70e293ba94
This also fixes CVE-2024-0227 for 2FA brute force See: https://blog.inhq.net/posts/totp-CVE-2024-0227/
26 lines
692 B
Ruby
26 lines
692 B
Ruby
# frozen_string_literal: true
|
|
|
|
module Rack
|
|
class Attack
|
|
class Request
|
|
def throttleable_ip
|
|
parsed = IPAddr.new(ip)
|
|
|
|
if parsed.ipv6? && !parsed.ipv4_mapped?
|
|
# Throttle all requests from the same /64 IPv6 subnet
|
|
parsed.mask(64)
|
|
else
|
|
parsed
|
|
end.to_s
|
|
end
|
|
end
|
|
|
|
throttle("logins/ip", limit: 20, period: 5.minutes) do |req|
|
|
req.throttleable_ip if req.post? && req.path.start_with?("/users/sign_in")
|
|
end
|
|
|
|
throttle("otp/user_id", limit: 20, period: 1.hour) do |req|
|
|
req.session[:otp_user_id] if req.post? && req.path.start_with?("/users/sign_in") && req.session[:otp_user_id]
|
|
end
|
|
end
|
|
end
|