Add rate limiting for events actions

Signed-off-by: marcin mikołajczak <git@mkljczk.pl>
2022-12-02 23:11:08 +01:00 · 2022-12-02 23:11:08 +01:00 · a9da110ac6
commit a9da110ac6
parent f21ec80ea2
4 changed files with 20 additions and 0 deletions
--- a/config/config.exs
+++ b/config/config.exs
@ -691,6 +691,7 @@
  relation_id_action: {60_000, 2},
  statuses_actions: {10_000, 15},
  status_id_action: {60_000, 3},
+  events_actions: {10_000, 15},
  password_reset: {1_800_000, 5},
  account_confirmation_resend: {8_640_000, 5},
  ap_routes: {60_000, 15}
--- a/config/description.exs
+++ b/config/description.exs
@ -2621,6 +2621,13 @@
          "For fav / unfav or reblog / unreblog actions on the same status by the same user",
        suggestions: [{1000, 10}, [{10_000, 10}, {10_000, 50}]]
      },
+      %{
+        key: :events_actions,
+        type: [:tuple, {:list, :tuple}],
+        description:
+          "For create / update / join / leave actions on any statuses",
+        suggestions: [{1000, 10}, [{10_000, 10}, {10_000, 50}]]
+      },
      %{
        key: :authentication,
        type: [:tuple, {:list, :tuple}],
--- a/docs/configuration/cheatsheet.md
+++ b/docs/configuration/cheatsheet.md
@ -477,6 +477,7 @@ Supported rate limiters:
 * `:relation_id_action` - Following/Unfollowing for a specific user.
 * `:statuses_actions` - Status actions such as: (un)repeating, (un)favouriting, creating, deleting.
 * `:status_id_action` - (un)Repeating/(un)Favouriting a particular status.
+* `:events_actions` - Events actions such as: creating, joining, leaving.
 * `:authentication` - Authentication actions, i.e getting an OAuth token.
 * `:password_reset` - Requesting password reset emails.
 * `:account_confirmation_resend` - Requesting resending account confirmation emails.
--- a/lib/pleroma/web/pleroma_api/controllers/event_controller.ex
+++ b/lib/pleroma/web/pleroma_api/controllers/event_controller.ex
@ -22,6 +22,7 @@ defmodule Pleroma.Web.PleromaAPI.EventController do
  alias Pleroma.Web.MastodonAPI.StatusView
  alias Pleroma.Web.PleromaAPI.EventView
  alias Pleroma.Web.Plugs.OAuthScopesPlug
+  alias Pleroma.Web.Plugs.RateLimiter

  plug(Pleroma.Web.ApiSpec.CastAndValidate)

@ -68,6 +69,16 @@ defmodule Pleroma.Web.PleromaAPI.EventController do
    when action in [:export_ics]
  )

+  @rate_limited_event_actions ~w(create update join leave)a
+
+  plug(
+    RateLimiter,
+    [name: :status_id_action, bucket_name: "status_id_action:join_leave", params: [:id]]
+    when action in ~w(join leave)a
+  )
+
+  plug(RateLimiter, [name: :events_actions] when action in @rate_limited_event_actions)
+
  plug(Pleroma.Web.Plugs.SetApplicationPlug, [] when action in [:create, :update])

  action_fallback(Pleroma.Web.MastodonAPI.FallbackController)