
Add IP-based ratelimit to Stripe donation page

There's still someone trying to use the Tildes donation page to check
stolen credit cards occasionally. The new version of Checkout seems to
be blocking them all successfully, but I might as well not make it easy
on them.
merge-requests/85/head
Deimos 5 years ago
parent
commit
f3eca36c67
  1. 1
      tildes/tildes/lib/ratelimit.py
  2. 2
      tildes/tildes/views/donate.py

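--- a/tildes/tildes/lib/ratelimit.py
+++ b/tildes/tildes/lib/ratelimit.py
@@ -284,6 +284,7 @@ _RATE_LIMITED_ACTIONS = (
 RateLimitedAction("register", timedelta(hours=1), 50),
 RateLimitedAction("topic_post", timedelta(hours=1), 6, max_burst=4),
 RateLimitedAction("comment_post", timedelta(hours=1), 30, max_burst=20),
+RateLimitedAction("donate_stripe", timedelta(hours=1), 5, by_user=False),
 )
 # (public) dict to be able to look up the actions by name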
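Review bot: The new `donate_stripe` entry is the only action in this table keyed by client address (`by_user=False`) and carries no comment saying why, so the rationale lives only in the commit message. I'd add above it `# keyed by client IP rather than user: the limit targets card-testing abuse of the donation form, and a per-user key would not cover it`. How trustworthy that key is depends on how the limiter derives the client address, which is outside this hunk — if the app sits behind a reverse proxy and reads the forwarding header without restricting trust to that proxy, the limit can be weaker than intended, and if it reads the socket address every donor shares one bucket; worth confirming against the deployment. A cap of 5 per hour also applies to legitimate donors behind a shared NAT address, which seems an acceptable trade-off here but is the kind of thing the comment should state.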

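--- a/tildes/tildes/views/donate.py
+++ b/tildes/tildes/views/donate.py
@@ -13,6 +13,7 @@ from pyramid.view import view_config
 from webargs.pyramidparser import use_kwargs
 from tildes.metrics import incr_counter
+from tildes.views.decorators import rate_limit_view
 @view_config(
@@ -40,6 +41,7 @@ def get_donate_stripe(request: Request) -> dict:
 "interval": String(required=True, validate=OneOf(("onetime", "month", "year"))),
 }
 )
+@rate_limit_view("donate_stripe")
 def post_donate_stripe(
 request: Request, amount: int, currency: str, interval: str
 ) -> dict: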
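Review bot: `@rate_limit_view("donate_stripe")` is the innermost decorator, below `@use_kwargs`, so if the decorators apply in the usual bottom-up order the limit is checked only after webargs has parsed and validated the request body, and requests rejected by validation never touch the limiter. That is probably fine for the card-testing case the commit describes, since those requests are well-formed, but if the intent is to throttle every POST to this endpoint regardless of payload the decorator would need to sit directly under `@view_config(`, above `@use_kwargs`. rate_limit_view's implementation and whether it accepts the extra keyword arguments in that position are outside this hunk, so confirm before moving it. post_donate_stripe's body continues outside the hunk.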
