rack-attack 6.2.0 → 6.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ac5af22059fcc24c45b9732a806b13ef8a39b3ab425e713d22b7d0b1c9fbae11
-  data.tar.gz: fdd20e74080d4254d7910be3d1f0343580a2cedd79b18f2448fa753acd9259e2
+  metadata.gz: e7d44de650fae1c83d5a3da49dc8f304e44280f72bd209d3f78643b90d573bd8
+  data.tar.gz: a39d0270489617a8c0a49e01868c24cc87311e80457fbc104c86e45d29978f51
 SHA512:
-  metadata.gz: 1f2a7bd75ab8423dde30e482085b19cb5cfbf7347aed13c94da63d31784939075278cc0f891af450bd33e5ef3de4ea092441b26f2519e28ecb5cbe5c6a16d007
-  data.tar.gz: fbe8d0cc86c52be9a028a4fcb2f8f2399af143b6ccd77c7377cbe5f762bb344bdb80833c5e53221ffefad57d04ee132650b38cd5e9d44c5073e475ba894a1a3f
+  metadata.gz: 7d9d965cc672bba8ab2b9f333746e32091363d6b65bf290104c248799a811f272ad8388e7f7b3d870d382e9c80a1003a300f9380c2d8082195972817146a281d
+  data.tar.gz: fbfa381116824ea4de492b66408d15bd708692a74275548c9b167868c0bee566f79a216046213c43a8eb3117b869e86ac99f989e5e4c045c30267db2981b2c6b

data/README.md

@@ -1,5 +1,5 @@
 __Note__: You are viewing the development version README.
-For the README consistent with the latest released version see https://github.com/kickstarter/rack-attack/blob/6-stable/README.md.
+For the README consistent with the latest released version see https://github.com/rack/rack-attack/blob/6-stable/README.md.
 
 # Rack::Attack
 
@@ -10,7 +10,7 @@ Protect your Rails and Rack apps from bad clients. Rack::Attack lets you easily
 See the [Backing & Hacking blog post](https://www.kickstarter.com/backing-and-hacking/rack-attack-protection-from-abusive-clients) introducing Rack::Attack.
 
 [![Gem Version](https://badge.fury.io/rb/rack-attack.svg)](https://badge.fury.io/rb/rack-attack)
-[![Build Status](https://travis-ci.org/kickstarter/rack-attack.svg?branch=master)](https://travis-ci.org/kickstarter/rack-attack)
+[![Build Status](https://travis-ci.org/rack/rack-attack.svg?branch=master)](https://travis-ci.org/rack/rack-attack)
 [![Code Climate](https://codeclimate.com/github/kickstarter/rack-attack.svg)](https://codeclimate.com/github/kickstarter/rack-attack)
 [![Join the chat at https://gitter.im/rack-attack/rack-attack](https://badges.gitter.im/rack-attack/rack-attack.svg)](https://gitter.im/rack-attack/rack-attack)
 
@@ -37,9 +37,9 @@ See the [Backing & Hacking blog post](https://www.kickstarter.com/backing-and-ha
 - [Customizing responses](#customizing-responses)
   - [RateLimit headers for well-behaved clients](#ratelimit-headers-for-well-behaved-clients)
 - [Logging & Instrumentation](#logging--instrumentation)
+- [Testing](#testing)
 - [How it works](#how-it-works)
   - [About Tracks](#about-tracks)
-- [Testing](#testing)
 - [Performance](#performance)
 - [Motivation](#motivation)
 - [Contributing](#contributing)
@@ -140,7 +140,7 @@ E.g.
 # Provided that trusted users use an HTTP request header named APIKey
 Rack::Attack.safelist("mark any authenticated access safe") do |request|
   # Requests are allowed if the return value is truthy
-  request.env["APIKey"] == "secret-string"
+  request.env["HTTP_APIKEY"] == "secret-string"
 end
 
 # Always allow requests from localhost
@@ -263,10 +263,12 @@ Rack::Attack.throttle("requests by ip", limit: 5, period: 2) do |request|
 end
 
 # Throttle login attempts for a given email parameter to 6 reqs/minute
-# Return the email as a discriminator on POST /login requests
+# Return the *normalized* email as a discriminator on POST /login requests
 Rack::Attack.throttle('limit logins per email', limit: 6, period: 60) do |req|
   if req.path == '/login' && req.post?
-    req.params['email']
+    # Normalize the email, using the same logic as your authentication process, to
+    # protect against rate limit bypasses.
+    req.params['email'].to_s.downcase.gsub(/\s+/, "")
   end
 end
 
@@ -342,6 +344,11 @@ end
 While Rack::Attack's primary focus is minimizing harm from abusive clients, it
 can also be used to return rate limit data that's helpful for well-behaved clients.
 
+If you want to return to user how many seconds to wait until they can start sending requests again, this can be done through enabling `Retry-After` header:
+```ruby
+Rack::Attack.throttled_response_retry_after_header = true
+```
+
 Here's an example response that includes conventional `RateLimit-*` headers:
 
 ```ruby
@@ -372,7 +379,7 @@ Rack::Attack uses the [ActiveSupport::Notifications](http://api.rubyonrails.org/
 
 You can subscribe to `rack_attack` events and log it, graph it, etc.
 
-To get notified about specific type of events, subscribe to the event name followed by the `rack_attack` namesapce.
+To get notified about specific type of events, subscribe to the event name followed by the `rack_attack` namespace.
 E.g. for throttles use:
 
 ```ruby
@@ -393,6 +400,20 @@ ActiveSupport::Notifications.subscribe(/rack_attack/) do |name, start, finish, r
 end
 ```
 
+## Testing
+
+A note on developing and testing apps using Rack::Attack - if you are using throttling in particular, you will
+need to enable the cache in your development environment. See [Caching with Rails](http://guides.rubyonrails.org/caching_with_rails.html)
+for more on how to do this.
+
+### Disabling
+
+`Rack::Attack.enabled = false` can be used to either completely disable Rack::Attack in your tests, or to disable/enable for specific test cases only.
+
+### Test case isolation
+
+`Rack::Attack.reset!` can be used in your test suite to clear any Rack::Attack state between different test cases.
+
 ## How it works
 
 The Rack::Attack middleware compares each request against *safelists*, *blocklists*, *throttles*, and *tracks* that you define. There are none by default.
@@ -429,13 +450,6 @@ can cleanly monkey patch helper methods onto the
 
 `Rack::Attack.track` doesn't affect request processing. Tracks are an easy way to log and measure requests matching arbitrary attributes.
 
-
-## Testing
-
-A note on developing and testing apps using Rack::Attack - if you are using throttling in particular, you will
-need to enable the cache in your development environment. See [Caching with Rails](http://guides.rubyonrails.org/caching_with_rails.html)
-for more on how to do this.
-
 ## Performance
 
 The overhead of running Rack::Attack is typically negligible (a few milliseconds per request),

data/lib/rack/attack.rb

@@ -2,9 +2,10 @@
 
 require 'rack'
 require 'forwardable'
+require 'rack/attack/cache'
+require 'rack/attack/configuration'
 require 'rack/attack/path_normalizer'
 require 'rack/attack/request'
-require "ipaddr"
 
 require 'rack/attack/railtie' if defined?(::Rails)
 
@@ -13,8 +14,8 @@ module Rack
     class Error < StandardError; end
     class MisconfiguredStoreError < Error; end
     class MissingStoreError < Error; end
+    class IncompatibleStoreError < Error; end
 
-    autoload :Cache,                'rack/attack/cache'
     autoload :Check,                'rack/attack/check'
     autoload :Throttle,             'rack/attack/throttle'
     autoload :Safelist,             'rack/attack/safelist'
@@ -31,82 +32,8 @@ module Rack
     autoload :Allow2Ban,            'rack/attack/allow2ban'
 
     class << self
-      attr_accessor :enabled, :notifier, :blocklisted_response, :throttled_response,
-                    :anonymous_blocklists, :anonymous_safelists
-
-      def safelist(name = nil, &block)
-        safelist = Safelist.new(name, &block)
-
-        if name
-          safelists[name] = safelist
-        else
-          anonymous_safelists << safelist
-        end
-      end
-
-      def blocklist(name = nil, &block)
-        blocklist = Blocklist.new(name, &block)
-
-        if name
-          blocklists[name] = blocklist
-        else
-          anonymous_blocklists << blocklist
-        end
-      end
-
-      def blocklist_ip(ip_address)
-        anonymous_blocklists << Blocklist.new { |request| IPAddr.new(ip_address).include?(IPAddr.new(request.ip)) }
-      end
-
-      def safelist_ip(ip_address)
-        anonymous_safelists << Safelist.new { |request| IPAddr.new(ip_address).include?(IPAddr.new(request.ip)) }
-      end
-
-      def throttle(name, options, &block)
