Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Rate-limit Devise logins and password resets
  • Loading branch information
mvz committed Oct 23, 2021
1 parent aa39c56 commit 503a856
Show file tree
Hide file tree
Showing 2 changed files with 16 additions and 0 deletions.
3 changes: 3 additions & 0 deletions Gemfile
Expand Up @@ -31,6 +31,9 @@ gem "reverse_markdown", "~> 2.0"
# Force older sprockets
gem "sprockets", "~> 3.0"

# Allow throttling requests
gem "rack-attack", "~> 6.5"

group :development, :test do
# Call 'byebug' anywhere in the code to stop execution and get a debugger console
gem "byebug", platforms: [:mri, :mingw, :x64_mingw]
Expand Down
13 changes: 13 additions & 0 deletions config/initializers/rack_attack.rb
@@ -0,0 +1,13 @@
# Throttle login attempts
Rack::Attack.throttle("logins/ip", limit: 20, period: 1.hour) do |req|
req.ip if req.post? && req.path.start_with?("/users/sign_in")
end

# Throttle password reset attempts
Rack::Attack.throttle("password-reset-requests/ip", limit: 20, period: 1.hour) do |req|
req.ip if req.post? && req.path.start_with?("/users/password")
end

ActiveSupport::Notifications.subscribe("rack.attack") do |name, start, finish, request_id, req|
Rails.logger.info "Throttled #{req.env["rack.attack.match_discriminator"]}"
end

0 comments on commit 503a856

Please sign in to comment.