trabajo-afectivo/config/initializers/rack_attack.rb

# Copyright (C) 2012-2022 Zammad Foundation, https://zammad-foundation.org/

#
# Throttle password reset requests
#
API_V1_USERS__PASSWORD_RESET_PATH = '/api/v1/users/password_reset'.freeze
Rack::Attack.throttle('limit password reset requests per username', limit: 3, period: 60) do |req|
  if req.path == API_V1_USERS__PASSWORD_RESET_PATH && req.post?
    # Normalize to protect against rate limit bypasses.
    req.params['username'].to_s.downcase.gsub(%r{\s+}, '')
  end
end
Rack::Attack.throttle('limit password reset requests per source IP address', limit: 3, period: 60) do |req|
  if req.path == API_V1_USERS__PASSWORD_RESET_PATH && req.post?
    req.ip
  end
end
Maintenance: Improved password reset handling. (cherry picked from commit 8ea7b6630951b603a97bd38128de3f915a549b4d) 2022-03-31 08:35:43 +00:00			`# Copyright (C) 2012-2022 Zammad Foundation, https://zammad-foundation.org/`

			`#`
			`# Throttle password reset requests`
			`#`
			`API_V1_USERS__PASSWORD_RESET_PATH = '/api/v1/users/password_reset'.freeze`
			`Rack::Attack.throttle('limit password reset requests per username', limit: 3, period: 60) do \|req\|`
			`if req.path == API_V1_USERS__PASSWORD_RESET_PATH && req.post?`
			`# Normalize to protect against rate limit bypasses.`
			`req.params['username'].to_s.downcase.gsub(%r{\s+}, '')`
			`end`
			`end`
			`Rack::Attack.throttle('limit password reset requests per source IP address', limit: 3, period: 60) do \|req\|`
			`if req.path == API_V1_USERS__PASSWORD_RESET_PATH && req.post?`
			`req.ip`
			`end`
			`end`