-        throttles[name] = Throttle.new(name, options, &block)
-      end
-
-      def track(name, options = {}, &block)
-        tracks[name] = Track.new(name, options, &block)
-      end
-
-      def safelists
-        @safelists ||= {}
-      end
-
-      def blocklists
-        @blocklists ||= {}
-      end
-
-      def throttles
-        @throttles ||= {}
-      end
-
-      def tracks
-        @tracks ||= {}
-      end
-
-      def safelisted?(request)
-        anonymous_safelists.any? { |safelist| safelist.matched_by?(request) } ||
-          safelists.any? { |_name, safelist| safelist.matched_by?(request) }
-      end
-
-      def blocklisted?(request)
-        anonymous_blocklists.any? { |blocklist| blocklist.matched_by?(request) } ||
-          blocklists.any? { |_name, blocklist| blocklist.matched_by?(request) }
-      end
-
-      def throttled?(request)
-        throttles.any? do |_name, throttle|
-          throttle.matched_by?(request)
-        end
-      end
-
-      def tracked?(request)
-        tracks.each_value do |track|
-          track.matched_by?(request)
-        end
-      end
+      attr_accessor :enabled, :notifier
+      attr_reader :configuration
 
       def instrument(request)
         if notifier
@@ -122,55 +49,67 @@ module Rack
         @cache ||= Cache.new
       end
 
-      def clear_configuration
-        @safelists = {}
-        @blocklists = {}
-        @throttles = {}
-        @tracks = {}
-        self.anonymous_blocklists = []
-        self.anonymous_safelists = []
-      end
-
       def clear!
         warn "[DEPRECATION] Rack::Attack.clear! is deprecated. Please use Rack::Attack.clear_configuration instead"
-        clear_configuration
-      end
+        @configuration.clear_configuration
+      end
+
+      def reset!
+        cache.reset!
+      end
+
+      extend Forwardable
+      def_delegators(
+        :@configuration,
+        :safelist,
+        :blocklist,
+        :blocklist_ip,
+        :safelist_ip,
+        :throttle,
+        :track,
+        :blocklisted_response,
+        :blocklisted_response=,
+        :throttled_response,
+        :throttled_response=,
+        :throttled_response_retry_after_header,
+        :throttled_response_retry_after_header=,
+        :clear_configuration,
+        :safelists,
+        :blocklists,
+        :throttles,
+        :tracks
+      )
     end
 
     # Set defaults
     @enabled = true
-    @anonymous_blocklists = []
-    @anonymous_safelists = []
     @notifier = ActiveSupport::Notifications if defined?(ActiveSupport::Notifications)
-    @blocklisted_response = lambda { |_env| [403, { 'Content-Type' => 'text/plain' }, ["Forbidden\n"]] }
-    @throttled_response   = lambda do |env|
-      retry_after = (env['rack.attack.match_data'] || {})[:period]
-      [429, { 'Content-Type' => 'text/plain', 'Retry-After' => retry_after.to_s }, ["Retry later\n"]]
-    end
+    @configuration = Configuration.new
+
+    attr_reader :configuration
 
     def initialize(app)
       @app = app
+      @configuration = self.class.configuration
     end
 
     def call(env)
-      return @app.call(env) unless self.class.enabled
+      return @app.call(env) if !self.class.enabled || env["rack.attack.called"]
 
+      env["rack.attack.called"] = true
       env['PATH_INFO'] = PathNormalizer.normalize_path(env['PATH_INFO'])
       request = Rack::Attack::Request.new(env)
 
-      if safelisted?(request)
+      if configuration.safelisted?(request)
         @app.call(env)
-      elsif blocklisted?(request)
-        self.class.blocklisted_response.call(env)
-      elsif throttled?(request)
-        self.class.throttled_response.call(env)
+      elsif configuration.blocklisted?(request)
+        configuration.blocklisted_response.call(env)
+      elsif configuration.throttled?(request)
+        configuration.throttled_response.call(env)
       else
-        tracked?(request)
+        configuration.tracked?(request)
         @app.call(env)
       end
     end
-
-    extend Forwardable
-    def_delegators self, :safelisted?, :blocklisted?, :throttled?, :tracked?
   end
 end

data/lib/rack/attack/cache.rb

@@ -12,6 +12,7 @@ module Rack
       end
 
       attr_reader :store
+
       def store=(store)
         @store = StoreProxy.build(store)
       end
@@ -41,6 +42,17 @@ module Rack
         store.delete("#{prefix}:#{unprefixed_key}")
       end
 
+      def reset!
