1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
5 defmodule Pleroma.Plugs.RateLimiter do
10 A keyword list of rate limiters where a key is a limiter name and value is the limiter configuration.
11 The basic configuration is a tuple where:
13 * The first element: `scale` (Integer). The time scale in milliseconds.
14 * The second element: `limit` (Integer). How many requests to limit in the time scale provided.
16 It is also possible to have different limits for unauthenticated and authenticated users: the keyword value must be a
17 list of two tuples where the first one is a config for unauthenticated users and the second one is for authenticated.
19 To disable a limiter set its value to `nil`.
23 config :pleroma, :rate_limit,
25 two: [{10_000, 10}, {10_000, 50}],
28 Here we have three limiters:
30 * `one` which is not over 10req/1s
31 * `two` which has two limits: 10req/10s for unauthenticated users and 50req/10s for authenticated users
32 * `foobar` which is disabled
38 plug(Pleroma.Plugs.RateLimiter, name: :limiter_name)
39 plug(Pleroma.Plugs.RateLimiter, options) # :name is a required option
43 * `name` required, always used to fetch the limit values from the config
44 * `bucket_name` overrides name for counting purposes (e.g. to have a separate limit for a set of actions)
45 * `params` appends values of specified request params (e.g. ["id"]) to bucket name
49 plug(Pleroma.Plugs.RateLimiter, [name: :one] when action == :one)
50 plug(Pleroma.Plugs.RateLimiter, [name: :two] when action in [:two, :three])
53 Pleroma.Plugs.RateLimiter,
54 [name: :status_id_action, bucket_name: "status_id_action:fav_unfav", params: ["id"]]
55 when action in ~w(fav_status unfav_status)a
58 or inside a router pipeline:
62 plug(Pleroma.Plugs.RateLimiter, name: :one)
66 import Pleroma.Web.TranslationHelpers
70 alias Pleroma.Plugs.RateLimiter.LimiterSupervisor
76 def init(plug_opts) do
80 def call(conn, plug_opts) do
84 action_settings = action_settings(plug_opts)
85 handle(conn, action_settings)
89 defp handle_disabled(conn) do
91 "Rate limiter disabled due to forwarded IP not being found. Please ensure your reverse proxy is providing the X-Forwarded-For header or disable the RemoteIP plug/rate limiter."
97 defp handle(conn, nil), do: conn
99 defp handle(conn, action_settings) do
101 |> incorporate_conn_info(conn)
108 render_throttled_error(conn)
112 def disabled?(conn) do
113 if Map.has_key?(conn.assigns, :remote_ip_found),
114 do: !conn.assigns.remote_ip_found,
118 @inspect_bucket_not_found {:error, :not_found}
120 def inspect_bucket(conn, bucket_name_root, plug_opts) do
121 with %{name: _} = action_settings <- action_settings(plug_opts) do
122 action_settings = incorporate_conn_info(action_settings, conn)
123 bucket_name = make_bucket_name(%{action_settings | name: bucket_name_root})
124 key_name = make_key_name(action_settings)
125 limit = get_limits(action_settings)
127 case Cachex.get(bucket_name, key_name) do
128 {:error, :no_cache} ->
129 @inspect_bucket_not_found
135 {value, limit - value}
138 _ -> @inspect_bucket_not_found
142 def action_settings(plug_opts) do
143 with limiter_name when is_atom(limiter_name) <- plug_opts[:name],
144 limits when not is_nil(limits) <- Config.get([:rate_limit, limiter_name]) do
145 bucket_name_root = Keyword.get(plug_opts, :bucket_name, limiter_name)
148 name: bucket_name_root,
155 defp check_rate(action_settings) do
156 bucket_name = make_bucket_name(action_settings)
157 key_name = make_key_name(action_settings)
158 limit = get_limits(action_settings)
160 case Cachex.get_and_update(bucket_name, key_name, &increment_value(&1, limit)) do
167 {:error, :no_cache} ->
168 initialize_buckets!(action_settings)
169 check_rate(action_settings)
173 defp increment_value(nil, _limit), do: {:commit, 1}
175 defp increment_value(val, limit) when val >= limit, do: {:ignore, val}
177 defp increment_value(val, _limit), do: {:commit, val + 1}
179 defp incorporate_conn_info(action_settings, %{
180 assigns: %{user: %User{id: user_id}},
183 Map.merge(action_settings, %{
186 conn_info: "#{user_id}"
190 defp incorporate_conn_info(action_settings, %{params: params} = conn) do
191 Map.merge(action_settings, %{
194 conn_info: "#{ip(conn)}"
198 defp ip(%{remote_ip: remote_ip}) do
204 defp render_throttled_error(conn) do
206 |> render_error(:too_many_requests, "Throttled")
210 defp make_key_name(action_settings) do
212 |> attach_selected_params(action_settings)
213 |> attach_identity(action_settings)
216 defp get_scale(_, {scale, _}), do: scale
218 defp get_scale(:anon, [{scale, _}, {_, _}]), do: scale
220 defp get_scale(:user, [{_, _}, {scale, _}]), do: scale
222 defp get_limits(%{limits: {_scale, limit}}), do: limit
224 defp get_limits(%{mode: :user, limits: [_, {_, limit}]}), do: limit
226 defp get_limits(%{limits: [{_, limit}, _]}), do: limit
228 defp make_bucket_name(%{mode: :user, name: bucket_name_root}),
229 do: user_bucket_name(bucket_name_root)
231 defp make_bucket_name(%{mode: :anon, name: bucket_name_root}),
232 do: anon_bucket_name(bucket_name_root)
234 defp attach_selected_params(input, %{conn_params: conn_params, opts: plug_opts}) do
237 |> Keyword.get(:params, [])
239 |> Enum.map(&Map.get(conn_params, &1, ""))
242 [input, params_string]
244 |> String.replace_leading(":", "")
247 defp initialize_buckets!(%{name: _name, limits: nil}), do: :ok
249 defp initialize_buckets!(%{name: name, limits: limits}) do
251 LimiterSupervisor.add_or_return_limiter(anon_bucket_name(name), get_scale(:anon, limits))
254 LimiterSupervisor.add_or_return_limiter(user_bucket_name(name), get_scale(:user, limits))
259 defp attach_identity(base, %{mode: :user, conn_info: conn_info}),
260 do: "user:#{base}:#{conn_info}"
262 defp attach_identity(base, %{mode: :anon, conn_info: conn_info}),
263 do: "ip:#{base}:#{conn_info}"
265 defp user_bucket_name(bucket_name_root), do: "user:#{bucket_name_root}" |> String.to_atom()
266 defp anon_bucket_name(bucket_name_root), do: "anon:#{bucket_name_root}" |> String.to_atom()