Make Throttling Configurable (#361)

* Make Throttling Configurable

* Newlines at end of file

Author: pglombardo

Gemfile

@@ -95,8 +95,6 @@ gem 'net-smtp'
 gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby]
 
 group :production do
-  gem 'rack-timeout'
-  gem 'rack-throttle'
   gem 'pg'
   gem 'sentry-ruby'
   gem 'sentry-rails', '>= 5.0.2'
@@ -105,3 +103,8 @@ end
 group :private do
   gem 'sqlite3'
 end
+
+group :production, :private do
+  gem 'rack-timeout'
+  gem 'rack-throttle'
+end

config/environments/private.rb

@@ -18,6 +18,11 @@
     protocol: Settings.host_protocol
   }
 
+  config.middleware.use Rack::Throttle::Daily,    max: Settings.throttling.daily
+  config.middleware.use Rack::Throttle::Hourly,   max: Settings.throttling.hourly
+  config.middleware.use Rack::Throttle::Minute,   max: Settings.throttling.minute
+  config.middleware.use Rack::Throttle::Second,   max: Settings.throttling.second
+
   config.action_mailer.smtp_settings = {
     address: Settings.mail.smtp_address,
     port: Settings.mail.smtp_port,

config/environments/production.rb

@@ -22,10 +22,10 @@
   # Apache or NGINX already handles this.
   config.public_file_server.enabled = ENV['RAILS_SERVE_STATIC_FILES'].present?
 
-  config.middleware.use Rack::Throttle::Daily,    max: 1000  # requests
-  config.middleware.use Rack::Throttle::Hourly,   max: 100   # requests
-  config.middleware.use Rack::Throttle::Minute,   max: 30    # requests
-  config.middleware.use Rack::Throttle::Second,   max: 2     # requests
+  config.middleware.use Rack::Throttle::Daily,    max: Settings.throttling.daily
+  config.middleware.use Rack::Throttle::Hourly,   max: Settings.throttling.hourly
+  config.middleware.use Rack::Throttle::Minute,   max: Settings.throttling.minute
+  config.middleware.use Rack::Throttle::Second,   max: Settings.throttling.second
 
   # Compress JavaScripts and CSS.
   config.assets.js_compressor = :uglifier

config/settings.yml

@@ -1,13 +1,17 @@
-# Global Application Defaults
+# Global Application Configuration
 
-# This is initially for internal settings.  If all goes well using
-# this new config gem, then we'll migrate entirely to the new Settings
-# format for private instances too.
+# See also https://github.com/pglombardo/PasswordPusher/blob/master/Configuration.md
+# for a further explanation of the larger settings available here.
 
 # Logins are disabled by default since they require an MTA (email) server
 # available to send emails through.
+#
 # For instructions on how to enable logins, see this page:
 # https://github.com/pglombardo/PasswordPusher/discussions/276
+#
+# Environment variable override:
+# PWP__ENABLE_LOGINS='false'
+#
 enable_logins: false
 
 # By default, Password Pusher can be used by anonymous users to push
@@ -24,10 +28,18 @@ allow_anonymous: true
 
 # The domain (without protocol) where this instance is hosted
 # Used in generating fully qualified URLs.
+#
+# Environment variable override:
+# PWP__HOST_DOMAIN='pwpush.com'
+#
 # host_domain: 'pwpush.com'
 
 # The protocol to reach the domain above
 # Used in generating fully qualified URLs.
+#
+# Environment variable override:
+# PWP__HOST_PROTOCOL='https'
+#
 host_protocol: 'https'
 
 # Set the following value to force the base URL of generated links.
@@ -42,23 +54,96 @@ host_protocol: 'https'
 #
 # override_base_url: 'https://pwpush.mydomain.com'
 