+        if store.respond_to?(:delete_matched)
+          store.delete_matched("#{prefix}*")
+        else
+          raise(
+            Rack::Attack::IncompatibleStoreError,
+            "Configured store #{store.class.name} doesn't respond to #delete_matched method"
+          )
+        end
+      end
+
       private
 
       def key_and_expiry(unprefixed_key, period)

data/lib/rack/attack/check.rb

@@ -4,6 +4,7 @@ module Rack
   class Attack
     class Check
       attr_reader :name, :block, :type
+
       def initialize(name, options = {}, &block)
         @name = name
         @block = block

data/lib/rack/attack/configuration.rb

@@ -0,0 +1,107 @@
+# frozen_string_literal: true
+
+require "ipaddr"
+
+module Rack
+  class Attack
+    class Configuration
+      DEFAULT_BLOCKLISTED_RESPONSE = lambda { |_env| [403, { 'Content-Type' => 'text/plain' }, ["Forbidden\n"]] }
+
+      DEFAULT_THROTTLED_RESPONSE = lambda do |env|
+        if Rack::Attack.configuration.throttled_response_retry_after_header
+          match_data = env['rack.attack.match_data']
+          now = match_data[:epoch_time]
+          retry_after = match_data[:period] - (now % match_data[:period])
+
+          [429, { 'Content-Type' => 'text/plain', 'Retry-After' => retry_after.to_s }, ["Retry later\n"]]
+        else
+          [429, { 'Content-Type' => 'text/plain' }, ["Retry later\n"]]
+        end
+      end
+
+      attr_reader :safelists, :blocklists, :throttles, :anonymous_blocklists, :anonymous_safelists
+      attr_accessor :blocklisted_response, :throttled_response, :throttled_response_retry_after_header
+
+      def initialize
+        set_defaults
+      end
+
+      def safelist(name = nil, &block)
+        safelist = Safelist.new(name, &block)
+
+        if name
+          @safelists[name] = safelist
+        else
+          @anonymous_safelists << safelist
+        end
+      end
+
+      def blocklist(name = nil, &block)
+        blocklist = Blocklist.new(name, &block)
+
+        if name
+          @blocklists[name] = blocklist
+        else
+          @anonymous_blocklists << blocklist
+        end
+      end
+
+      def blocklist_ip(ip_address)
+        @anonymous_blocklists << Blocklist.new { |request| IPAddr.new(ip_address).include?(IPAddr.new(request.ip)) }
+      end
+
+      def safelist_ip(ip_address)
+        @anonymous_safelists << Safelist.new { |request| IPAddr.new(ip_address).include?(IPAddr.new(request.ip)) }
+      end
+
+      def throttle(name, options, &block)
+        @throttles[name] = Throttle.new(name, options, &block)
+      end
+
+      def track(name, options = {}, &block)
+        @tracks[name] = Track.new(name, options, &block)
+      end
+
+      def safelisted?(request)
+        @anonymous_safelists.any? { |safelist| safelist.matched_by?(request) } ||
+          @safelists.any? { |_name, safelist| safelist.matched_by?(request) }
+      end
+
+      def blocklisted?(request)
+        @anonymous_blocklists.any? { |blocklist| blocklist.matched_by?(request) } ||
+          @blocklists.any? { |_name, blocklist| blocklist.matched_by?(request) }
+      end
+
+      def throttled?(request)
+        @throttles.any? do |_name, throttle|
+          throttle.matched_by?(request)
+        end
+      end
+
+      def tracked?(request)
+        @tracks.each_value do |track|
+          track.matched_by?(request)
+        end
+      end
+
+      def clear_configuration
+        set_defaults
+      end
+
+      private
+
+      def set_defaults
+        @safelists = {}
+        @blocklists = {}
+        @throttles = {}
+        @tracks = {}
+        @anonymous_blocklists = []
+        @anonymous_safelists = []
+        @throttled_response_retry_after_header = false
+
+        @blocklisted_response = DEFAULT_BLOCKLISTED_RESPONSE
+        @throttled_response = DEFAULT_THROTTLED_RESPONSE
+      end
+    end
+  end
+end

data/lib/rack/attack/railtie.rb

@@ -3,17 +3,9 @@
 module Rack
   class Attack
     class Railtie < ::Rails::Railtie
-      initializer 'rack.attack.middleware', after: :load_config_initializers, before: :build_middleware_stack do |app|
+      initializer "rack-attack.middleware" do |app|
         if Gem::Version.new(::Rails::VERSION::STRING) >= Gem::Version.new("5.1")
-          middlewares = app.config.middleware
-          operations = middlewares.send(:operations) + middlewares.send(:delete_operations)
-
-          use_middleware = operations.none? do |operation|
-            middleware = operation[1]
-            middleware.include?(Rack::Attack)
-          end
-
-          middlewares.use(Rack::Attack) if use_middleware
+          app.middleware.use(Rack::Attack)
         end
       end
     end

data/lib/rack/attack/store_proxy/redis_cache_store_proxy.rb

@@ -10,38 +10,26 @@ module Rack
           store.class.name == "ActiveSupport::Cache::RedisCacheStore"
         end
 
-        def increment(name, amount = 1, options = {})
+        def increment(name, amount = 1, **options)
