mirror of
https://github.com/penpot/penpot.git
synced 2025-01-24 15:39:50 -05:00
🎉 Add ratelimit for login handler.
Will prevent DOS on executing resource demanding handler such as login.
This commit is contained in:
parent
a8f84aa93d
commit
2420f7de9e
3 changed files with 68 additions and 2 deletions
|
@ -27,6 +27,9 @@
|
|||
io.vertx/vertx-pg-client {:mvn/version "3.8.4"}
|
||||
;; end verx deps
|
||||
|
||||
io.github.resilience4j/resilience4j-core {:mvn/version "1.2.0"}
|
||||
io.github.resilience4j/resilience4j-ratelimiter {:mvn/version "1.2.0"}
|
||||
|
||||
lambdaisland/uri {:mvn/version "1.1.0"}
|
||||
|
||||
danlentz/clj-uuid {:mvn/version "0.1.9"}
|
||||
|
|
|
@ -16,6 +16,7 @@
|
|||
[uxbox.http.session :as session]
|
||||
[uxbox.http.handlers :as handlers]
|
||||
[uxbox.http.debug :as debug]
|
||||
[uxbox.http.ratelimit :as rl]
|
||||
[uxbox.http.ws :as ws]
|
||||
[vertx.core :as vc]
|
||||
[vertx.http :as vh]
|
||||
|
@ -44,6 +45,18 @@
|
|||
interceptors/format-response-body
|
||||
(vxi/errors errors/handle)]
|
||||
|
||||
login-handler (rl/ratelimit handlers/login-handler
|
||||
{:limit 10
|
||||
:period 1000
|
||||
:timeout 200
|
||||
:name "login-handler"})
|
||||
|
||||
echo-handler (rl/ratelimit handlers/echo-handler
|
||||
{:limit 100
|
||||
:period 1000
|
||||
:timeout 1000
|
||||
:name "echo-handler"})
|
||||
|
||||
routes [["/sub/:file-id" {:interceptors [(vxi/cookies)
|
||||
(vxi/cors cors-opts)
|
||||
interceptors/format-response-body
|
||||
|
@ -51,8 +64,8 @@
|
|||
:get ws/handler}]
|
||||
|
||||
["/api" {:interceptors interceptors}
|
||||
["/echo" {:all handlers/echo-handler}]
|
||||
["/login" {:post handlers/login-handler}]
|
||||
["/echo" {:all echo-handler}]
|
||||
["/login" {:post login-handler}]
|
||||
["/logout" {:post handlers/logout-handler}]
|
||||
["/register" {:post handlers/register-handler}]
|
||||
["/debug"
|
||||
|
|
50
backend/src/uxbox/http/ratelimit.clj
Normal file
50
backend/src/uxbox/http/ratelimit.clj
Normal file
|
@ -0,0 +1,50 @@
|
|||
;; This Source Code Form is subject to the terms of the Mozilla Public
|
||||
;; License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
;;
|
||||
;; This Source Code Form is "Incompatible With Secondary Licenses", as
|
||||
;; defined by the Mozilla Public License, v. 2.0.
|
||||
;;
|
||||
;; Copyright (c) 2016-2019 Andrey Antukh <niwi@niwi.nz>
|
||||
|
||||
(ns uxbox.http.ratelimit
|
||||
"Rate limit"
|
||||
(:require
|
||||
[clojure.spec.alpha :as s]
|
||||
[uxbox.common.exceptions :as ex]
|
||||
[uxbox.core :refer [system]]
|
||||
[vertx.core :as vc]
|
||||
[promesa.core :as p]
|
||||
[promesa.exec :as pe])
|
||||
(:import
|
||||
io.github.resilience4j.ratelimiter.RateLimiter
|
||||
io.github.resilience4j.ratelimiter.RateLimiterConfig
|
||||
io.github.resilience4j.ratelimiter.RateLimiterRegistry
|
||||
java.util.concurrent.CompletableFuture
|
||||
java.util.function.Supplier
|
||||
java.time.Duration))
|
||||
|
||||
;; --- Rate Limiter
|
||||
|
||||
(def ^:private registry (RateLimiterRegistry/ofDefaults))
|
||||
|
||||
(defn- opts->rate-limiter-config
|
||||
[{:keys [limit period timeout] :as opts}]
|
||||
(let [custom (RateLimiterConfig/custom)]
|
||||
(.limitRefreshPeriod custom (Duration/ofMillis period))
|
||||
(.limitForPeriod custom limit)
|
||||
(.timeoutDuration custom (Duration/ofMillis timeout))
|
||||
(.build custom)))
|
||||
|
||||
(defn ratelimit
|
||||
[f {:keys [name] :as opts}]
|
||||
(let [config (opts->rate-limiter-config opts)
|
||||
rl (.rateLimiter registry name config)]
|
||||
(fn [& args]
|
||||
(let [ctx (vc/get-or-create-context system)]
|
||||
(-> (pe/run! #(when-not (.acquirePermission rl 1)
|
||||
(ex/raise :type :ratelimit
|
||||
:code :timeout
|
||||
:context {:name name})))
|
||||
(vc/handle-on-context)
|
||||
(p/bind (fn [_] (p/do! (apply f args)))))))))
|
Loading…
Add table
Reference in a new issue