rack-attack 6.3.0 → 6.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cba47e380843d184fd3df1af08b252aca3fc2411de7ccbd62a9b7da6ee933b72
-  data.tar.gz: 0dc5300a553830ca7e1cfa84de814fd743e608b9ec0140fd6b1145c421085ba7
+  metadata.gz: c87eb44c705e3cfd5e5724266185a989cd60c44333ad211f21789a6778f18ac1
+  data.tar.gz: 54761820c0b6dd8ef062d6cce59f1807d98a05e9f00ffa2eadf7e4258a557ed3
 SHA512:
-  metadata.gz: 71fd5eace9c851dab06317f3f4f4f28a2cbc20dd20c663228fbd073a052b4f30c4de87a06109ce9cf6b7395fc547b0c99b6f4e579285a699be40a93a9511452f
-  data.tar.gz: 5139f0be932f94273dba2d8d59ccbcb0e14ca92656b68d126099a124f04160c2c426e72f330b9e3c5dd8ed560f2fb292aa68dde2c32f2238d36c8c7e95422d01
+  metadata.gz: 4a9382dcf4a307716eb77a4d232a081e0354c8f81c78d71076518db9939daed4319fbf605714514438c538f8e0c75c99b90a6f261730d67831af66a0b7208f57
+  data.tar.gz: dc207b3c238721aee545025c12440ae83ab6d924ceaeecaaaaa25b84a546f579d3518476ca2f55d5839fc24170d1a0ae7b95bd424ed57b84c23f74afa271922b

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License
+
+Copyright (c) 2016 Kickstarter, PBC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -1,5 +1,5 @@
-__Note__: You are viewing the development version README.
-For the README consistent with the latest released version see https://github.com/kickstarter/rack-attack/blob/6-stable/README.md.
+:warning:  You are viewing the development's branch version of README which might contain documentation for unreleased features.
+For the README consistent with the latest released version see https://github.com/rack/rack-attack/blob/6-stable/README.md.
 
 # Rack::Attack
 
@@ -10,7 +10,7 @@ Protect your Rails and Rack apps from bad clients. Rack::Attack lets you easily
 See the [Backing & Hacking blog post](https://www.kickstarter.com/backing-and-hacking/rack-attack-protection-from-abusive-clients) introducing Rack::Attack.
 
 [![Gem Version](https://badge.fury.io/rb/rack-attack.svg)](https://badge.fury.io/rb/rack-attack)
-[![Build Status](https://travis-ci.org/kickstarter/rack-attack.svg?branch=master)](https://travis-ci.org/kickstarter/rack-attack)
+[![build](https://github.com/rack/rack-attack/actions/workflows/build.yml/badge.svg)](https://github.com/rack/rack-attack/actions/workflows/build.yml)
 [![Code Climate](https://codeclimate.com/github/kickstarter/rack-attack.svg)](https://codeclimate.com/github/kickstarter/rack-attack)
 [![Join the chat at https://gitter.im/rack-attack/rack-attack](https://badges.gitter.im/rack-attack/rack-attack.svg)](https://gitter.im/rack-attack/rack-attack)
 
@@ -37,9 +37,9 @@ See the [Backing & Hacking blog post](https://www.kickstarter.com/backing-and-ha
 - [Customizing responses](#customizing-responses)
   - [RateLimit headers for well-behaved clients](#ratelimit-headers-for-well-behaved-clients)
 - [Logging & Instrumentation](#logging--instrumentation)
+- [Testing](#testing)
 - [How it works](#how-it-works)
   - [About Tracks](#about-tracks)
-- [Testing](#testing)
 - [Performance](#performance)
 - [Motivation](#motivation)
 - [Contributing](#contributing)
@@ -71,12 +71,7 @@ Or install it yourself as:
 
 Then tell your ruby web application to use rack-attack as a middleware.
 
-a) For __rails__ applications with versions >= 5.1 it is used by default. For older rails versions you should enable it explicitly:
-```ruby
-# In config/application.rb
-
-config.middleware.use Rack::Attack
-```
+a) For __rails__ applications it is used by default.
 