           # RedisCacheStore#increment ignores options[:expires_in].
           #
           # So in order to workaround this we use RedisCacheStore#write (which sets expiration) to initialize
           # the counter. After that we continue using the original RedisCacheStore#increment.
-          rescuing do
-            if options[:expires_in] && !read(name)
-              write(name, amount, options)
+          if options[:expires_in] && !read(name)
+            write(name, amount, options)
 
-              amount
-            else
-              super
-            end
+            amount
+          else
+            super
           end
         end
 
-        def read(*_args)
-          rescuing { super }
+        def read(name, options = {})
+          super(name, options.merge!(raw: true))
         end
 
         def write(name, value, options = {})
-          rescuing do
-            super(name, value, options.merge!(raw: true))
-          end
-        end
-
-        private
-
-        def rescuing
-          yield
-        rescue Redis::BaseError
-          nil
+          super(name, value, options.merge!(raw: true))
         end
       end
     end

data/lib/rack/attack/store_proxy/redis_proxy.rb

@@ -31,27 +31,36 @@ module Rack
         end
 
         def increment(key, amount, options = {})
-          count = nil
-
           rescuing do
             pipelined do
-              count = incrby(key, amount)
+              incrby(key, amount)
               expire(key, options[:expires_in]) if options[:expires_in]
-            end
+            end.first
           end
-
-          count.value if count
         end
 
         def delete(key, _options = {})
           rescuing { del(key) }
         end
 
+        def delete_matched(matcher, _options = nil)
+          cursor = "0"
+
+          rescuing do
+            # Fetch keys in batches using SCAN to avoid blocking the Redis server.
+            loop do
+              cursor, keys = scan(cursor, match: matcher, count: 1000)
+              del(*keys) unless keys.empty?
+              break if cursor == "0"
+            end
+          end
+        end
+
         private
 
         def rescuing
           yield
-        rescue Redis::BaseError
+        rescue Redis::BaseConnectionError
           nil
         end
       end

data/lib/rack/attack/throttle.rb

@@ -6,6 +6,7 @@ module Rack
       MANDATORY_OPTIONS = [:limit, :period].freeze
 
       attr_reader :name, :limit, :period, :block, :type
+
       def initialize(name, options, &block)
         @name = name
         @block = block
@@ -23,34 +24,50 @@ module Rack
 
       def matched_by?(request)
         discriminator = block.call(request)
+
         return false unless discriminator
 
-        current_period = period.respond_to?(:call) ? period.call(request) : period
-        current_limit  = limit.respond_to?(:call) ? limit.call(request) : limit
-        key            = "#{name}:#{discriminator}"
-        count          = cache.count(key, current_period)
-        epoch_time     = cache.last_epoch_time
+        current_period  = period_for(request)
+        current_limit   = limit_for(request)
+        count           = cache.count("#{name}:#{discriminator}", current_period)
 
         data = {
           discriminator: discriminator,
           count: count,
           period: current_period,
           limit: current_limit,
-          epoch_time: epoch_time
+          epoch_time: cache.last_epoch_time
         }
 
-        (request.env['rack.attack.throttle_data'] ||= {})[name] = data
-
         (count > current_limit).tap do |throttled|
+          annotate_request_with_throttle_data(request, data)
           if throttled
-            request.env['rack.attack.matched']             = name
-            request.env['rack.attack.match_discriminator'] = discriminator
-            request.env['rack.attack.match_type']          = type
-            request.env['rack.attack.match_data']          = data
+            annotate_request_with_matched_data(request, data)
             Rack::Attack.instrument(request)
           end
         end
       end
+
+      private
+
+      def period_for(request)
+        period.respond_to?(:call) ? period.call(request) : period
+      end
+
+      def limit_for(request)
+        limit.respond_to?(:call) ? limit.call(request) : limit
+      end
+
+      def annotate_request_with_throttle_data(request, data)
+        (request.env['rack.attack.throttle_data'] ||= {})[name] = data
+      end
+
+      def annotate_request_with_matched_data(request, data)
+        request.env['rack.attack.matched']             = name
+        request.env['rack.attack.match_discriminator'] = data[:discriminator]
+        request.env['rack.attack.match_type']          = type
+        request.env['rack.attack.match_data']          = data
+      end
     end
   end
 end

data/lib/rack/attack/version.rb

@@ -2,6 +2,6 @@
 
 module Rack
   class Attack
-    VERSION = '6.2.0'
+    VERSION = '6.4.0'
   end
 end

data/spec/acceptance/rails_middleware_spec.rb

@@ -18,12 +18,6 @@ if defined?(Rails)
         assert_equal 1, @app.middleware.count(Rack::Attack)
       end
 
-      it "is not added when it was added explicitly" do
-        @app.config.middleware.use(Rack::Attack)
-        @app.initialize!
