4 changed files with 25 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
config.yml.sample
View File

@ -191,6 +191,10 @@ ratelimit:
# Possible values are "keyvalue", "memory" or "redis". # Possible values are "keyvalue", "memory" or "redis".
# When choosing "keyvalue" this setting follows the one configured in the "keyvalue" section. # When choosing "keyvalue" this setting follows the one configured in the "keyvalue" section.
store: keyvalue store: keyvalue
# The number of requests a user can make from the same IP to all unauthenticated routes (login, register,
# password confirmation, email verification, password reset request) per minute. This limit cannot be disabled.
# You should only change this if you know what you're doing.
noauthlimit: 10
files: files:
# The path where files are stored # The path where files are stored

13
docs/content/doc/setup/config.md
View File

@ -969,6 +969,19 @@ Full path: `ratelimit.store`
Environment path: `VIKUNJA_RATELIMIT_STORE` Environment path: `VIKUNJA_RATELIMIT_STORE`
### noauthlimit
The number of requests a user can make from the same IP to all unauthenticated routes (login, register,
password confirmation, email verification, password reset request) per minute. This limit cannot be disabled.
You should only change this if you know what you're doing.
Default: `10`
Full path: `ratelimit.noauthlimit`
Environment path: `VIKUNJA_RATELIMIT_NOAUTHLIMIT`
--- ---
## files ## files

12
pkg/config/config.go
View File

@ -122,11 +122,12 @@ const (
LogMail Key = `log.mail` LogMail Key = `log.mail`
LogMailLevel Key = `log.maillevel` LogMailLevel Key = `log.maillevel`
RateLimitEnabled Key = `ratelimit.enabled` RateLimitEnabled Key = `ratelimit.enabled`
RateLimitKind Key = `ratelimit.kind` RateLimitKind Key = `ratelimit.kind`
RateLimitPeriod Key = `ratelimit.period` RateLimitPeriod Key = `ratelimit.period`
RateLimitLimit Key = `ratelimit.limit` RateLimitLimit Key = `ratelimit.limit`
RateLimitStore Key = `ratelimit.store` RateLimitStore Key = `ratelimit.store`
RateLimitNoAuthRoutesLimit Key = `ratelimit.noauthlimit`
FilesBasePath Key = `files.basepath` FilesBasePath Key = `files.basepath`
FilesMaxSize Key = `files.maxsize` FilesMaxSize Key = `files.maxsize`
@ -367,6 +368,7 @@ func InitDefaultConfig() {
RateLimitLimit.setDefault(100) RateLimitLimit.setDefault(100)
RateLimitPeriod.setDefault(60) RateLimitPeriod.setDefault(60)
RateLimitStore.setDefault("memory") RateLimitStore.setDefault("memory")
RateLimitNoAuthRoutesLimit.setDefault(10)
// Files // Files
FilesBasePath.setDefault("files") FilesBasePath.setDefault("files")
FilesMaxSize.setDefault("20MB") FilesMaxSize.setDefault("20MB")

2
pkg/routes/routes.go
View File

@ -246,7 +246,7 @@ func registerAPIRoutes(a *echo.Group) {
ur := a.Group("") ur := a.Group("")
rate := limiter.Rate{ rate := limiter.Rate{
Period: 60 * time.Second, Period: 60 * time.Second,
Limit: 10, Limit: config.RateLimitNoAuthRoutesLimit.GetInt64(),
} }
rateLimiter := createRateLimiter(rate) rateLimiter := createRateLimiter(rate)
ur.Use(RateLimit(rateLimiter, "ip")) ur.Use(RateLimit(rateLimiter, "ip"))