Obfuscate filenames better, double rate limits

lolsob-rspec
Eugen Rochko 2017-03-14 15:59:21 +01:00
parent b6dff981a2
commit 453d65e6da
3 changed files with 8 additions and 4 deletions

View File

@ -13,6 +13,10 @@ module ObfuscateFilename
file = params.dig(*path)
return if file.nil?
file.original_filename = 'media' + File.extname(file.original_filename)
file.original_filename = secure_token + File.extname(file.original_filename)
end
def secure_token(length = 16)
SecureRandom.hex(length / 2)
end
end

View File

@ -1,6 +1,6 @@
class Rack::Attack
# Rate limits for the API
throttle('api', limit: 150, period: 5.minutes) do |req|
throttle('api', limit: 300, period: 5.minutes) do |req|
req.ip if req.path.match(/\A\/api\/v/)
end
@ -11,7 +11,7 @@ class Rack::Attack
headers = {
'X-RateLimit-Limit' => match_data[:limit].to_s,
'X-RateLimit-Remaining' => '0',
'X-RateLimit-Reset' => (now + (match_data[:period] - now.to_i % match_data[:period])).iso8601(6)
'X-RateLimit-Reset' => (now + (match_data[:period] - now.to_i % match_data[:period])).iso8601(6),
}
[429, headers, [{ error: 'Throttled' }.to_json]]

View File

@ -1,4 +1,4 @@
Push notifications
==================
**Note: This push notification design turned out to not be fully operational on the side of Firebase. A different approach is in consideration**
See <https://github.com/Gargron/tusky-api> for an example of how to create push notifications for a mobile app. It involves using the Mastodon streaming API on behalf of the app's users, as a sort of proxy.