FEATURE: Add global admin api key rate limiter (#12527)

2024-11-22 11:23:25 +08:00 · 2021-06-03 10:52:43 +01:00 · 2021-06-03 10:52:43 +01:00 · 4134173bbf
commit 4134173bbf
parent 58b30fb510
4 changed files with 21 additions and 11 deletions
--- a/config/discourse_defaults.conf
+++ b/config/discourse_defaults.conf
@ -225,7 +225,7 @@ s3_install_cors_rule =
 max_user_api_reqs_per_minute = 20
 max_user_api_reqs_per_day = 2880

-max_admin_api_reqs_per_key_per_minute = 60
+max_admin_api_reqs_per_minute = 60

 max_reqs_per_ip_per_minute = 200
 max_reqs_per_ip_per_10_seconds = 50
--- a/lib/auth/default_current_user_provider.rb
+++ b/lib/auth/default_current_user_provider.rb
@ -131,7 +131,7 @@ class Auth::DefaultCurrentUserProvider
      raise Discourse::InvalidAccess.new(I18n.t('invalid_api_credentials'), nil, custom_message: "invalid_api_credentials") unless current_user
      raise Discourse::InvalidAccess if current_user.suspended? || !current_user.active
      @env[API_KEY_ENV] = true
-      rate_limit_admin_api_requests(api_key)
+      rate_limit_admin_api_requests!
    end

    # user api key handling
@ -377,15 +377,23 @@ class Auth::DefaultCurrentUserProvider
    !!@env[HEADER_API_KEY]
  end

-  def rate_limit_admin_api_requests(api_key)
+  def rate_limit_admin_api_requests!
    return if Rails.env == "profile"

-    RateLimiter.new(
+    limit = GlobalSetting.max_admin_api_reqs_per_minute.to_i
+    if GlobalSetting.respond_to?(:max_admin_api_reqs_per_key_per_minute)
+      Discourse.deprecate("DISCOURSE_MAX_ADMIN_API_REQS_PER_KEY_PER_MINUTE is deprecated. Please use DISCOURSE_MAX_ADMIN_API_REQS_PER_MINUTE")
+      limit = [ GlobalSetting.max_admin_api_reqs_per_key_per_minute.to_i, limit].max
+    end
+
+    global_limit = RateLimiter.new(
      nil,
-      "admin_api_min_#{ApiKey.hash_key(api_key)}",
-      GlobalSetting.max_admin_api_reqs_per_key_per_minute,
+      "admin_api_min",
+      limit,
      60
-    ).performed!
+    )
+
+    global_limit.performed!
  end

  def can_write?
--- a/spec/components/auth/default_current_user_provider_spec.rb
+++ b/spec/components/auth/default_current_user_provider_spec.rb
@ -195,10 +195,11 @@ describe Auth::DefaultCurrentUserProvider do
        RateLimiter.enable
      end

-      it "rate limits api requests per api key" do
-        global_setting :max_admin_api_reqs_per_key_per_minute, 3
+      it "rate limits admin api requests" do
+        global_setting :max_admin_api_reqs_per_minute, 3

        freeze_time
+        RateLimiter.new(nil, "admin_api_min", 3, 60).clear!

        api_key = ApiKey.create!(created_by_id: -1)
        params = { "HTTP_API_KEY" => api_key.key, "HTTP_API_USERNAME" => user.username.downcase }
--- a/spec/integration/rate_limiting_spec.rb
+++ b/spec/integration/rate_limiting_spec.rb
@ -49,12 +49,13 @@ describe 'rate limiter integration' do

  it 'can cleanly limit requests and sets a Retry-After header' do
    freeze_time
-    #request.set_header("action_dispatch.show_exceptions", true)
+
+    RateLimiter.clear_all!

    admin = Fabricate(:admin)
    api_key = Fabricate(:api_key, user: admin)

-    global_setting :max_admin_api_reqs_per_key_per_minute, 1
+    global_setting :max_admin_api_reqs_per_minute, 1

    get '/admin/api/keys.json', headers: {
      HTTP_API_KEY: api_key.key,