-        assert_equal 1, @app.middleware.count(Rack::Attack)
-      end
-
       it "is not added when it was explicitly deleted" do
         @app.config.middleware.delete(Rack::Attack)
         @app.initialize!

data/spec/acceptance/stores/active_support_redis_cache_store_pooled_spec.rb

@@ -21,6 +21,6 @@ if should_run
       Rack::Attack.cache.store.clear
     end
 
-    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.fetch(key) })
+    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.read(key) })
   end
 end

data/spec/acceptance/stores/active_support_redis_cache_store_spec.rb

@@ -20,6 +20,6 @@ if should_run
       Rack::Attack.cache.store.clear
     end
 
-    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.fetch(key) })
+    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.read(key) })
   end
 end

data/spec/acceptance/throttling_spec.rb

@@ -20,7 +20,7 @@ describe "#throttle" do
     get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
 
     assert_equal 429, last_response.status
-    assert_equal "60", last_response.headers["Retry-After"]
+    assert_nil last_response.headers["Retry-After"]
     assert_equal "Retry later\n", last_response.body
 
     get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
@@ -34,6 +34,24 @@ describe "#throttle" do
     end
   end
 
+  it "returns correct Retry-After header if enabled" do
+    Rack::Attack.throttled_response_retry_after_header = true
+
+    Rack::Attack.throttle("by ip", limit: 1, period: 60) do |request|
+      request.ip
+    end
+
+    Timecop.freeze(Time.at(0)) do
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+      assert_equal 200, last_response.status
+    end
+
+    Timecop.freeze(Time.at(25)) do
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+      assert_equal "35", last_response.headers["Retry-After"]
+    end
+  end
+
   it "supports limit to be dynamic" do
     # Could be used to have different rate limits for authorized
     # vs general requests

data/spec/integration/offline_spec.rb

@@ -13,7 +13,11 @@ OfflineExamples = Minitest::SharedExamples.new do
   end
 
   it 'should count' do
-    @cache.send(:do_count, 'rack::attack::cache-test-key', 1)
+    @cache.count('cache-test-key', 1)
+  end
+
+  it 'should delete' do
+    @cache.delete('cache-test-key')
   end
 end
 
@@ -29,6 +33,18 @@ if defined?(::ActiveSupport::Cache::RedisStore)
   end
 end
 
+if defined?(Redis) && defined?(ActiveSupport::Cache::RedisCacheStore) && Redis::VERSION >= '4'
+  describe 'when Redis is offline' do
+    include OfflineExamples
+
+    before do
+      @cache = Rack::Attack::Cache.new
+      # Use presumably unused port for Redis client
+      @cache.store = ActiveSupport::Cache::RedisCacheStore.new(host: '127.0.0.1', port: 3333)
+    end
+  end
+end
+
 if defined?(::Dalli)
   describe 'when Memcached is offline' do
     include OfflineExamples
@@ -45,3 +61,32 @@ if defined?(::Dalli)
     end
   end
 end
+
+if defined?(::Dalli) && defined?(::ActiveSupport::Cache::MemCacheStore)
+  describe 'when Memcached is offline' do
+    include OfflineExamples
+
+    before do
+      Dalli.logger.level = Logger::FATAL
+
+      @cache = Rack::Attack::Cache.new
+      @cache.store = ActiveSupport::Cache::MemCacheStore.new('127.0.0.1:22122')
+    end
+
+    after do
+      Dalli.logger.level = Logger::INFO
+    end
+  end
+end
+
+if defined?(Redis)
+  describe 'when Redis is offline' do
+    include OfflineExamples
+
+    before do
+      @cache = Rack::Attack::Cache.new
+      # Use presumably unused port for Redis client
+      @cache.store = Redis.new(host: '127.0.0.1', port: 3333)
+    end
+  end
+end

data/spec/rack_attack_spec.rb

@@ -99,4 +99,26 @@ describe 'Rack::Attack' do
       end
     end
   end
+
+  describe 'reset!' do
+    it 'raises an error when is not supported by cache store' do
+      Rack::Attack.cache.store = Class.new
+      assert_raises(Rack::Attack::IncompatibleStoreError) do
+        Rack::Attack.reset!
