From 48145e8e2370b735c5d6062a969578386bb5a124 Mon Sep 17 00:00:00 2001
From: Sam
Date: Thu, 25 Sep 2014 10:06:44 +1000
Subject: [PATCH] SECURITY: rate limit user/password login
---
 app/controllers/session_controller.rb | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/app/controllers/session_controller.rb b/app/controllers/session_controller.rb
index 3b82651bd13..dcbf678e3c5 100644
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@@ -51,6 +51,9 @@ class SessionController < ApplicationController
 return
 end
+ RateLimiter.new(nil, "login-hr-#{request.remote_ip}", 30, 1.hour).performed!
+ RateLimiter.new(nil, "login-min-#{request.remote_ip}", 6, 1.minute).performed!
+
 params.require(:login)
 params.require(:password)