Browse Source

Add rate-limiting to donate endpoint

Someone has been spamming the donation form to test credit card info
lately, with a bunch of $1 charges that almost all get rejected by
Stripe.

They don't seem to change IP addresses most of the time, so this should
make a little harder for them to do, anyway.
merge-requests/74/head
Deimos 5 years ago
parent
commit
7728ee587c
  1. 1
      tildes/tildes/lib/ratelimit.py
  2. 3
      tildes/tildes/views/donate.py

1
tildes/tildes/lib/ratelimit.py

@ -281,6 +281,7 @@ class RateLimitedAction:
# the actual list of actions with rate-limit restrictions
# each action must have a unique name to prevent key collisions
_RATE_LIMITED_ACTIONS = (
RateLimitedAction("donate", timedelta(hours=1), 5, max_burst=5, by_user=False),
RateLimitedAction("login", timedelta(hours=1), 20),
RateLimitedAction("login_two_factor", timedelta(hours=1), 20),
RateLimitedAction("register", timedelta(hours=1), 50),

3
tildes/tildes/views/donate.py

@ -12,6 +12,8 @@ from pyramid.security import NO_PERMISSION_REQUIRED
from pyramid.view import view_config
from webargs.pyramidparser import use_kwargs
from tildes.views.decorators import rate_limit_view
@view_config(
route_name="donate_stripe",
@ -28,6 +30,7 @@ from webargs.pyramidparser import use_kwargs
"currency": String(required=True, validate=OneOf(("CAD", "USD"))),
}
)
@rate_limit_view("donate")
def post_donate_stripe(
request: Request, stripe_token: str, donator_email: str, amount: int, currency: str
) -> dict:

Loading…
Cancel
Save