 You can disable it permanently (like for specific environment) or temporarily (can be useful for specific test cases) by writing:
 
@@ -140,7 +135,7 @@ E.g.
 # Provided that trusted users use an HTTP request header named APIKey
 Rack::Attack.safelist("mark any authenticated access safe") do |request|
   # Requests are allowed if the return value is truthy
-  request.env["APIKey"] == "secret-string"
+  request.env["HTTP_APIKEY"] == "secret-string"
 end
 
 # Always allow requests from localhost
@@ -263,10 +258,12 @@ Rack::Attack.throttle("requests by ip", limit: 5, period: 2) do |request|
 end
 
 # Throttle login attempts for a given email parameter to 6 reqs/minute
-# Return the email as a discriminator on POST /login requests
+# Return the *normalized* email as a discriminator on POST /login requests
 Rack::Attack.throttle('limit logins per email', limit: 6, period: 60) do |req|
   if req.path == '/login' && req.post?
-    req.params['email']
+    # Normalize the email, using the same logic as your authentication process, to
+    # protect against rate limit bypasses.
+    req.params['email'].to_s.downcase.gsub(/\s+/, "")
   end
 end
 
@@ -315,21 +312,21 @@ Note that `Rack::Attack.cache` is only used for throttling, allow2ban and fail2b
 
 ## Customizing responses
 
-Customize the response of blocklisted and throttled requests using an object that adheres to the [Rack app interface](http://www.rubydoc.info/github/rack/rack/file/SPEC).
+Customize the response of blocklisted and throttled requests using an object that adheres to the [Rack app interface](http://www.rubydoc.info/github/rack/rack/file/SPEC.rdoc).
 
 ```ruby
-Rack::Attack.blocklisted_response = lambda do |env|
+Rack::Attack.blocklisted_responder = lambda do |request|
   # Using 503 because it may make attacker think that they have successfully
   # DOSed the site. Rack::Attack returns 403 for blocklists by default
   [ 503, {}, ['Blocked']]
 end
 
-Rack::Attack.throttled_response = lambda do |env|
+Rack::Attack.throttled_responder = lambda do |request|
   # NB: you have access to the name and other data about the matched throttle
-  #  env['rack.attack.matched'],
-  #  env['rack.attack.match_type'],
-  #  env['rack.attack.match_data'],
-  #  env['rack.attack.match_discriminator']
+  #  request.env['rack.attack.matched'],
+  #  request.env['rack.attack.match_type'],
+  #  request.env['rack.attack.match_data'],
+  #  request.env['rack.attack.match_discriminator']
 
   # Using 503 because it may make attacker think that they have successfully
   # DOSed the site. Rack::Attack returns 429 for throttling by default
@@ -342,7 +339,7 @@ end
 While Rack::Attack's primary focus is minimizing harm from abusive clients, it
 can also be used to return rate limit data that's helpful for well-behaved clients.
 
-If you want to return to user how many seconds to wait until he can start sending requests again, this can be done through enabling `Retry-After` header:
+If you want to return to user how many seconds to wait until they can start sending requests again, this can be done through enabling `Retry-After` header:
 ```ruby
 Rack::Attack.throttled_response_retry_after_header = true
 ```
@@ -377,7 +374,7 @@ Rack::Attack uses the [ActiveSupport::Notifications](http://api.rubyonrails.org/
 
 You can subscribe to `rack_attack` events and log it, graph it, etc.
 
-To get notified about specific type of events, subscribe to the event name followed by the `rack_attack` namesapce.
+To get notified about specific type of events, subscribe to the event name followed by the `rack_attack` namespace.
 E.g. for throttles use:
 