+      end
+    end
+
+    if defined?(Redis)
+      it 'should delete rack attack keys' do
+        redis = Redis.new
+        redis.set('key', 'value')
+        redis.set("#{Rack::Attack.cache.prefix}::key", 'value')
+        Rack::Attack.cache.store = redis
+        Rack::Attack.reset!
+
+        _(redis.get('key')).must_equal 'value'
+        _(redis.get("#{Rack::Attack.cache.prefix}::key")).must_be_nil
+      end
+    end
+  end
 end

data/spec/rack_attack_throttle_spec.rb

@@ -57,10 +57,6 @@ describe 'Rack::Attack.throttle' do
 
       _(last_request.env['rack.attack.match_discriminator']).must_equal('1.2.3.4')
     end
-
-    it 'should set a Retry-After header' do
-      _(last_response.headers['Retry-After']).must_equal @period.to_s
-    end
   end
 end
 

data/spec/spec_helper.rb

@@ -30,22 +30,19 @@ class MiniTest::Spec
 
   before do
     Rails.cache = nil
-    @_original_throttled_response = Rack::Attack.throttled_response
-    @_original_blocklisted_response = Rack::Attack.blocklisted_response
   end
 
   after do
     Rack::Attack.clear_configuration
     Rack::Attack.instance_variable_set(:@cache, nil)
-
-    Rack::Attack.throttled_response = @_original_throttled_response
-    Rack::Attack.blocklisted_response = @_original_blocklisted_response
   end
 
   def app
     Rack::Builder.new do
       # Use Rack::Lint to test that rack-attack is complying with the rack spec
       use Rack::Lint
+      # Intentionally added twice to test idempotence property
+      use Rack::Attack
       use Rack::Attack
       use Rack::Lint
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-attack
 version: !ruby/object:Gem::Version
-  version: 6.2.0
+  version: 6.4.0
 platform: ruby
 authors:
 - Aaron Suggs
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-10-12 00:00:00.000000000 Z
+date: 2021-01-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -126,14 +126,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.75.0
+        version: 0.89.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.75.0
+        version: 0.89.1
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
@@ -185,7 +185,7 @@ dependencies:
         version: '4.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.1'
+        version: '6.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -195,7 +195,7 @@ dependencies:
         version: '4.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.1'
+        version: '6.2'
 description: A rack middleware for throttling and blocking abusive requests
 email: aaron@ktheory.com
 executables: []
@@ -204,12 +204,12 @@ extra_rdoc_files: []
 files:
 - README.md
 - Rakefile
-- bin/setup
 - lib/rack/attack.rb
 - lib/rack/attack/allow2ban.rb
 - lib/rack/attack/blocklist.rb
 - lib/rack/attack/cache.rb
 - lib/rack/attack/check.rb
+- lib/rack/attack/configuration.rb
 - lib/rack/attack/fail2ban.rb
 - lib/rack/attack/path_normalizer.rb
 - lib/rack/attack/railtie.rb
@@ -267,13 +267,13 @@ files:
 - spec/rack_attack_track_spec.rb
 - spec/spec_helper.rb
 - spec/support/cache_store_helper.rb
-homepage: https://github.com/kickstarter/rack-attack
+homepage: https://github.com/rack/rack-attack
 licenses:
 - MIT
 metadata:
-  bug_tracker_uri: https://github.com/kickstarter/rack-attack/issues
-  changelog_uri: https://github.com/kickstarter/rack-attack/blob/master/CHANGELOG.md
-  source_code_uri: https://github.com/kickstarter/rack-attack
+  bug_tracker_uri: https://github.com/rack/rack-attack/issues
+  changelog_uri: https://github.com/rack/rack-attack/blob/master/CHANGELOG.md
+  source_code_uri: https://github.com/rack/rack-attack
