Add rack-attack throttler for all logins

We have built-in brute-force protection for built-in users. When users
are being created from LDAP on-the-fly, these limits cannot apply, as we
do not have a user object yet.

Instead, we can provide a more generous throttler to block attempts
Oliver Günther
2026-05-29 09:07:41 +02:00
parent 33198e8d68
commit b5350cccf7
6 changed files with 217 additions and 18 deletions
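The idea in the commit message, as an added example that is not OpenProject's code: a throttle for login attempts that needs no user record (an LDAP user only exists after a successful bind), so it is keyed on client IP plus the submitted login, and a single responder that branches on the name of the matched rule the way the commit branches on `env["rack.attack.matched"]`. It is written against the Rack env directly so it runs without the rack-attack gem; the rule names, the `/login` path, the forbidden-route patterns, the `username` field and the limit of 5 attempts per 60 seconds are all assumptions for the example.

```ruby
require 'cgi'
require 'stringio'

# Added example, not OpenProject's code: a minimal stand-in for a Rack::Attack
# login throttle plus the responder that dispatches on the matched rule name
# (what the commit reads from env["rack.attack.matched"]). Because LDAP users
# only get a user record after a successful bind, the throttle is keyed on the
# client IP and the submitted login, not on a user object. The rule names,
# paths, limit and period below are assumptions for the example.
class LoginRateLimiter
  FORBIDDEN_ROUTE  = 'block forbidden routes'            # name shared by blocklist and responder
  LOGIN_THROTTLE   = 'throttle logins'
  LOGIN_PATH       = '/login'                            # assumed login endpoint
  FORBIDDEN_ROUTES = [%r{\A/\.git}, %r{\A/\.env}].freeze # assumed forbidden paths

  def initialize(limit: 5, period: 60)
    @limit    = limit                          # attempts allowed per window
    @period   = period                         # window length in seconds
    @attempts = Hash.new { |h, k| h[k] = [] }  # key => timestamps of attempts
  end

  # Returns a Rack triple when the request is blocked or throttled, nil when it
  # may proceed. `now` is injectable so the window logic is testable.
  def call(env, now: Time.now)
    matched = match(env, now)
    matched && respond(matched)
  end

  # Evaluates the rules in order; the first hit wins, like Rack::Attack.
  def match(env, now)
    path = env['PATH_INFO'].to_s
    return FORBIDDEN_ROUTE if FORBIDDEN_ROUTES.any? { |re| re.match?(path) }
    return nil unless env['REQUEST_METHOD'] == 'POST' && path == LOGIN_PATH

    bucket = @attempts[throttle_key(env)]
    bucket.reject! { |t| t <= now - @period }  # drop attempts outside the sliding window
    bucket << now
    bucket.size > @limit ? LOGIN_THROTTLE : nil
  end

  # Route blocklist answers 404 so probes learn nothing; everything else is a
  # rate-limit response with Retry-After, mirroring the commit's two branches.
  def respond(matched)
    if matched == FORBIDDEN_ROUTE
      [404, { 'content-type' => 'text/plain' }, ['Not found']]
    else
      [429, { 'content-type' => 'text/plain', 'retry-after' => @period.to_s },
       ['Too many login attempts']]
    end
  end

  # Constructed Rack env for the demo and tests (no real request involved).
  def self.env_for(method, path, ip, form = nil)
    env = { 'REQUEST_METHOD' => method, 'PATH_INFO' => path, 'REMOTE_ADDR' => ip }
    env['rack.input'] = StringIO.new(form) if form
    env
  end

  def self.login_env(ip, username)
    env_for('POST', LOGIN_PATH, ip, "username=#{CGI.escape(username)}&password=x")
  end

  private

  # IP plus normalised login name: one IP cannot hammer one account, and an
  # attacker cannot dodge the limit by changing the case of the username.
  def throttle_key(env)
    body = env['rack.input']
    raw  = body ? body.read.to_s : ''
    body&.rewind # leave the body readable for the application downstream
    login = CGI.parse(raw).fetch('username', ['']).first.to_s.strip.downcase
    "#{env['REMOTE_ADDR']}|#{login}"
  end
end

if $PROGRAM_NAME == __FILE__
  limiter = LoginRateLimiter.new(limit: 5, period: 60)
  t0 = Time.at(1_700_000_000)
  6.times do |i|
    res = limiter.call(LoginRateLimiter.login_env('10.0.0.1', 'Alice'), now: t0 + i)
    puts "attempt #{i + 1}: #{res ? res[0] : 'allowed'}"
  end
end
```

Two things to carry over into a real rack-attack configuration: behind a reverse proxy `REMOTE_ADDR` is the proxy, so the key has to use the client address the proxy is trusted to set, and the bucket store must be shared (the Rails cache, Redis) rather than in-process, or each app worker gets its own generous limit.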
+9 -3
@@ -40,9 +40,15 @@ Rails.application.reloader.to_prepare do
regex.any? { |i| i =~ req.path }
end
Rack::Attack.blocklisted_responder = lambda do |_env|
# All blacklisted routes would return a 404.
[404, {}, ["Not found"]]
# Route blocklist returns 404.
# All other blocklists (for example, login ban)
# use the RateLimiting dispatcher set up by set_defaults!
Rack::Attack.blocklisted_responder = lambda do |request|
if request.env["rack.attack.matched"] == "block forbidden routes"
[404, {}, ["Not found"]]
else
OpenProject::RateLimiting.blocklisted_response(request)
end
end
end
end
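Review bot: the branch on `request.env["rack.attack.matched"] == "block forbidden routes"` in the new responder couples the 404 path to a blocklist name that is declared elsewhere as a bare string; if that blocklist is ever renamed, every forbidden-route hit silently falls through to `OpenProject::RateLimiting.blocklisted_response(request)` instead of returning 404, and nothing in this hunk would catch it. Suggest defining the name once (e.g. a constant next to the `Rack::Attack.blocklist` declaration) and using it both there and in this comparison. Separately, the comment says the other blocklists use the dispatcher "set up by set_defaults!", but nothing in this hunk shows that `set_defaults!` runs before this responder can be invoked inside the `to_prepare` block; a short comment on the ordering, or a guard that fails loudly when the dispatcher is not configured, would make the dependency explicit.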