Align sign-up rate limits between API and Web UI

6 months ago · 34930e1a3e
parent 19a1acb38b
commit 34930e1a3e
2 changed files with 6 additions and 6 deletions
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@ -86,7 +86,7 @@ class Rack::Attack
    req.throttleable_remote_ip if req.path.start_with?('/media_proxy')
  end

-  throttle('throttle_api_sign_up', limit: 5, period: 30.minutes) do |req|
+  throttle('throttle_api_sign_up', limit: 15, period: 15.minutes) do |req|
    req.throttleable_remote_ip if req.post? && req.path == '/api/v1/accounts'
  end

@ -109,7 +109,7 @@ class Rack::Attack
    req.throttleable_remote_ip if req.post? && req.path == '/api/v1/apps'
  end

-  throttle('throttle_sign_up_attempts/ip', limit: 25, period: 5.minutes) do |req|
+  throttle('throttle_sign_up_attempts/ip', limit: 15, period: 15.minutes) do |req|
    req.throttleable_remote_ip if req.post? && req.path_matches?('/auth')
  end

--- a/spec/config/initializers/rack/attack_spec.rb
+++ b/spec/config/initializers/rack/attack_spec.rb
@ -74,8 +74,8 @@ describe Rack::Attack, type: :request do
  describe 'throttle excessive sign-up requests by IP address' do
    context 'when accessed through the website' do
      let(:throttle) { 'throttle_sign_up_attempts/ip' }
-      let(:limit)  { 25 }
-      let(:period) { 5.minutes }
+      let(:limit)  { 15 }
+      let(:period) { 15.minutes }
      let(:request) { -> { post path, headers: { 'REMOTE_ADDR' => remote_ip } } }

      context 'with exact path' do
@ -93,8 +93,8 @@ describe Rack::Attack, type: :request do

    context 'when accessed through the API' do
      let(:throttle) { 'throttle_api_sign_up' }
-      let(:limit)  { 5 }
-      let(:period) { 30.minutes }
+      let(:limit)  { 15 }
+      let(:period) { 15.minutes }
      let(:request) { -> { post path, headers: { 'REMOTE_ADDR' => remote_ip } } }

      context 'with exact path' do