 ```ruby
@@ -398,6 +395,20 @@ ActiveSupport::Notifications.subscribe(/rack_attack/) do |name, start, finish, r
 end
 ```
 
+## Testing
+
+A note on developing and testing apps using Rack::Attack - if you are using throttling in particular, you will
+need to enable the cache in your development environment. See [Caching with Rails](http://guides.rubyonrails.org/caching_with_rails.html)
+for more on how to do this.
+
+### Disabling
+
+`Rack::Attack.enabled = false` can be used to either completely disable Rack::Attack in your tests, or to disable/enable for specific test cases only.
+
+### Test case isolation
+
+`Rack::Attack.reset!` can be used in your test suite to clear any Rack::Attack state between different test cases. If you're testing blocklist and safelist configurations, consider using `Rack::Attack.clear_configuration` to unset the values for those lists between test cases.
+
 ## How it works
 
 The Rack::Attack middleware compares each request against *safelists*, *blocklists*, *throttles*, and *tracks* that you define. There are none by default.
@@ -416,9 +427,9 @@ def call(env)
   if safelisted?(req)
     @app.call(env)
   elsif blocklisted?(req)
-    self.class.blocklisted_response.call(env)
+    self.class.blocklisted_responder.call(req)
   elsif throttled?(req)
-    self.class.throttled_response.call(env)
+    self.class.throttled_responder.call(req)
   else
     tracked?(req)
     @app.call(env)
@@ -434,13 +445,6 @@ can cleanly monkey patch helper methods onto the
 
 `Rack::Attack.track` doesn't affect request processing. Tracks are an easy way to log and measure requests matching arbitrary attributes.
 
-
-## Testing
-
-A note on developing and testing apps using Rack::Attack - if you are using throttling in particular, you will
-need to enable the cache in your development environment. See [Caching with Rails](http://guides.rubyonrails.org/caching_with_rails.html)
-for more on how to do this.
-
 ## Performance
 
 The overhead of running Rack::Attack is typically negligible (a few milliseconds per request),

data/lib/rack/attack/base_proxy.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'delegate'
+
+module Rack
+  class Attack
+    class BaseProxy < SimpleDelegator
+      class << self
+        def proxies
+          @@proxies ||= []
+        end
+
+        def inherited(klass)
+          proxies << klass
+        end
+
+        def lookup(store)
+          proxies.find { |proxy| proxy.handle?(store) }
+        end
+
+        def handle?(_store)
+          raise NotImplementedError
+        end
+      end
+    end
+  end
+end

data/lib/rack/attack/cache.rb

@@ -12,8 +12,14 @@ module Rack
       end
 
       attr_reader :store
+
       def store=(store)
-        @store = StoreProxy.build(store)
+        @store =
+          if (proxy = BaseProxy.lookup(store))
+            proxy.new(store)
+          else
+            store
+          end
       end
 
       def count(unprefixed_key, period)

data/lib/rack/attack/check.rb

@@ -4,6 +4,7 @@ module Rack
   class Attack
     class Check
       attr_reader :name, :block, :type
+
       def initialize(name, options = {}, &block)
         @name = name
         @block = block

data/lib/rack/attack/configuration.rb

@@ -5,11 +5,11 @@ require "ipaddr"
 module Rack
   class Attack
     class Configuration
-      DEFAULT_BLOCKLISTED_RESPONSE = lambda { |_env| [403, { 'Content-Type' => 'text/plain' }, ["Forbidden\n"]] }
+      DEFAULT_BLOCKLISTED_RESPONDER = lambda { |_req| [403, { 'Content-Type' => 'text/plain' }, ["Forbidden\n"]] }
 
-      DEFAULT_THROTTLED_RESPONSE = lambda do |env|
+      DEFAULT_THROTTLED_RESPONDER = lambda do |req|
         if Rack::Attack.configuration.throttled_response_retry_after_header
-          match_data = env['rack.attack.match_data']
+          match_data = req.env['rack.attack.match_data']
           now = match_data[:epoch_time]
           retry_after = match_data[:period] - (now % match_data[:period])
 
@@ -20,7 +20,21 @@ module Rack
       end
 
       attr_reader :safelists, :blocklists, :throttles, :anonymous_blocklists, :anonymous_safelists
-      attr_accessor :blocklisted_response, :throttled_response, :throttled_response_retry_after_header
+      attr_accessor :blocklisted_responder, :throttled_responder, :throttled_response_retry_after_header
+
+      attr_reader :blocklisted_response, :throttled_response # Keeping these for backwards compatibility
+
+      def blocklisted_response=(responder)
+        warn "[DEPRECATION] Rack::Attack.blocklisted_response is deprecated. "\
+          "Please use Rack::Attack.blocklisted_responder instead."
+        @blocklisted_response = responder
+      end
+
+      def throttled_response=(responder)
+        warn "[DEPRECATION] Rack::Attack.throttled_response is deprecated. "\
+          "Please use Rack::Attack.throttled_responder instead"
+        @throttled_response = responder
+      end
 
       def initialize
         set_defaults
@@ -99,8 +113,12 @@ module Rack
         @anonymous_safelists = []
         @throttled_response_retry_after_header = false
 
-        @blocklisted_response = DEFAULT_BLOCKLISTED_RESPONSE
-        @throttled_response = DEFAULT_THROTTLED_RESPONSE
+        @blocklisted_responder = DEFAULT_BLOCKLISTED_RESPONDER
+        @throttled_responder = DEFAULT_THROTTLED_RESPONDER
+
+        # Deprecated: Keeping these for backwards compatibility
+        @blocklisted_response = nil
+        @throttled_response = nil
       end
     end
   end

data/lib/rack/attack/railtie.rb

@@ -4,9 +4,7 @@ module Rack
   class Attack
     class Railtie < ::Rails::Railtie
       initializer "rack-attack.middleware" do |app|
-        if Gem::Version.new(::Rails::VERSION::STRING) >= Gem::Version.new("5.1")
-          app.middleware.use(Rack::Attack)
-        end
+        app.middleware.use(Rack::Attack)
       end
     end
   end

data/lib/rack/attack/store_proxy/active_support_redis_store_proxy.rb

@@ -1,11 +1,11 @@
 # frozen_string_literal: true
 
-require 'delegate'
+require 'rack/attack/base_proxy'
 
 module Rack
   class Attack
     module StoreProxy
-      class ActiveSupportRedisStoreProxy < SimpleDelegator
+      class ActiveSupportRedisStoreProxy < BaseProxy
         def self.handle?(store)
           defined?(::Redis) &&
             defined?(::ActiveSupport::Cache::RedisStore) &&

data/lib/rack/attack/store_proxy/dalli_proxy.rb

@@ -1,11 +1,11 @@
 # frozen_string_literal: true
 
-require 'delegate'
+require 'rack/attack/base_proxy'
 
 module Rack
   class Attack
     module StoreProxy
-      class DalliProxy < SimpleDelegator
+      class DalliProxy < BaseProxy
         def self.handle?(store)
           return false unless defined?(::Dalli)
 

data/lib/rack/attack/store_proxy/mem_cache_store_proxy.rb

@@ -1,17 +1,21 @@
 # frozen_string_literal: true
 
-require 'delegate'
+require 'rack/attack/base_proxy'
 
 module Rack
   class Attack
     module StoreProxy
-      class MemCacheStoreProxy < SimpleDelegator
+      class MemCacheStoreProxy < BaseProxy
         def self.handle?(store)
           defined?(::Dalli) &&
             defined?(::ActiveSupport::Cache::MemCacheStore) &&
             store.is_a?(::ActiveSupport::Cache::MemCacheStore)
         end
 
+        def read(name, options = {})
+          super(name, options.merge!(raw: true))
+        end
+
         def write(name, value, options = {})
           super(name, value, options.merge!(raw: true))
         end

data/lib/rack/attack/store_proxy/redis_cache_store_proxy.rb

@@ -1,16 +1,16 @@
 # frozen_string_literal: true
 
-require 'delegate'
+require 'rack/attack/base_proxy'
 
 module Rack
   class Attack
     module StoreProxy
-      class RedisCacheStoreProxy < SimpleDelegator
+      class RedisCacheStoreProxy < BaseProxy
         def self.handle?(store)
           store.class.name == "ActiveSupport::Cache::RedisCacheStore"
         end
 
-        def increment(name, amount = 1, options = {})
+        def increment(name, amount = 1, **options)
           # RedisCacheStore#increment ignores options[:expires_in].
           #
           # So in order to workaround this we use RedisCacheStore#write (which sets expiration) to initialize
@@ -24,6 +24,10 @@ module Rack
           end
         end
 
+        def read(name, options = {})
+          super(name, options.merge!(raw: true))
+        end
+
         def write(name, value, options = {})
           super(name, value, options.merge!(raw: true))
         end

data/lib/rack/attack/store_proxy/redis_proxy.rb

@@ -1,11 +1,11 @@
 # frozen_string_literal: true
 
-require 'delegate'
+require 'rack/attack/base_proxy'
 
 module Rack
   class Attack
     module StoreProxy
-      class RedisProxy < SimpleDelegator
+      class RedisProxy < BaseProxy
         def initialize(*args)
           if Gem::Version.new(Redis::VERSION) < Gem::Version.new("3")
             warn 'RackAttack requires Redis gem >= 3.0.0.'
@@ -15,7 +15,7 @@ module Rack
         end
 
         def self.handle?(store)
-          defined?(::Redis) && store.is_a?(::Redis)
+          defined?(::Redis) && store.class == ::Redis
         end
 
         def read(key)

data/lib/rack/attack/store_proxy/redis_store_proxy.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require 'delegate'
+require 'rack/attack/store_proxy/redis_proxy'
 
 module Rack
   class Attack

data/lib/rack/attack/throttle.rb

