- Pleroma API: `POST /api/v1/pleroma/scrobble` to scrobble a media item
- Mastodon API: Add `upload_limit`, `avatar_upload_limit`, `background_upload_limit`, and `banner_upload_limit` to `/api/v1/instance`
- Mastodon API: Add `pleroma.unread_conversation_count` to the Account entity
+- Authentication: Added rate limit for password-authorized actions / login existence checks
### Changed
- **Breaking:** Elixir >=1.8 is now required (was >= 1.7)
config :http_signatures,
adapter: Pleroma.Signature
-config :pleroma, :rate_limit, nil
+config :pleroma, :rate_limit, authentication: {60_000, 15}
config :pleroma, Pleroma.ActivityExpiration, enabled: true
group: :pleroma,
key: :rate_limit,
type: :group,
- description: "Rate limit settings. This is an advanced feature and disabled by default.",
+ description:
+ "Rate limit settings. This is an advanced feature enabled only for :authentication by default.",
children: [
%{
key: :search,
description:
"for fav / unfav or reblog / unreblog actions on the same status by the same user",
suggestions: [{1000, 10}, [{10_000, 10}, {10_000, 50}]]
+ },
+ %{
+ key: :authentication,
+ type: [:tuple, {:list, :tuple}],
+ description: "for authentication create / password check / user existence check requests",
+ suggestions: [{60_000, 15}]
}
]
},
defmodule Pleroma.Web.MongooseIM.MongooseIMController do
use Pleroma.Web, :controller
+
alias Comeonin.Pbkdf2
+ alias Pleroma.Plugs.RateLimiter
alias Pleroma.Repo
alias Pleroma.User
+ plug(RateLimiter, :authentication when action in [:user_exists, :check_password])
+ plug(RateLimiter, {:authentication, params: ["user"]} when action == :check_password)
+
def user_exists(conn, %{"user" => username}) do
with %User{} <- Repo.get_by(User, nickname: username, local: true) do
conn
plug(:fetch_session)
plug(:fetch_flash)
+ plug(Pleroma.Plugs.RateLimiter, :authentication when action == :create_authorization)
action_fallback(Pleroma.Web.OAuth.FallbackController)
projects / akkoma / commitdiff