Release 145

UKGovernmentBEIS · Jan 25, 2024 · 50b9241 · 50b9241
2 parents b8250d1 + 565f3cd
commit 50b9241
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,12 @@
 
 [Full changelog][unreleased]
 
+## Release 145 - 2024-01-25
+
+[Full changelog][145]
+
+- Configure rack-attack to prevent brute force login attacks
+
 ## Release 144 - 2024-01-24
 
 [Full changelog][144]
@@ -1661,7 +1667,8 @@
 - Planned start and end dates are mandatory
 - Actual start and end dates must not be in the future
 
-[unreleased]: https://github.com/UKGovernmentBEIS/beis-report-official-development-assistance/compare/release-144...HEAD
+[unreleased]: https://github.com/UKGovernmentBEIS/beis-report-official-development-assistance/compare/release-145...HEAD
+[145]: https://github.com/UKGovernmentBEIS/beis-report-official-development-assistance/compare/release-144...release-145
 [144]: https://github.com/UKGovernmentBEIS/beis-report-official-development-assistance/compare/release-143...release-144
 [143]: https://github.com/UKGovernmentBEIS/beis-report-official-development-assistance/compare/release-142...release-143
 [142]: https://github.com/UKGovernmentBEIS/beis-report-official-development-assistance/compare/release-141...release-142

diff --git a/Gemfile b/Gemfile
@@ -29,6 +29,7 @@ gem "puma", "~> 6.4"
 gem "pundit"
 gem "rollbar"
 gem "rails", "~> 6.1.7"
+gem "rack-attack"
 gem "rollout"
 gem "rollout-ui"
 gem "redis", "< 5"

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -315,6 +315,8 @@ GEM
       rspec-support (~> 3.12)
     racc (1.7.3)
     rack (2.2.8)
+    rack-attack (6.7.0)
+      rack (>= 1.0, < 4)
     rack-protection (2.2.4)
       rack
     rack-session (1.0.2)
@@ -573,6 +575,7 @@ DEPENDENCIES
   puma (~> 6.4)
   pundit
   pundit-matchers (~> 3.1.2)
+  rack-attack
   rails (~> 6.1.7)
   rails-controller-testing
   rails_layout

diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
@@ -0,0 +1,9 @@
+### Prevent Brute-Force Login Attacks ###
+# Throttle POST requests to /users/sign_in by IP address
+#
+# Key: "rack::attack:#{Time.now.to_i/:period}:logins/ip:#{req.ip}"
+Rack::Attack.throttle("logins/ip", limit: ENV.fetch("LOGIN_ATTEMPTS_COUNT_BEFORE_THROTTLE", 5), period: ENV.fetch("LOGIN_ATTEMPTS_INTERVAL_BEFORE_THROTTLE", 300)) do |request|
+  if request.path.start_with?("/users/sign_in") && request.post?
+    request.ip
+  end
+end