    Make rate limiting of /users/:id configurable · cd6ddb36
    Magdalena Frankiewicz authored
    In order to better discriminate between short bursts of legitimate
    requests and sustained misuse such as user enumeration attacks, we
    increase both the rate limit and the interval to 300 per 10 minutes
    (instead of 10 per minute).
    
    Additionally, the limit is now configurable in `ApplicationSetting`, so
    it can be set per-instance. This is also important in order to avoid
    hitting the limit on staging when running tests.
    
    Enable changing the limit via UI or API
    Admin users can set the rate limit via the UI (under Admin Area >
    Settings > Network) or via the `/application/settings` API.
    
    Allow configuring a user allowlist
    
    Changelog: changed
application_setting.rb 28.7 KB
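The following is an added example, not code from this commit or from GitLab: a fixed-window rate limiter for a per-user lookup endpoint whose threshold, interval and user allowlist are read from an instance-wide settings hash standing in for `ApplicationSetting`. The setting names (`users_get_by_id_limit`, `users_get_by_id_limit_period`, `users_get_by_id_limit_allowlist`), the requester `alice`, the allowlisted `ci-bot`, and the `simulate` driver are all assumptions for illustration. It shows why 300 per 10 minutes separates a short burst from a sustained enumeration better than 10 per minute does: the burst passes untouched under the new window while the enumeration still gets cut off at request 301.

```ruby
# Added example (not GitLab's code). Fixed-window rate limiter driven by
# instance-level settings, with a per-user allowlist.

# Constructed stand-ins for ApplicationSetting values (names are hypothetical).
OLD_SETTINGS = {
  users_get_by_id_limit: 10,            # requests allowed per window
  users_get_by_id_limit_period: 60,     # window length in seconds (1 minute)
  users_get_by_id_limit_allowlist: []   # no exempt users
}.freeze

NEW_SETTINGS = {
  users_get_by_id_limit: 300,           # 300 requests ...
  users_get_by_id_limit_period: 600,    # ... per 10 minutes
  users_get_by_id_limit_allowlist: ['ci-bot'] # hypothetical exempt username
}.freeze

class UserLookupRateLimiter
  # `clock` is injectable so the window logic can be exercised deterministically.
  def initialize(settings, clock: -> { Time.now.to_f })
    @settings = settings
    @clock = clock
    # requester -> { start: window start time, count: requests in this window }
    @windows = Hash.new { |h, k| h[k] = { start: nil, count: 0 } }
  end

  # true when the request may proceed, false when it should be answered 429.
  def allow?(requester)
    return true if allowlisted?(requester)

    limit = @settings[:users_get_by_id_limit].to_i
    return true if limit <= 0 # a limit of 0 disables throttling entirely

    period = @settings[:users_get_by_id_limit_period].to_i
    now = @clock.call
    window = @windows[requester]

    # Open a fresh window on the first request or once the old one has expired.
    if window[:start].nil? || now - window[:start] >= period
      window[:start] = now
      window[:count] = 0
    end

    window[:count] += 1
    window[:count] <= limit
  end

  private

  def allowlisted?(requester)
    Array(@settings[:users_get_by_id_limit_allowlist]).include?(requester)
  end
end

# Replays requests at the given timestamps (seconds) for one requester and
# returns how many of them would have been throttled.
def simulate(settings, request_times, requester: 'alice')
  now = 0.0
  limiter = UserLookupRateLimiter.new(settings, clock: -> { now })
  request_times.count do |t|
    now = t
    !limiter.allow?(requester)
  end
end

# Constructed traffic patterns:
# a legitimate burst of 50 lookups within 5 seconds ...
BURST = (0...50).map { |i| i * 0.1 }
# ... versus an enumeration walking 400 ids at one request per second.
ENUMERATION = (0...400).map(&:to_f)

if __FILE__ == $PROGRAM_NAME
  puts "burst, 10/min:        #{simulate(OLD_SETTINGS, BURST)} throttled"
  puts "burst, 300/10min:     #{simulate(NEW_SETTINGS, BURST)} throttled"
  puts "enum, 10/min:         #{simulate(OLD_SETTINGS, ENUMERATION)} throttled"
  puts "enum, 300/10min:      #{simulate(NEW_SETTINGS, ENUMERATION)} throttled"
  puts "enum, allowlisted:    #{simulate(NEW_SETTINGS, ENUMERATION, requester: 'ci-bot')} throttled"
end
```

Under the old 10-per-minute setting the 50-request burst loses 40 requests, while under 300 per 10 minutes it passes entirely; the 400-id enumeration is still throttled from request 301 onward. Because the example keys the allowlist on the requester's username, an allowlisted account such as a test runner on staging bypasses the window completely, which is the failure mode to watch: anything placed on the allowlist is exempt from enumeration protection, so keep that list short and audited.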