 post_install_message: 
 rdoc_options:
 - "--charset=UTF-8"
@@ -283,57 +283,57 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.3'
+      version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.6
+rubygems_version: 3.2.6
 signing_key: 
 specification_version: 4
 summary: Block & throttle abusive requests
 test_files:
-- spec/integration/offline_spec.rb
-- spec/rack_attack_path_normalizer_spec.rb
-- spec/acceptance/safelisting_subnet_spec.rb
-- spec/acceptance/rails_middleware_spec.rb
-- spec/acceptance/track_throttle_spec.rb
-- spec/acceptance/cache_store_config_for_fail2ban_spec.rb
-- spec/acceptance/cache_store_config_with_rails_spec.rb
-- spec/acceptance/cache_store_config_for_allow2ban_spec.rb
-- spec/acceptance/safelisting_ip_spec.rb
-- spec/acceptance/track_spec.rb
-- spec/acceptance/blocking_subnet_spec.rb
-- spec/acceptance/blocking_ip_spec.rb
 - spec/acceptance/allow2ban_spec.rb
-- spec/acceptance/throttling_spec.rb
+- spec/acceptance/blocking_ip_spec.rb
 - spec/acceptance/blocking_spec.rb
+- spec/acceptance/blocking_subnet_spec.rb
+- spec/acceptance/cache_store_config_for_allow2ban_spec.rb
+- spec/acceptance/cache_store_config_for_fail2ban_spec.rb
+- spec/acceptance/cache_store_config_for_throttle_spec.rb
+- spec/acceptance/cache_store_config_with_rails_spec.rb
+- spec/acceptance/customizing_blocked_response_spec.rb
 - spec/acceptance/customizing_throttled_response_spec.rb
 - spec/acceptance/extending_request_object_spec.rb
-- spec/acceptance/safelisting_spec.rb
-- spec/acceptance/cache_store_config_for_throttle_spec.rb
 - spec/acceptance/fail2ban_spec.rb
+- spec/acceptance/rails_middleware_spec.rb
+- spec/acceptance/safelisting_ip_spec.rb
+- spec/acceptance/safelisting_spec.rb
+- spec/acceptance/safelisting_subnet_spec.rb
+- spec/acceptance/stores/active_support_dalli_store_spec.rb
 - spec/acceptance/stores/active_support_mem_cache_store_pooled_spec.rb
-- spec/acceptance/stores/active_support_redis_cache_store_spec.rb
-- spec/acceptance/stores/active_support_memory_store_spec.rb
-- spec/acceptance/stores/active_support_redis_store_spec.rb
 - spec/acceptance/stores/active_support_mem_cache_store_spec.rb
+- spec/acceptance/stores/active_support_memory_store_spec.rb
 - spec/acceptance/stores/active_support_redis_cache_store_pooled_spec.rb
+- spec/acceptance/stores/active_support_redis_cache_store_spec.rb
+- spec/acceptance/stores/active_support_redis_store_spec.rb
 - spec/acceptance/stores/connection_pool_dalli_client_spec.rb
-- spec/acceptance/stores/active_support_dalli_store_spec.rb
-- spec/acceptance/stores/redis_store_spec.rb
 - spec/acceptance/stores/dalli_client_spec.rb
 - spec/acceptance/stores/redis_spec.rb
-- spec/acceptance/customizing_blocked_response_spec.rb
-- spec/spec_helper.rb
+- spec/acceptance/stores/redis_store_spec.rb
+- spec/acceptance/throttling_spec.rb
+- spec/acceptance/track_spec.rb
+- spec/acceptance/track_throttle_spec.rb
 - spec/allow2ban_spec.rb
-- spec/rack_attack_instrumentation_spec.rb
+- spec/fail2ban_spec.rb
+- spec/integration/offline_spec.rb
 - spec/rack_attack_dalli_proxy_spec.rb
+- spec/rack_attack_instrumentation_spec.rb
+- spec/rack_attack_path_normalizer_spec.rb
+- spec/rack_attack_request_spec.rb
 - spec/rack_attack_spec.rb
 - spec/rack_attack_throttle_spec.rb
-- spec/rack_attack_request_spec.rb
-- spec/fail2ban_spec.rb
 - spec/rack_attack_track_spec.rb
+- spec/spec_helper.rb
 - spec/support/cache_store_helper.rb

data/bin/setup

@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-IFS=$'\n\t'
-set -vx
-
-bundle install
-
-# Do any other automated setup that you need to do here