From 2df83276e034515a5fa9c1c5a74cb4162c896df2 Mon Sep 17 00:00:00 2001
From: Sojan Jose
Date: Tue, 15 Aug 2023 17:44:25 -0700
Subject: [PATCH] chore: Ability to disable rack attack on widget endpoints (#7729)
---
 config/initializers/rack_attack.rb | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)
diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
index 5f1463db6..87d4456f4 100644
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -105,19 +105,24 @@ class Rack::Attack
   ###-----------Widget API Throttling---------------###
   ###-----------------------------------------------###
-  ## Prevent Conversation Bombing on Widget APIs ###
-  throttle('api/v1/widget/conversations', limit: 6, period: 12.hours) do |req|
-    req.ip if req.path_without_extentions == '/api/v1/widget/conversations' && req.post?
-  end
+  # Rack attack on widget APIs can be disabled by setting ENABLE_RACK_ATTACK_WIDGET_API to false
+  # For clients using the widgets in specific conditions like inside and iframe
+  # TODO: Deprecate this feature in future after finding a better solution
+  if ActiveModel::Type::Boolean.new.cast(ENV.fetch('ENABLE_RACK_ATTACK_WIDGET_API', true))
+    ## Prevent Conversation Bombing on Widget APIs ###
+    throttle('api/v1/widget/conversations', limit: 6, period: 12.hours) do |req|
+      req.ip if req.path_without_extentions == '/api/v1/widget/conversations' && req.post?
+    end
-  ## Prevent Contact update Bombing in Widget API ###
-  throttle('api/v1/widget/contacts', limit: 60, period: 1.hour) do |req|
-    req.ip if req.path_without_extentions == '/api/v1/widget/contacts' && (req.patch? || req.put?)
-  end
+    ## Prevent Contact update Bombing in Widget API ###
+    throttle('api/v1/widget/contacts', limit: 60, period: 1.hour) do |req|
+      req.ip if req.path_without_extentions == '/api/v1/widget/contacts' && (req.patch? || req.put?)
+    end
-  ## Prevent Conversation Bombing through multiple sessions
-  throttle('widget?website_token={website_token}&cw_conversation={x-auth-token}', limit: 5, period: 1.hour) do |req|
-    req.ip if req.path_without_extentions == '/widget' && ActionDispatch::Request.new(req.env).params['cw_conversation'].blank?
+    ## Prevent Conversation Bombing through multiple sessions
+    throttle('widget?website_token={website_token}&cw_conversation={x-auth-token}', limit: 5, period: 1.hour) do |req|
+      req.ip if req.path_without_extentions == '/widget' && ActionDispatch::Request.new(req.env).params['cw_conversation'].blank?
+    end
   end
   ##-----------------------------------------------##
@@ -127,7 +132,7 @@ class Rack::Attack
   ###-----------------------------------------------###
   ## Prevent Abuse of Converstion Transcript APIs ###
-  throttle('/api/v1/accounts/:account_id/conversations/:conversation_id/transcript', limit: 20, period: 1.hour) do |req|
+  throttle('/api/v1/accounts/:account_id/conversations/:conversation_id/transcript', limit: 30, period: 1.hour) do |req|
     match_data = %r{/api/v1/accounts/(?\d+)/conversations/(?\d+)/transcript}.match(req.path)
     match_data[:account_id] if match_data.present?
   end
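Review bot: The new guard `if ActiveModel::Type::Boolean.new.cast(ENV.fetch('ENABLE_RACK_ATTACK_WIDGET_API', true))` fails open: `ActiveModel::Type::Boolean` casts an empty string to `nil`, so a variable that is present but blank (an easy mistake in a container manifest) silently switches off all three widget throttles, while the unset case and the explicit opt-out are the only two states the comment describes. Consider requiring a recognised false value to disable the rules, `unless ActiveModel::Type::Boolean.new.cast(ENV.fetch('ENABLE_RACK_ATTACK_WIDGET_API', nil)) == false`, and logging a boot-time warning when the branch is skipped, because the absence of the conversation and contact limits is otherwise invisible in production. The check sits in the class body, so it appears to run once when the initializer loads rather than per request; the comment should say that a restart is needed for a change to take effect. The added comment also has a typo and should read `# For clients using the widgets in specific conditions like inside an iframe`.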
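Review bot: The change of the transcript throttle from `limit: 20` to `limit: 30` is unrelated to the commit subject (disabling widget throttling) and is not mentioned in the description, so the reason for loosening an abuse limit on an account-scoped endpoint is lost from history. Either split it into its own commit or add a sentence to the commit message stating why 20 requests per hour was too low, and consider noting the rationale in the comment line above the throttle, e.g. `## Prevent Abuse of Conversation Transcript APIs (limit raised from 20, see <ISSUE_ID>) ###`, which would also fix the existing "Converstion" typo.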