

commit: 15592f1abe117761b90846e02194a35982f3bebf
parent: b4f3c16885a489c40de82e5ef321caafa4b10c81
Author: Haelwenn <contact+git.pleroma.social@hacktivis.me>
Date:   Mon,  7 Oct 2019 09:16:42 +0000

Merge branch '1260-rate-limited-auth-actions' into 'develop'

[#1260] Rate-limiting for create authentication and related requests

Closes #1260

See merge request pleroma/pleroma!1681

Diffstat:

MCHANGELOG.md1+
Mconfig/config.exs2+-
Mconfig/description.exs9++++++++-
Mlib/pleroma/web/mongooseim/mongoose_im_controller.ex5+++++
Mlib/pleroma/web/oauth/oauth_controller.ex1+
5 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Mastodon API: Add `upload_limit`, `avatar_upload_limit`, `background_upload_limit`, and `banner_upload_limit` to `/api/v1/instance`
 - Mastodon API: Add `pleroma.unread_conversation_count` to the Account entity
 - OAuth: support for hierarchical permissions / [Mastodon 2.4.3 OAuth permissions](https://docs.joinmastodon.org/api/permissions/)
+- Authentication: Added rate limit for password-authorized actions / login existence checks
 ### Changed
 - **Breaking:** Elixir >=1.8 is now required (was >= 1.7)
diff --git a/config/config.exs b/config/config.exs
@@ -588,7 +588,7 @@ config :pleroma, :env, Mix.env()
 config :http_signatures, adapter: Pleroma.Signature
-config :pleroma, :rate_limit, nil
+config :pleroma, :rate_limit, authentication: {60_000, 15}
 config :pleroma, Pleroma.ActivityExpiration, enabled: true
diff --git a/config/description.exs b/config/description.exs
@@ -2290,7 +2290,8 @@ config :pleroma, :config_description, [
 group: :pleroma,
 key: :rate_limit,
 type: :group,
-description: "Rate limit settings. This is an advanced feature and disabled by default.",
+description:
+"Rate limit settings. This is an advanced feature enabled only for :authentication by default.",
 children: [
 %{
 key: :search,
@@ -2329,6 +2330,12 @@ config :pleroma, :config_description, [
 description: "for fav / unfav or reblog / unreblog actions on the same status by the same user",
 suggestions: [{1000, 10}, [{10_000, 10}, {10_000, 50}]]
+},
+%{
+key: :authentication,
+type: [:tuple, {:list, :tuple}],
+description: "for authentication create / password check / user existence check requests",
+suggestions: [{60_000, 15}]
 }
 ]
 },
diff --git a/lib/pleroma/web/mongooseim/mongoose_im_controller.ex b/lib/pleroma/web/mongooseim/mongoose_im_controller.ex
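Review bot: The new default `config :pleroma, :rate_limit, authentication: {60_000, 15}` is now active on every deployment, but nothing in the hunk says what the two numbers mean or what the bucket is keyed on; by analogy with the neighbouring `{1000, 10}` suggestions in description.exs this reads as a 60 000 ms window allowing 15 requests, presumably per client IP, but that should be confirmed against the RateLimiter plug and stated here. A one-line comment above the setting would save operators a trip into the plug: `# {scale_ms, limit}: at most 15 authentication-related requests per window (see Pleroma.Plugs.RateLimiter for how the bucket is keyed)`. If the limiter keys on the peer address, operators behind a reverse proxy need the real client IP forwarded correctly, otherwise all users share a single 15-per-minute bucket and legitimate logins will be refused; conversely an attacker spreading attempts over many addresses is not slowed by this default alone, so it complements rather than replaces per-account protections.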
@@ -4,10 +4,15 @@ defmodule Pleroma.Web.MongooseIM.MongooseIMController do
 use Pleroma.Web, :controller
+alias Comeonin.Pbkdf2
+alias Pleroma.Plugs.RateLimiter
 alias Pleroma.Repo
 alias Pleroma.User
+plug(RateLimiter, :authentication when action in [:user_exists, :check_password])
+plug(RateLimiter, {:authentication, params: ["user"]} when action == :check_password)
+
 def user_exists(conn, %{"user" => username}) do
 with %User{} <- Repo.get_by(User, nickname: username, local: true) do
 conn
diff --git a/lib/pleroma/web/oauth/oauth_controller.ex b/lib/pleroma/web/oauth/oauth_controller.ex
@@ -24,6 +24,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
 plug(:fetch_session)
 plug(:fetch_flash)
+plug(Pleroma.Plugs.RateLimiter, :authentication when action == :create_authorization)
 action_fallback(Pleroma.Web.OAuth.FallbackController)
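Review bot: Both `plug(RateLimiter, ...)` lines draw on the same `:authentication` budget that this commit sets to `{60_000, 15}` in config.exs, and the first one covers `user_exists` and `check_password` together; if that bucket is keyed on the caller's IP, as the second `params: ["user"]` variant suggests by contrast, a single MongooseIM host that authenticates many XMPP clients will exhaust 15 requests per minute across all of its users, with each login plausibly costing two requests (existence check plus password check). That deserves either a dedicated bucket name for this controller or a comment above the plugs saying the limit is shared and what operators fronting a busy XMPP server should raise, e.g. `# Shares the :authentication bucket with the OAuth login path; MongooseIM calls these on behalf of every XMPP client, so raise the limit if one XMPP host serves many users`. The added `alias Comeonin.Pbkdf2` has no use in the visible lines; `check_password` lies outside the hunk, so I assume it is used there, but if not it should be dropped rather than left as a dead alias. The body of `user_exists` continues past the end of the hunk.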
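Review bot: `create_authorization` gets only the plain `:authentication` limiter, whereas the MongooseIM controller in the same commit adds a second `{:authentication, params: ["user"]}` limiter on its password-checking action; without a per-account bucket, an attacker rotating source addresses can keep hammering one account's password here while staying under the per-source limit. Mirroring the other controller with a second plug keyed on whatever parameter carries the username in this action, `plug(Pleroma.Plugs.RateLimiter, {:authentication, params: [...]} when action == :create_authorization)` with the right key path filled in, would close that asymmetry. The `when action == :create_authorization` guard also means any other action in this controller that accepts a password (a password grant in token exchange, if this controller has one — it is outside the hunk) remains unlimited and should be added to the guard or given its own plug. The rest of the module lies outside the hunk.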