Add rate-limiting to donate endpoint

Someone has been spamming the donation form to test credit card info lately, with a bunch of $1 charges that almost all get rejected by Stripe. They don't seem to change IP addresses most of the time, so this should make a little harder for them to do, anyway.
5 years ago · 7728ee587c
2 changed files with 4 additions and 0 deletions
--- a/tildes/tildes/lib/ratelimit.py
+++ b/tildes/tildes/lib/ratelimit.py
@ -281,6 +281,7 @@ class RateLimitedAction:
 # the actual list of actions with rate-limit restrictions
 # each action must have a unique name to prevent key collisions
 _RATE_LIMITED_ACTIONS = (
    RateLimitedAction("donate", timedelta(hours=1), 5, max_burst=5, by_user=False),
    RateLimitedAction("login", timedelta(hours=1), 20),
    RateLimitedAction("login_two_factor", timedelta(hours=1), 20),
    RateLimitedAction("register", timedelta(hours=1), 50),
--- a/tildes/tildes/views/donate.py
+++ b/tildes/tildes/views/donate.py
@ -12,6 +12,8 @@ from pyramid.security import NO_PERMISSION_REQUIRED
 from pyramid.view import view_config
 from webargs.pyramidparser import use_kwargs
 from tildes.views.decorators import rate_limit_view
@view_config(
    route_name="donate_stripe",
@ -28,6 +30,7 @@ from webargs.pyramidparser import use_kwargs
        "currency": String(required=True, validate=OneOf(("CAD", "USD"))),
    }
 )
@rate_limit_view("donate")
 def post_donate_stripe(
    request: Request, stripe_token: str, donator_email: str, amount: int, currency: str
 ) -> dict: