chore: Rate limits on widget conversation endpoints (#3162)

- Limit widget conversation creation to 6 per 12 hours - Enable rack attack by default
2021-10-07 18:06:43 +05:30 · 2021-10-07 18:06:43 +05:30 · 8c192559fe
commit 8c192559fe
parent 700721ea6d
2 changed files with 12 additions and 2 deletions
--- a/.env.example
+++ b/.env.example
@ -169,7 +169,7 @@ USE_INBOX_AVATAR_FOR_BOT=true

 ## Rack Attack configuration
 ## To prevent and throttle abusive requests
-# ENABLE_RACK_ATTACK=false
+# ENABLE_RACK_ATTACK=true


 ## Running chatwoot as an API only server
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@ -52,6 +52,16 @@ class Rack::Attack
    req.ip if req.path == '/api/v1/accounts' && req.post?
  end

+  ## Prevent Conversation Bombing on Widget APIs ###
+  throttle('api/v1/widget/conversations', limit: 6, period: 12.hours) do |req|
+    req.ip if req.path == '/api/v1/widget/conversations' && req.post?
+  end
+
+  ## Prevent Contact update Bombing in Widget API ###
+  throttle('api/v1/widget/contacts', limit: 60, period: 1.hour) do |req|
+    req.ip if req.path == '/api/v1/widget/contacts' && (req.patch? || req.put?)
+  end
+
  # ref: https://github.com/rack/rack-attack/issues/399
  throttle('login/email', limit: 20, period: 5.minutes) do |req|
    if req.path == '/auth/sign_in' && req.post?
@ -75,4 +85,4 @@ ActiveSupport::Notifications.subscribe('throttle.rack_attack') do |_name, _start
  Rails.logger.info "[Rack::Attack][Blocked] remote_ip: \"#{payload[:request].remote_ip}\", path: \"#{payload[:request].path}\""
 end

-Rack::Attack.enabled = ActiveModel::Type::Boolean.new.cast(ENV.fetch('ENABLE_RACK_ATTACK', false))
+Rack::Attack.enabled = ActiveModel::Type::Boolean.new.cast(ENV.fetch('ENABLE_RACK_ATTACK', true))