feat: make unauthenticated user routes rate limit configurable

2023-11-28 22:27:22 +01:00 · 2023-11-28 22:27:22 +01:00 · c6c465c273
parent f26f1326ea
commit c6c465c273
4 changed files with 25 additions and 6 deletions
--- a/config.yml.sample
+++ b/config.yml.sample
@ -191,6 +191,10 @@ ratelimit:
  # Possible values are "keyvalue", "memory" or "redis".
  # When choosing "keyvalue" this setting follows the one configured in the "keyvalue" section.
  store: keyvalue
+  # The number of requests a user can make from the same IP to all unauthenticated routes (login, register, 
+  # password confirmation, email verification, password reset request) per minute. This limit cannot be disabled.
+  # You should only change this if you know what you're doing.
+  noauthlimit: 10

 files:
  # The path where files are stored
--- a/docs/content/doc/setup/config.md
+++ b/docs/content/doc/setup/config.md
@ -969,6 +969,19 @@ Full path: `ratelimit.store`
 Environment path: `VIKUNJA_RATELIMIT_STORE`


+### noauthlimit
+
+The number of requests a user can make from the same IP to all unauthenticated routes (login, register, 
+password confirmation, email verification, password reset request) per minute. This limit cannot be disabled.
+You should only change this if you know what you're doing.
+
+Default: `10`
+
+Full path: `ratelimit.noauthlimit`
+
+Environment path: `VIKUNJA_RATELIMIT_NOAUTHLIMIT`
+
+
 ---

 ## files
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@ -122,11 +122,12 @@ const (
 	LogMail          Key = `log.mail`
 	LogMailLevel     Key = `log.maillevel`

-	RateLimitEnabled Key = `ratelimit.enabled`
-	RateLimitKind    Key = `ratelimit.kind`
-	RateLimitPeriod  Key = `ratelimit.period`
-	RateLimitLimit   Key = `ratelimit.limit`
-	RateLimitStore   Key = `ratelimit.store`
+	RateLimitEnabled           Key = `ratelimit.enabled`
+	RateLimitKind              Key = `ratelimit.kind`
+	RateLimitPeriod            Key = `ratelimit.period`
+	RateLimitLimit             Key = `ratelimit.limit`
+	RateLimitStore             Key = `ratelimit.store`
+	RateLimitNoAuthRoutesLimit Key = `ratelimit.noauthlimit`

 	FilesBasePath Key = `files.basepath`
 	FilesMaxSize  Key = `files.maxsize`
@ -367,6 +368,7 @@ func InitDefaultConfig() {
 	RateLimitLimit.setDefault(100)
 	RateLimitPeriod.setDefault(60)
 	RateLimitStore.setDefault("memory")
+	RateLimitNoAuthRoutesLimit.setDefault(10)
 	// Files
 	FilesBasePath.setDefault("files")
 	FilesMaxSize.setDefault("20MB")
--- a/pkg/routes/routes.go
+++ b/pkg/routes/routes.go
@ -246,7 +246,7 @@ func registerAPIRoutes(a *echo.Group) {
 	ur := a.Group("")
 	rate := limiter.Rate{
 		Period: 60 * time.Second,
-		Limit:  10,
+		Limit:  config.RateLimitNoAuthRoutesLimit.GetInt64(),
 	}
 	rateLimiter := createRateLimiter(rate)
 	ur.Use(RateLimit(rateLimiter, "ip"))