submit-social-housing-letti.../config/initializers/rack_attack.rb

require "configuration/configuration_service"
require "configuration/paas_configuration_service"

if Rails.env.development? || Rails.env.test?
  Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
  Rack::Attack.enabled = false
elsif Rails.env.review?
  redis_url = Configuration::PaasConfigurationService.new.redis_uris.to_a[0][1]
  Rack::Attack.cache.store = ActiveSupport::Cache::RedisCacheStore.new(url: redis_url)
else
  redis_url = Configuration::PaasConfigurationService.new.redis_uris[:"dluhc-core-#{Rails.env}-redis"]
  Rack::Attack.cache.store = ActiveSupport::Cache::RedisCacheStore.new(url: redis_url)
end

Rack::Attack.throttle("password reset requests", limit: 5, period: 60.seconds) do |request|
  if request.params["user"].present? && request.path == "/account/password" && request.post?
    request.params["user"]["email"].to_s.downcase.gsub(/\s+/, "")
  end
end

Rack::Attack.throttle("admin password reset requests", limit: 5, period: 60.seconds) do |request|
  if request.params["admin_user"].present? && request.path == "/admin/password" && request.post?
    request.params["admin_user"]["email"].to_s.downcase.gsub(/\s+/, "")
  end
end

Rack::Attack.throttled_responder = lambda do |_env|
  headers = {
    "Location" => "/429",
  }
  [301, headers, []]
end
CLDC-1520: Support external S3 configuration (#835) * Move storage classes into a dedicated module * Move configuration classes into a dedicated module * Refactor configuration service * Implement configuration via env variables 2 years ago			`require "configuration/configuration_service"`
			`require "configuration/paas_configuration_service"`
Fix dependencies at boot time (#359) 3 years ago
CLDC-1015: limit password reset (#356) * Add a failing test (for a wrong reason) * Is that correct? * Add rack attack config for reset password * Add support to read redis configuration * Add PaaS configuration for redis * Add too many requests page * Redirect to the too many requests error page * update manifest Co-authored-by: Stéphane Meny <smeny@users.noreply.github.com> 3 years ago			`if Rails.env.development? \|\| Rails.env.test?`
			`Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new`
			`Rack::Attack.enabled = false`
Add review app pipeline (#993) * Add review app pipeline * disable 2FA on review apps * update infrastructure docs about review apps 2 years ago			`elsif Rails.env.review?`
			`redis_url = Configuration::PaasConfigurationService.new.redis_uris.to_a[0][1]`
			`Rack::Attack.cache.store = ActiveSupport::Cache::RedisCacheStore.new(url: redis_url)`
CLDC-1015: limit password reset (#356) * Add a failing test (for a wrong reason) * Is that correct? * Add rack attack config for reset password * Add support to read redis configuration * Add PaaS configuration for redis * Add too many requests page * Redirect to the too many requests error page * update manifest Co-authored-by: Stéphane Meny <smeny@users.noreply.github.com> 3 years ago			`else`
Revert to f4e6d6d6bb926d900f29ac7a27518194b71f8426 (#887) 2 years ago			`redis_url = Configuration::PaasConfigurationService.new.redis_uris[:"dluhc-core-#{Rails.env}-redis"]`
CLDC-1015: limit password reset (#356) * Add a failing test (for a wrong reason) * Is that correct? * Add rack attack config for reset password * Add support to read redis configuration * Add PaaS configuration for redis * Add too many requests page * Redirect to the too many requests error page * update manifest Co-authored-by: Stéphane Meny <smeny@users.noreply.github.com> 3 years ago			`Rack::Attack.cache.store = ActiveSupport::Cache::RedisCacheStore.new(url: redis_url)`
			`end`

			`Rack::Attack.throttle("password reset requests", limit: 5, period: 60.seconds) do \|request\|`
Update tests for user account routes 3 years ago			`if request.params["user"].present? && request.path == "/account/password" && request.post?`
CLDC-1015: limit password reset (#356) * Add a failing test (for a wrong reason) * Is that correct? * Add rack attack config for reset password * Add support to read redis configuration * Add PaaS configuration for redis * Add too many requests page * Redirect to the too many requests error page * update manifest Co-authored-by: Stéphane Meny <smeny@users.noreply.github.com> 3 years ago			`request.params["user"]["email"].to_s.downcase.gsub(/\s+/, "")`
			`end`
			`end`

Throttle admin password reset (#429) 3 years ago			`Rack::Attack.throttle("admin password reset requests", limit: 5, period: 60.seconds) do \|request\|`
			`if request.params["admin_user"].present? && request.path == "/admin/password" && request.post?`
			`request.params["admin_user"]["email"].to_s.downcase.gsub(/\s+/, "")`
			`end`
			`end`

CLDC-1015: limit password reset (#356) * Add a failing test (for a wrong reason) * Is that correct? * Add rack attack config for reset password * Add support to read redis configuration * Add PaaS configuration for redis * Add too many requests page * Redirect to the too many requests error page * update manifest Co-authored-by: Stéphane Meny <smeny@users.noreply.github.com> 3 years ago			`Rack::Attack.throttled_responder = lambda do \|_env\|`
			`headers = {`
			`"Location" => "/429",`
			`}`
			`[301, headers, []]`
			`end`