matrix/authentication-service
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-08-07 17:03:01 +03:00
Code Activity

fixup! Add configuration for rate-limiting of logins, replacing hardcoded limits

Browse Source
This commit is contained in:
Olivier 'reivilibre
2024-08-07 15:14:26 +01:00
parent 11abd7a458
commit 8df3ec459f
2 changed files with 6 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
crates/config/src/sections/rate_limiting.rs
View File

@@ -12,7 +12,7 @@
// See the License for the specific language governing permissions and // See the License for the specific language governing permissions and
// limitations under the License. // limitations under the License.
use std::{num::NonZero, time::Duration}; use std::{num::NonZeroU32, time::Duration};
use governor::Quota; use governor::Quota;
use schemars::JsonSchema; use schemars::JsonSchema;
@@ -54,8 +54,7 @@ pub struct LoginRateLimitingConfig {
pub struct RateLimiterConfiguration { pub struct RateLimiterConfiguration {
/// A one-off burst of actions that the user can perform /// A one-off burst of actions that the user can perform
/// in one go without waiting. /// in one go without waiting.
/// Replenishes at the rate. pub burst: NonZeroU32,
pub burst: u32,
/// How quickly the allowance replenishes, in number of actions per second. /// How quickly the allowance replenishes, in number of actions per second.
/// Can be fractional to replenish slower. /// Can be fractional to replenish slower.
pub per_second: f64, pub per_second: f64,
@@ -82,10 +81,6 @@ impl ConfigurationSection for RateLimitingConfig {
// Check one limiter's configuration for errors // Check one limiter's configuration for errors
let error_on_limiter = let error_on_limiter =
|limiter: &RateLimiterConfiguration| -> Option<figment::error::Error> { |limiter: &RateLimiterConfiguration| -> Option<figment::error::Error> {
if limiter.burst == 0 {
return Some(figment::error::Error::custom("`burst` must not be zero, as this would mean the action could never be performed"));
}
let recip = limiter.per_second.recip(); let recip = limiter.per_second.recip();
// period must be at least 1 nanosecond according to the governor library // period must be at least 1 nanosecond according to the governor library
if recip < 1.0e-9 || !recip.is_finite() { if recip < 1.0e-9 || !recip.is_finite() {
@@ -120,21 +115,20 @@ impl RateLimiterConfiguration {
if !reciprocal.is_finite() { if !reciprocal.is_finite() {
return None; return None;
} }
let burst = NonZero::new(self.burst)?; Some(Quota::with_period(Duration::from_secs_f64(reciprocal))?.allow_burst(self.burst))
Some(Quota::with_period(Duration::from_secs_f64(reciprocal))?.allow_burst(burst))
} }
} }
fn default_login_per_address() -> RateLimiterConfiguration { fn default_login_per_address() -> RateLimiterConfiguration {
RateLimiterConfiguration { RateLimiterConfiguration {
burst: 3, burst: NonZeroU32::new(3).unwrap(),
per_second: 3.0 / 60.0, per_second: 3.0 / 60.0,
} }
} }
fn default_login_per_account() -> RateLimiterConfiguration { fn default_login_per_account() -> RateLimiterConfiguration {
RateLimiterConfiguration { RateLimiterConfiguration {
burst: 1800, burst: NonZeroU32::new(1800).unwrap(),
per_second: 1800.0 / 3600.0, per_second: 1800.0 / 3600.0,
} }
} }

2
docs/config.schema.json
View File

@@ -1726,7 +1726,7 @@
"description": "A one-off burst of actions that the user can perform in one go without waiting. Replenishes at the rate.", "description": "A one-off burst of actions that the user can perform in one go without waiting. Replenishes at the rate.",
"type": "integer", "type": "integer",
"format": "uint32", "format": "uint32",
"minimum": 0.0 "minimum": 1.0
}, },
"per_second": { "per_second": {
"description": "How quickly the allowance replenishes, in number of actions per second. Can be fractional to replenish slower.", "description": "How quickly the allowance replenishes, in number of actions per second. Can be fractional to replenish slower.",