chore: Limit widget endpoint with rack attack (#6465)

ref: https://github.com/chatwoot/chatwoot/issues/1007#issuecomment-1427156094
This commit is contained in:
Sojan Jose
2023-02-16 10:11:40 +05:30
committed by GitHub
parent 7044eda281
commit 0888596b83


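--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -104,6 +104,11 @@ class Rack::Attack
 throttle('api/v1/widget/contacts', limit: 60, period: 1.hour) do |req|
 req.ip if req.path_without_extentions == '/api/v1/widget/contacts' && (req.patch? || req.put?)
 end
+## Prevent Conversation Bombing through multiple sessions
+throttle('widget?website_token={website_token}&cw_conversation={x-auth-token}', limit: 5, period: 1.hour) do |req|
+req.ip if req.path_without_extentions == '/widget' && ActionDispatch::Request.new(req.env).params['cw_conversation'].blank?
+end
 end
 # Log blocked events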
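Review bot: The new `/widget` throttle only counts requests whose `cw_conversation` param is blank, so any request that carries a non-blank value is exempt from the limit regardless of whether that token corresponds to a real session; if the widget controller falls back to creating a fresh session when the token is unknown (not visible here), the throttle does not cover the case the comment describes. A more robust condition would treat an unrecognised token the same as a missing one, e.g. by moving the decision into a small helper on the request that checks the token against the session store rather than testing `.blank?` alone. Note also that `ActionDispatch::Request.new(req.env).params` can raise on a malformed query string, and an exception inside a throttle block surfaces before the app's own error handling, so consider wrapping that lookup (`params = ActionDispatch::Request.new(req.env).params rescue {}` is too broad — rescue the specific parse error instead). Finally, 5 requests per hour keyed on `req.ip` applies to every first-time visitor behind a shared NAT, so the limit may warrant a comment explaining the chosen value and a blocked-event log check after rollout. The enclosing `class Rack::Attack` body starts before this hunk.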