diff --git a/app/controllers/concerns/rate_limit_headers.rb b/app/controllers/concerns/rate_limit_headers.rb index ac9b58f5dfb..b79c558d815 100644 --- a/app/controllers/concerns/rate_limit_headers.rb +++ b/app/controllers/concerns/rate_limit_headers.rb @@ -44,8 +44,8 @@ module RateLimitHeaders end def api_throttle_data - request.env['rack.attack.throttle_data']['throttle_authenticated_api'] || - request.env['rack.attack.throttle_data']['throttle_unauthenticated_api'] + most_limited_type, = request.env['rack.attack.throttle_data'].min_by { |_, v| v[:limit] } + request.env['rack.attack.throttle_data'][most_limited_type] end def request_time diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb index 41db769293d..b38fb302b2e 100644 --- a/config/initializers/rack_attack.rb +++ b/config/initializers/rack_attack.rb @@ -49,8 +49,8 @@ class Rack::Attack req.api_request? && req.authenticated_user_id end - throttle('throttle_unauthenticated_api', limit: 300, period: 5.minutes) do |req| - req.ip if req.api_request? && req.unauthenticated? + throttle('throttle_unauthenticated_api', limit: 7_500, period: 5.minutes) do |req| + req.ip if req.api_request? end throttle('protected_paths', limit: 5, period: 5.minutes) do |req|