Merge pull request from GHSA-q3rg-xx5v-4mxh

2024-05-30 14:14:04 +02:00
parent e292a28933
commit 020228ddba
3 changed files with 41 additions and 10 deletions
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -30,13 +30,17 @@ class Rack::Attack
    end

    def authenticated_user_id
-      authenticated_token&.resource_owner_id
+      authenticated_token&.resource_owner_id || warden_user_id
    end

    def authenticated_token_id
      authenticated_token&.id
    end

+    def warden_user_id
+      @env['warden']&.user&.id
+    end
+
    def unauthenticated?
      !authenticated_user_id
    end
@@ -137,6 +141,10 @@ class Rack::Attack
    req.session[:attempt_user_id] || req.params.dig('user', 'email').presence if req.post? && req.path_matches?('/auth/sign_in')
  end

+  throttle('throttle_password_change/account', limit: 10, period: 10.minutes) do |req|
+    req.authenticated_user_id if req.put? || (req.patch? && req.path_matches?('/auth'))
+  end
+
  self.throttled_responder = lambda do |request|
    now        = Time.now.utc
    match_data = request.env['rack.attack.match_data']