From c6c465c273037fd2c1f02360e647366834ab0cde Mon Sep 17 00:00:00 2001
From: kolaente
Date: Tue, 28 Nov 2023 22:27:22 +0100
Subject: [PATCH] feat: make unauthenticated user routes rate limit configurable
---
 config.yml.sample | 4 ++++
 docs/content/doc/setup/config.md | 13 +++++++++++++
 pkg/config/config.go | 12 +++++++-----
 pkg/routes/routes.go | 2 +-
 4 files changed, 25 insertions(+), 6 deletions(-)
diff --git a/config.yml.sample b/config.yml.sample
index 954118d9cd4..578f349e88a 100644
--- a/config.yml.sample
+++ b/config.yml.sample
@@ -191,6 +191,10 @@ ratelimit:
 # Possible values are "keyvalue", "memory" or "redis".
 # When choosing "keyvalue" this setting follows the one configured in the "keyvalue" section.
 store: keyvalue
+ # The number of requests a user can make from the same IP to all unauthenticated routes (login, register, # password confirmation, email verification, password reset request) per minute. This limit cannot be disabled. # You should only change this if you know what you're doing.
+ noauthlimit: 10
 files:
 # The path where files are stored
diff --git a/docs/content/doc/setup/config.md b/docs/content/doc/setup/config.md
index b1030685077..dc71c8a88ca 100644
--- a/docs/content/doc/setup/config.md
+++ b/docs/content/doc/setup/config.md
@@ -969,6 +969,19 @@ Full path: `ratelimit.store`
 Environment path: `VIKUNJA_RATELIMIT_STORE`
+### noauthlimit
+
+The number of requests a user can make from the same IP to all unauthenticated routes (login, register, password confirmation, email verification, password reset request) per minute. This limit cannot be disabled. You should only change this if you know what you're doing.
+
+Default: `10`
+
+Full path: `ratelimit.noauthlimit`
+
+Environment path: `VIKUNJA_RATELIMIT_NOAUTHLIMIT`
+
+
 ---
 ## files
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 50e93e0aaf0..467e438640f 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -122,11 +122,12 @@ const (
 LogMail Key = `log.mail`
 LogMailLevel Key = `log.maillevel`
- RateLimitEnabled Key = `ratelimit.enabled`
- RateLimitKind Key = `ratelimit.kind`
- RateLimitPeriod Key = `ratelimit.period`
- RateLimitLimit Key = `ratelimit.limit`
- RateLimitStore Key = `ratelimit.store`
+ RateLimitEnabled Key = `ratelimit.enabled`
+ RateLimitKind Key = `ratelimit.kind`
+ RateLimitPeriod Key = `ratelimit.period`
+ RateLimitLimit Key = `ratelimit.limit`
+ RateLimitStore Key = `ratelimit.store`
+ RateLimitNoAuthRoutesLimit Key = `ratelimit.noauthlimit`
 FilesBasePath Key = `files.basepath`
 FilesMaxSize Key = `files.maxsize`
@@ -367,6 +368,7 @@ func InitDefaultConfig() {
 RateLimitLimit.setDefault(100)
 RateLimitPeriod.setDefault(60)
 RateLimitStore.setDefault("memory")
+ RateLimitNoAuthRoutesLimit.setDefault(10)
 // Files
 FilesBasePath.setDefault("files")
 FilesMaxSize.setDefault("20MB")
diff --git a/pkg/routes/routes.go b/pkg/routes/routes.go
index 318e4b9a48d..e9133c8e1ba 100644
--- a/pkg/routes/routes.go
+++ b/pkg/routes/routes.go
@@ -246,7 +246,7 @@ func registerAPIRoutes(a *echo.Group) {
 ur := a.Group("")
 rate := limiter.Rate{
 Period: 60 * time.Second,
- Limit: 10,
+ Limit: config.RateLimitNoAuthRoutesLimit.GetInt64(),
 }
 rateLimiter := createRateLimiter(rate)
 ur.Use(RateLimit(rateLimiter, "ip"))
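Review bot: `RateLimitNoAuthRoutesLimit` is added to the key block without a comment, and its unit is not obvious from the key name `ratelimit.noauthlimit`: the value is consumed in routes.go as requests per fixed 60-second window (`Period: 60 * time.Second` is hard-coded there), so it does not follow the configurable `ratelimit.period` that governs `RateLimitLimit`. A reader of config.go alone will assume the two limits share a period. Suggest adding `// RateLimitNoAuthRoutesLimit is the number of requests per IP per minute allowed on unauthenticated routes; the 60s window is fixed and does not follow ratelimit.period.` above the new constant. The `const (` block starts and ends outside the hunk.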
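Review bot: The new `Limit` takes `config.RateLimitNoAuthRoutesLimit.GetInt64()` without checking that it is positive, so a `0` or negative value from the config file or environment (including an unparsable value, if the config layer maps that to 0) is passed straight into `limiter.Rate`. Depending on how the limiter treats a non-positive limit, that either rejects every request to login, register and password reset — locking all users out — or removes the limit that the sample config and docs in this same commit say cannot be disabled. Guard it before building the rate: `limit := config.RateLimitNoAuthRoutesLimit.GetInt64()`, `if limit <= 0 { limit = 10 }`, then `Limit: limit,`, ideally with a warning through the project's logger (not visible in this hunk) so the misconfiguration is noticed. `registerAPIRoutes` starts and ends outside the hunk.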