Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FEATURE: Apply rate limits per user instead of IP for trusted users #14706

Merged
merged 29 commits into from
Nov 17, 2021
Merged

FEATURE: Apply rate limits per user instead of IP for trusted users #14706

merged 29 commits into from
Nov 17, 2021

Conversation

OsamaSayegh
Copy link
Member

No description provided.

@davidtaylorhq davidtaylorhq marked this pull request as draft October 25, 2021 09:32
davidtaylorhq
davidtaylorhq reviewed Oct 25, 2021
View reviewed changes
config/discourse_defaults.conf Show resolved Hide resolved
lib/requests_rate_limiter.rb Outdated Show resolved Hide resolved
lib/auth/default_current_user_provider.rb Outdated Show resolved Hide resolved
@OsamaSayegh OsamaSayegh force-pushed the feature/rate-limits-per-user branch 3 times, most recently from 04e797b to 70521b1 Compare November 1, 2021 20:09
@OsamaSayegh OsamaSayegh marked this pull request as ready for review November 2, 2021 12:41
@OsamaSayegh
Copy link
Member Author

Ok @SamSaffron @davidtaylorhq can you please take another look at the PR? As we've discussed, we now store user information (user id and trust level) in the _t cookie and encrypt/sign it.

tgxworld
tgxworld reviewed Nov 8, 2021
View reviewed changes
app/models/user_api_key.rb Outdated Show resolved Hide resolved
tgxworld
tgxworld reviewed Nov 8, 2021
View reviewed changes
app/models/user_api_key.rb Outdated Show resolved Hide resolved
tgxworld
tgxworld requested changes Nov 8, 2021
View reviewed changes
lib/discourse_auth_cookie.rb Outdated Show resolved Hide resolved
@OsamaSayegh
cookie encryption (wip)
04d2194
@OsamaSayegh
cookie encryption done
43bf59a
@OsamaSayegh
remove commented out code
6a5e5b5
@OsamaSayegh
add a comment about dropping support for v0 of our auth cookie
024a940
@OsamaSayegh
tgx feedback part 1
2d77944
@OsamaSayegh
add v0 vs v1 cookie explanation
8d88454
@OsamaSayegh
tgx feedback part 2 and shorten cookie age to 5 minutes
b8e8569
@OsamaSayegh
use rotation time
6be0c86
@OsamaSayegh
3.0 -> 2.9
1a4bf87
@OsamaSayegh
use unique salt per site in multisite
6711000
@OsamaSayegh
implement issued_at idea
409bd02
@OsamaSayegh
serialize cookie as json
97f617c
@OsamaSayegh
use different derived keys for encryption and signing
08a3f29
@OsamaSayegh
rely on rails to do the encryption
20e7ec0
@OsamaSayegh
cookies is a cookie_jar and not a hash
d601f76
@OsamaSayegh
refactor auth_token method in guardian
f116d8c
@OsamaSayegh
check v0 cookie in guardian
0f22e6a
@OsamaSayegh
use token size constant
4898715
@OsamaSayegh
fix failing spec
a1312ed
@OsamaSayegh
fix typo and add multisite specs
005f79d
@OsamaSayegh
add request tracker spec for when cookie is tampered with
5691181
@OsamaSayegh
resolve conflicts
f6e5ad1
@OsamaSayegh
perf: dont initialize cookie jar if there is no cookie
a306ded
@OsamaSayegh
optimizations
e28ec28
@OsamaSayegh
revert refactoring as it impacts perf negatively
07cf8cf
@OsamaSayegh
remove unused method
1370861
@OsamaSayegh
fix hijack spec
848a1b8
@OsamaSayegh OsamaSayegh merged commit b86127a into main Nov 17, 2021
@OsamaSayegh OsamaSayegh deleted the feature/rate-limits-per-user branch November 17, 2021 20:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SamSaffron SamSaffron SamSaffron left review comments

@tgxworld tgxworld tgxworld approved these changes

@davidtaylorhq davidtaylorhq davidtaylorhq approved these changes

Assignees
No one assigned
Labels
⚠ DO NOT MERGE
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@OsamaSayegh @SamSaffron @tgxworld @davidtaylorhq