+
+# Configure the application throttling limits.
+#
+# Throttling enforces a minimum time interval
+# between subsequent HTTP requests from a particular client, as
+# well as by defining a maximum number of allowed HTTP requests
+# per a given time period (per minute, hourly, or daily).
+#
+# See https://github.com/dryruby/rack-throttle#throttling-strategies
+# for a description of function.
+#
+throttling:
+  # ..maximum number of allowed HTTP requests per day
+  #
+  # Default: 1000
+  #
+  # Environment Variable Override: PWP__THROTTLING__DAILY='1000'
+  daily: 1000
+
+  # ..maximum number of allowed HTTP requests per hour
+  #
+  # Default: 100
+  #
+  # Environment Variable Override: PWP__THROTTLING__HOURLY='100'
+  hourly: 100
+
+  # ..maximum number of allowed HTTP requests per minute
+  #
+  # Default: 30
+  #
+  # Environment Variable Override: PWP__THROTTLING__MINUTE='30'
+  minute: 30
+
+  # ..maximum number of allowed HTTP requests per second
+  #
+  # Default: 2
+  #
+  # Environment Variable Override: PWP__THROTTLING__SECOND='2'
+  second: 2
+
+
 # When logins are enabled, an SMTP server is required to send emails to users
 # for things such as forgot password, unlock account, confirm account etc.
 # If `enable_logins` is set to true above, the following _are required_ to be
 # filled out with valid values.
 mail:
+  # Email delivery errors will be shown in the application
+  # Environment Variable Override: PWP__MAIL__RAISE_DELIVERY_ERRORS='false'
   raise_delivery_errors: false
+
+  # Allows you to use a remote mail server. Just change it from its default "localhost" setting.
+  # Environment Variable Override: PWP__MAIL__SMTP_ADDRESS='smtp.example.com'
   # smtp_address: smtp.example.com
+
+  # If your mail server requires authentication, set the username in this setting.
+  # Environment Variable Override: PWP__MAIL__SMTP_USER_NAME='apikey'
   # smtp_user_name: 'apikey'
+
+  # If your mail server requires authentication, set the password in this setting.
+  # Environment Variable Override: PWP__MAIL__SMTP_PASSWORD='something@&#$'
   # smtp_password: ''
+
+  # Port of the SMTP server
+  # Environment Variable Override: PWP__MAIL__SMTP_PORT='587'
   smtp_port: 587
+
+  # If your mail server requires authentication, you need to specify the
+  # authentication type here. This is a string and one of :plain (will send
+  # the password in the clear), :login (will send password Base64 encoded)
+  # or :cram_md5 (combines a Challenge/Response mechanism to exchange
+  # information and a cryptographic Message Digest 5 algorithm to hash
+  # important information)
+  # Environment Variable Override: PWP__MAIL__SMTP_AUTHENTICATION='plain'
   smtp_authentication: 'plain'
+
+  # Use STARTTLS when connecting to your SMTP server and fail if unsupported.
+  # Environment Variable Override: PWP__MAIL__SMTP_STARTTLS='true'
   smtp_starttls: true
+
+  # Number of seconds to wait while attempting to open a connection.
+  # Environment Variable Override: PWP__MAIL__SMTP_OPEN_TIMEOUT='10'
   smtp_open_timeout: 10
+
+  # Number of seconds to wait until timing-out a read(2) call.
+  # Environment Variable Override: PWP__MAIL__SMTP_READ_TIMEOUT='10'
   smtp_read_timeout: 10
 
   # Configure the e-mail address which will be shown as 'From' in emails
   # See config/initializers/devise.rb where this is used
+  # Environment Variable Override: PWP__MAIL__MAILER_SENDER='"Password Pusher" <[email protected]>'
   # mailer_sender: '"Password Pusher" <[email protected]>'
 
 # List of supported languages indexed by language code.  This is used
@@ -85,7 +170,9 @@ language_codes:
 
 # The default language for the application.  This must be one of the
 # valid/supported language codes from the list above.
+#
 # Example: default_locale: :es
+#
 # Environment Variable Override: PWP__DEFAULT_LOCALE='es'
 default_locale: :en
 

gemfiles/Gemfile-mysql

@@ -96,8 +96,6 @@ gem 'net-smtp'
 gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby]
 
 group :production do
-  gem 'rack-timeout'
-  gem 'rack-throttle'
   gem 'sentry-ruby'
   gem 'sentry-rails'
   gem 'mysql2'
@@ -106,3 +104,8 @@ end
 group :private do
   gem 'sqlite3'
 end
+
+group :production, :private do
+  gem 'rack-timeout'
+  gem 'rack-throttle'
+end