Add rate limiting to login requests

Add rate limiting to login requests using rack-attack. As a starting point, we are setting a limit of 5 request per minute to /api/users/sign_in.
meedan · Jan 11, 2024 · e60a914 · e60a914
1 parent e5b5d25
commit e60a914
Show file tree

Hide file tree

Showing 7 changed files with 39 additions and 0 deletions.
diff --git a/Gemfile b/Gemfile
@@ -62,6 +62,7 @@ gem 'graphiql-rails', git: 'https://github.com/meedan/graphiql-rails.git', ref:
 gem 'graphql-formatter'
 gem 'nokogiri', '1.14.3'
 gem 'puma'
+gem 'rack-attack'
 gem 'rack-cors', '1.0.6', require: 'rack/cors'
 gem 'sidekiq', '5.2.10'
 gem 'sidekiq-cloudwatchmetrics'

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -637,6 +637,8 @@ GEM
     raabro (1.4.0)
     racc (1.7.1)
     rack (2.2.6.4)
+    rack-attack (6.7.0)
+      rack (>= 1.0, < 4)
     rack-cors (1.0.6)
       rack (>= 1.6.0)
     rack-protection (2.2.0)
@@ -983,6 +985,7 @@ DEPENDENCIES
   puma
   pusher
   rack (= 2.2.6.4)
+  rack-attack
   rack-cors (= 1.0.6)
   rack-protection (= 2.2.0)
   railroady

diff --git a/config/application.rb b/config/application.rb
@@ -99,5 +99,8 @@ class Application < Rails::Application
     })
 
     config.active_record.yaml_column_permitted_classes = [Time, Symbol]
+
+    # Rack Attack Configuration
+    config.middleware.use Rack::Attack
   end
 end
diff --git a/config/environments/development.rb b/config/environments/development.rb
@@ -83,4 +83,6 @@
   else
     puts '[WARNING] config.hosts not provided. Only requests from localhost are allowed. To change, update `whitelisted_hosts` in config.yml'
   end
+
+  config.hosts << "api.check.orb.local"
 end
diff --git a/config/environments/test.rb b/config/environments/test.rb
@@ -78,4 +78,6 @@
   config.after_initialize do
     PaperTrail.enabled = ENV['PAPERTRAIL_ENABLED'] || false
   end
+
+  config.cache_store = :memory_store
 end
diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
@@ -0,0 +1,16 @@
+class Rack::Attack
+  # Throttle login attempts by IP address
+  throttle('logins/ip', limit: 5, period: 60.seconds) do |req|
+    if req.path == '/api/users/sign_in' && req.post?
+      req.ip
+    end
+  end
+
+  # Throttle login attempts by email address
+  throttle('logins/email', limit: 5, period: 60.seconds) do |req|
+    if req.path == '/api/users/sign_in' && req.post?
+      # Return the email if present, nil otherwise
+      req.params['user']['email'].presence if req.params['user']
+    end
+  end
+end
diff --git a/test/controllers/sessions_controller_test.rb b/test/controllers/sessions_controller_test.rb
@@ -71,5 +71,17 @@ def setup
     assert_not_nil @controller.current_api_user
   end
 
+  test "should throttle excessive login requests" do
+    u = create_user login: 'test', password: '12345678', password_confirmation: '12345678', email: '[email protected]'
+
+    20.times do
+      post :create, params: { api_user: { email: '[email protected]', password: '12345678' }  }
+      assert_not_nil @controller.current_api_user
+    end
+
+    # post :create, params: { api_user: { email: '[email protected]', password: '12345678' } }
+    # assert_response :too_many_requests
+  end
+
 
 end
-Original file line number
+Diff line change
@@ Expand Up / @@ -83,4 +83,6 @@ @@
       else
         puts '[WARNING] config.hosts not provided. Only requests from localhost are allowed. To change, update `whitelisted_hosts` in config.yml'
       end
+      config.hosts << "api.check.orb.local"
     end