Adding OAuth access scopes, fixing OAuth authorization UI, adding rate limiting

to the API
2016-10-22 19:38:47 +02:00
parent 17122df80d
commit a9e40a3d80
26 changed files with 195 additions and 99 deletions
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@ -12,7 +12,7 @@ Rails.application.configure do

  # Full error reports are disabled and caching is turned on.
  config.consider_all_requests_local       = false
-  config.action_controller.perform_caching = false
+  config.action_controller.perform_caching = true

  # Disable serving static files from the `/public` folder by default since
  # Apache or NGINX already handles this.
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
@ -50,8 +50,8 @@ Doorkeeper.configure do
  # Define access token scopes for your provider
  # For more information go to
  # https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes
-  # default_scopes  :public
-  # optional_scopes :write, :follow
+  default_scopes  :read
+  optional_scopes :write, :follow

  # Change the way client credentials are retrieved from the request object.
  # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
--- a/config/initializers/rabl_init.rb
+++ b/config/initializers/rabl_init.rb
@ -1,5 +1,5 @@
 Rabl.configure do |config|
-  config.cache_all_output  = true
+  config.cache_all_output  = false
  config.cache_sources     = !!Rails.env.production?
  config.include_json_root = false
  config.view_paths        = [Rails.root.join('app/views')]
--- a/config/initializers/rack-attack.rb
+++ b/config/initializers/rack-attack.rb
@ -1,9 +1,19 @@
 class Rack::Attack
-  throttle('get-req/ip', limit: 300, period: 5.minutes) do |req|
-    req.ip if req.get?
+  # Rate limits for the API
+  throttle('api', limit: 150, period: 5.minutes) do |req|
+    req.ip if req.path.match(/\A\/api\//)
  end

-  throttle('post-req/ip', limit: 100, period: 5.minutes) do |req|
-    req.ip if req.post?
+  self.throttled_response = lambda do |env|
+    now        = Time.now.utc
+    match_data = env['rack.attack.match_data']
+
+    headers = {
+      'X-RateLimit-Limit'     => match_data[:limit].to_s,
+      'X-RateLimit-Remaining' => '0',
+      'X-RateLimit-Reset'     => (now + (match_data[:period] - now.to_i % match_data[:period])).to_s
+    }
+
+    [429, headers, [{ error: 'Throttled' }.to_json]]
  end
 end
--- a/config/locales/doorkeeper.en.yml
+++ b/config/locales/doorkeeper.en.yml
@ -15,6 +15,10 @@ en:
              secured_uri: 'must be an HTTPS/SSL URI.'

  doorkeeper:
+    scopes:
+      read: read your account's data
+      write: post on your behalf
+      follow: follow, block, unblock and unfollow accounts
    applications:
      confirmations:
        destroy: 'Are you sure?'
--- a/config/routes.rb
+++ b/config/routes.rb
@ -7,7 +7,9 @@ Rails.application.routes.draw do
    mount Sidekiq::Web => '/sidekiq'
  end

-  use_doorkeeper
+  use_doorkeeper do
+    controllers authorizations: 'oauth/authorizations'
+  end

  get '.well-known/host-meta', to: 'xrd#host_meta', as: :host_meta
  get '.well-known/webfinger', to: 'xrd#webfinger', as: :webfinger