From f3eca36c67e833a9e2598d53a326cf9aa7190d88 Mon Sep 17 00:00:00 2001
From: Deimos
Date: Thu, 28 Nov 2019 21:02:35 -0700
Subject: [PATCH] Add IP-based ratelimit to Stripe donation page

There's still someone trying to use the Tildes donation page to check stolen credit cards occasionally. The new version of Checkout seems to be blocking them all successfully, but I might as well not make it easy on them.
---
 tildes/tildes/lib/ratelimit.py | 1 +
 tildes/tildes/views/donate.py | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/tildes/tildes/lib/ratelimit.py b/tildes/tildes/lib/ratelimit.py
index c4548f2..15d0c0c 100644
--- a/tildes/tildes/lib/ratelimit.py
+++ b/tildes/tildes/lib/ratelimit.py
@@ -284,6 +284,7 @@ _RATE_LIMITED_ACTIONS = (
     RateLimitedAction("register", timedelta(hours=1), 50),
     RateLimitedAction("topic_post", timedelta(hours=1), 6, max_burst=4),
     RateLimitedAction("comment_post", timedelta(hours=1), 30, max_burst=20),
+    RateLimitedAction("donate_stripe", timedelta(hours=1), 5, by_user=False),
 )
 
 # (public) dict to be able to look up the actions by name
diff --git a/tildes/tildes/views/donate.py b/tildes/tildes/views/donate.py
index 7b525fe..5a4c897 100644
--- a/tildes/tildes/views/donate.py
+++ b/tildes/tildes/views/donate.py
@@ -13,6 +13,7 @@
 from pyramid.view import view_config
 from webargs.pyramidparser import use_kwargs
 from tildes.metrics import incr_counter
+from tildes.views.decorators import rate_limit_view
 
 
 @view_config(
@@ -40,6 +41,7 @@ def get_donate_stripe(request: Request) -> dict:
         "interval": String(required=True, validate=OneOf(("onetime", "month", "year"))),
     }
 )
+@rate_limit_view("donate_stripe")
 def post_donate_stripe(
     request: Request, amount: int, currency: str, interval: str
 ) -> dict:
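Review bot: The new `donate_stripe` entry is keyed purely by client address (`by_user=False`), so its strength depends entirely on how the limiter derives that address; if it is read from a forwarded header that the app trusts behind a reverse proxy, a card tester can reset the bucket by changing one request header, and one rotating through proxies gets 5 fresh attempts per address per hour regardless. That is worth stating next to the entry, e.g. `# keyed by IP (carding defence); assumes the remote address is proxy-validated — a distributed attacker still gets 5/IP/hour`, and I would also check whether `RateLimitedAction` lets a per-user limit sit alongside it, since logged-in abusers currently consume only the IP budget. Note too that this entry omits `max_burst` while its neighbours set it; whatever the default is should be confirmed to be what is intended for 5 attempts. The enclosing `_RATE_LIMITED_ACTIONS` tuple begins outside the hunk.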
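Review bot: `@rate_limit_view("donate_stripe")` sits below `@use_kwargs(...)`, so at request time the webargs validation runs first and the rate limit is only consulted for requests whose `amount`/`currency`/`interval` already pass the schema; malformed probes are rejected without ever counting against the limit, which is the opposite of what a defence against automated card testing wants. Provided the decorator only needs `request` and tolerates keyword pass-through (I cannot see its signature here), move the line so it is the outermost view decorator after `@view_config`: `@rate_limit_view("donate_stripe")` directly above `@use_kwargs(`. The `@use_kwargs(` opener and the body of `post_donate_stripe` both lie outside the hunk.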