chore: Ability to disable rack attack on widget endpoints (#7729)

chatwoot · Aug 16, 2023 · 2df8327 · 2df8327
1 parent 7b68a76
commit 2df8327
Showing 1 changed file with 17 additions and 12 deletions.
diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
@@ -105,19 +105,24 @@ def path_without_extentions
   ###-----------Widget API Throttling---------------###
   ###-----------------------------------------------###
 
-  ## Prevent Conversation Bombing on Widget APIs ###
-  throttle('api/v1/widget/conversations', limit: 6, period: 12.hours) do |req|
-    req.ip if req.path_without_extentions == '/api/v1/widget/conversations' && req.post?
-  end
+  # Rack attack on widget APIs can be disabled by setting ENABLE_RACK_ATTACK_WIDGET_API to false
+  # For clients using the widgets in specific conditions like inside and iframe
+  # TODO: Deprecate this feature in future after finding a better solution
+  if ActiveModel::Type::Boolean.new.cast(ENV.fetch('ENABLE_RACK_ATTACK_WIDGET_API', true))
+    ## Prevent Conversation Bombing on Widget APIs ###
+    throttle('api/v1/widget/conversations', limit: 6, period: 12.hours) do |req|
+      req.ip if req.path_without_extentions == '/api/v1/widget/conversations' && req.post?
+    end
 
-  ## Prevent Contact update Bombing in Widget API ###
-  throttle('api/v1/widget/contacts', limit: 60, period: 1.hour) do |req|
-    req.ip if req.path_without_extentions == '/api/v1/widget/contacts' && (req.patch? || req.put?)
-  end
+    ## Prevent Contact update Bombing in Widget API ###
+    throttle('api/v1/widget/contacts', limit: 60, period: 1.hour) do |req|
+      req.ip if req.path_without_extentions == '/api/v1/widget/contacts' && (req.patch? || req.put?)
+    end
 
-  ## Prevent Conversation Bombing through multiple sessions
-  throttle('widget?website_token={website_token}&cw_conversation={x-auth-token}', limit: 5, period: 1.hour) do |req|
-    req.ip if req.path_without_extentions == '/widget' && ActionDispatch::Request.new(req.env).params['cw_conversation'].blank?
+    ## Prevent Conversation Bombing through multiple sessions
+    throttle('widget?website_token={website_token}&cw_conversation={x-auth-token}', limit: 5, period: 1.hour) do |req|
+      req.ip if req.path_without_extentions == '/widget' && ActionDispatch::Request.new(req.env).params['cw_conversation'].blank?
+    end
   end
 
   ##-----------------------------------------------##
@@ -127,7 +132,7 @@ def path_without_extentions
   ###-----------------------------------------------###
 
   ## Prevent Abuse of Converstion Transcript APIs ###
-  throttle('/api/v1/accounts/:account_id/conversations/:conversation_id/transcript', limit: 20, period: 1.hour) do |req|
+  throttle('/api/v1/accounts/:account_id/conversations/:conversation_id/transcript', limit: 30, period: 1.hour) do |req|
     match_data = %r{/api/v1/accounts/(?<account_id>\d+)/conversations/(?<conversation_id>\d+)/transcript}.match(req.path)
     match_data[:account_id] if match_data.present?
   end