Rack-attack ignores namespacing #86

Closed
erem-ifg opened this issue Sep 12, 2014 · 4 comments

Comments

@erem-ifg

Hi,

I'm using redis-namespace (https://github.com/resque/redis-namespace) to keep my keys in separate namespaces.

I configured Rack-Attack to use my configuration of redis:

Rails.configuration.custom.cache_store_config = :redis_store,
  "redis://#{Rails.configuration.custom.config_redis['url']}:#{Rails.configuration.custom.config_redis['port']}",
  { expires_in: 48.hours, namespace:  Rails.configuration.custom.redis_namespace}
...
Rack::Attack.cache.store = ActiveSupport::Cache.lookup_store(Rails.configuration.custom.cache_store_config)

I'm using allow2ban to prevent bots from hitting my login pages:

Rack::Attack.blacklist('allow2ban scrapers') do |req|
  Rack::Attack::Allow2Ban.filter(req.ip, :maxretry => 20, :findtime => 1.minute, :bantime => 1.hour) do
    # Paths whose requests count toward the ban, with the HTTP method that must match
    protected_paths = {
      '/sign_in' => { 'method' => 'post' },
      ...
    }

    # First protected glob that matches the request path
    p_path = protected_paths.keys.detect { |p| File.fnmatch(p, req.path) }
    # Count the request only if the method matches too (e.g. req.post?)
    p_path.present? && req.public_send((protected_paths[p_path]['method'] + '?').to_sym)
  end
end

These keys are created in the redis store:

127.0.0.1:6379> keys '*'
3) "rack::attack:allow2ban:ban:127.0.0.1"
4) "development/c5308:rack::attack:23508850:allow2ban:count:127.0.0.1"

Number 3 is not namespaced, but the second is.

Plus, when looking for the expiration time, here is what I get:

127.0.0.1:6379> TTL "rack::attack:allow2ban:ban:127.0.0.1"
(integer) 3175
127.0.0.1:6379> TTL "development/c5308:rack::attack:23508850:allow2ban:count:127.0.0.1"
(integer) -1

The second has no expiration date though the same command is sent to Redis.

Ever heard of this behaviour?

Thanks,

@ktheory
Collaborator

ktheory commented Sep 12, 2014

You can set the rack attack key prefix like so:

Rack::Attack.cache.prefix = 'my_app'

Not sure why two different keys are getting created.

@erem-ifg
Author

I cleared the cache before:

1) "my_app:allow2ban:ban:127.0.0.1"
2) "development/c5308:my_app:23508888:allow2ban:count:127.0.0.1"

I think it's because of the initializer:

Rack::Attack.cache.store = ActiveSupport::Cache.lookup_store(Rails.configuration.custom.cache_store_config)

Somehow it initializes too late and takes the namespace into consideration only now.

@erem-ifg
Author

Here is some input:

When I replace:

self.setex(key, expires_in, value)

with:

self.set(key, value)
self.expire(key, expires_in)

This is what I get:

127.0.0.1:6379> keys '*'
1) "development/c5308:my_app:allow2ban:ban:127.0.0.1"
2) "development/c5308:my_app:23508906:allow2ban:count:127.0.0.1"

But the expiration times are not set:

127.0.0.1:6379> get "development/c5308:my_app:allow2ban:ban:127.0.0.1"
"\x04\bi\x06" (weird value here)
127.0.0.1:6379> ttl "development/c5308:my_app:allow2ban:ban:127.0.0.1"
(integer) -1
127.0.0.1:6379> get "development/c5308:my_app:23508909:allow2ban:count:127.0.0.1"
"20"
127.0.0.1:6379> ttl "development/c5308:my_app:23508909:allow2ban:count:127.0.0.1"
(integer) -1

@erem-ifg
Author

Okay, redis-namespace gave me a hard time.
Here is what I did:

# Remove the namespace options
cache_store_config = :redis_store,
  "redis://#{Rails.configuration.custom.config_redis['url']}:#{Rails.configuration.custom.config_redis['port']}"
Rack::Attack.cache.store = ActiveSupport::Cache.lookup_store(cache_store_config)
# Add it back to rack-attack prefix
Rack::Attack.cache.prefix = Rails.configuration.custom.redis_namespace + ':rack:attack'

Thanks @mtparet @ktheory
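The split the thread describes, and the check the reporter ran by hand with `KEYS` and `TTL`, as an added example that is not code from the thread, rack-attack or redis-namespace. It uses an in-memory Redis double plus a namespacing wrapper that prefixes only the commands it knows and forwards the rest untouched (an assumed model of the behaviour, not the real gem's implementation); `NS`, `FakeRedis`, `NamespacedRedis` and `audit` are names chosen here.

```ruby
# In-memory stand-in for Redis: just enough for SET/SETEX/EXPIRE/TTL/KEYS.
class FakeRedis
  def initialize; @data = {}; @ttl = {}; end
  def set(k, v)            @data[k] = v; @ttl.delete(k); 'OK' end
  def setex(k, secs, v)    @data[k] = v; @ttl[k] = secs;  'OK' end
  def expire(k, secs)      @data.key?(k) ? (@ttl[k] = secs; true) : false end
  def ttl(k)               @data.key?(k) ? @ttl.fetch(k, -1) : -2 end  # -1: no expiry
  def keys(_pattern = '*') @data.keys.sort end
end

# Assumed model of a namespacing layer: known commands get the prefix,
# anything else (here SETEX) is passed straight through with the raw key.
class NamespacedRedis
  KNOWN = %i[set get expire ttl].freeze
  def initialize(redis, ns); @redis = redis; @ns = ns; end
  def method_missing(cmd, *args)
    args = args.dup
    args[0] = "#{@ns}:#{args[0]}" if KNOWN.include?(cmd)
    @redis.public_send(cmd, *args)
  end
  def respond_to_missing?(*); true; end
end

NS = 'development/c5308'  # namespace from the thread

# Audit a key dump: every rack-attack key must sit under the namespace and carry a TTL.
def audit(redis, namespace:, marker: 'allow2ban')
  redis.keys.select { |k| k.include?(marker) }.map do |k|
    problems = []
    problems << :outside_namespace unless k.start_with?("#{namespace}:")
    problems << :no_expiry if redis.ttl(k) == -1
    [k, problems]
  end.to_h
end

# What the ban filter writes: the ban key via SETEX, the counter via SET + EXPIRE.
def write_ban_and_count(store, prefix)
  store.setex("#{prefix}:allow2ban:ban:127.0.0.1", 3600, 1)
  store.set("#{prefix}:allow2ban:count:127.0.0.1", 20)
  store.expire("#{prefix}:allow2ban:count:127.0.0.1", 60)
end

def broken   # namespace applied by the store wrapper: SETEX escapes it
  raw = FakeRedis.new
  write_ban_and_count(NamespacedRedis.new(raw, NS), 'rack::attack')
  audit(raw, namespace: NS)
end

def fixed    # the thread's fix: unwrapped store, namespace carried by the prefix
  raw = FakeRedis.new
  write_ban_and_count(raw, "#{NS}:rack:attack")
  audit(raw, namespace: NS)
end
```

`broken` flags the ban key as `:outside_namespace` while the counter is fine; `fixed` reports no problems for either key.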