@@ -6,6 +6,7 @@ module Rack
       MANDATORY_OPTIONS = [:limit, :period].freeze
 
       attr_reader :name, :limit, :period, :block, :type
+
       def initialize(name, options, &block)
         @name = name
         @block = block
@@ -22,8 +23,7 @@ module Rack
       end
 
       def matched_by?(request)
-        discriminator = block.call(request)
-
+        discriminator = discriminator_for(request)
         return false unless discriminator
 
         current_period  = period_for(request)
@@ -49,6 +49,14 @@ module Rack
 
       private
 
+      def discriminator_for(request)
+        discriminator = block.call(request)
+        if discriminator && Rack::Attack.throttle_discriminator_normalizer
+          discriminator = Rack::Attack.throttle_discriminator_normalizer.call(discriminator)
+        end
+        discriminator
+      end
+
       def period_for(request)
         period.respond_to?(:call) ? period.call(request) : period
       end

data/lib/rack/attack/version.rb

@@ -2,6 +2,6 @@
 
 module Rack
   class Attack
-    VERSION = '6.3.0'
+    VERSION = '6.6.0'
   end
 end

data/lib/rack/attack.rb

@@ -6,6 +6,12 @@ require 'rack/attack/cache'
 require 'rack/attack/configuration'
 require 'rack/attack/path_normalizer'
 require 'rack/attack/request'
+require 'rack/attack/store_proxy/dalli_proxy'
+require 'rack/attack/store_proxy/mem_cache_store_proxy'
+require 'rack/attack/store_proxy/redis_proxy'
+require 'rack/attack/store_proxy/redis_store_proxy'
+require 'rack/attack/store_proxy/redis_cache_store_proxy'
+require 'rack/attack/store_proxy/active_support_redis_store_proxy'
 
 require 'rack/attack/railtie' if defined?(::Rails)
 
@@ -21,18 +27,11 @@ module Rack
     autoload :Safelist,             'rack/attack/safelist'
     autoload :Blocklist,            'rack/attack/blocklist'
     autoload :Track,                'rack/attack/track'
-    autoload :StoreProxy,           'rack/attack/store_proxy'
-    autoload :DalliProxy,           'rack/attack/store_proxy/dalli_proxy'
-    autoload :MemCacheStoreProxy,   'rack/attack/store_proxy/mem_cache_store_proxy'
-    autoload :RedisProxy,           'rack/attack/store_proxy/redis_proxy'
-    autoload :RedisStoreProxy,      'rack/attack/store_proxy/redis_store_proxy'
-    autoload :RedisCacheStoreProxy, 'rack/attack/store_proxy/redis_cache_store_proxy'
-    autoload :ActiveSupportRedisStoreProxy, 'rack/attack/store_proxy/active_support_redis_store_proxy'
     autoload :Fail2Ban,             'rack/attack/fail2ban'
     autoload :Allow2Ban,            'rack/attack/allow2ban'
 
     class << self
-      attr_accessor :enabled, :notifier
+      attr_accessor :enabled, :notifier, :throttle_discriminator_normalizer
       attr_reader :configuration
 
       def instrument(request)
@@ -67,6 +66,10 @@ module Rack
         :safelist_ip,
         :throttle,
         :track,
+        :throttled_responder,
+        :throttled_responder=,
+        :blocklisted_responder,
+        :blocklisted_responder=,
         :blocklisted_response,
         :blocklisted_response=,
         :throttled_response,
@@ -84,6 +87,9 @@ module Rack
     # Set defaults
     @enabled = true
     @notifier = ActiveSupport::Notifications if defined?(ActiveSupport::Notifications)
+    @throttle_discriminator_normalizer = lambda do |discriminator|
+      discriminator.to_s.strip.downcase
+    end
     @configuration = Configuration.new
 
     attr_reader :configuration
@@ -103,9 +109,19 @@ module Rack
       if configuration.safelisted?(request)
         @app.call(env)
       elsif configuration.blocklisted?(request)
-        configuration.blocklisted_response.call(env)
+        # Deprecated: Keeping blocklisted_response for backwards compatibility
+        if configuration.blocklisted_response
+          configuration.blocklisted_response.call(env)
+        else
+          configuration.blocklisted_responder.call(request)
+        end
       elsif configuration.throttled?(request)
-        configuration.throttled_response.call(env)
+        # Deprecated: Keeping throttled_response for backwards compatibility
+        if configuration.throttled_response
+          configuration.throttled_response.call(env)
+        else
+          configuration.throttled_responder.call(request)
+        end
       else
         configuration.tracked?(request)
         @app.call(env)

data/spec/acceptance/customizing_blocked_response_spec.rb

@@ -14,7 +14,7 @@ describe "Customizing block responses" do
 
     assert_equal 403, last_response.status
 
-    Rack::Attack.blocklisted_response = lambda do |_env|
+    Rack::Attack.blocklisted_responder = lambda do |_req|
       [503, {}, ["Blocked"]]
     end
 
@@ -28,9 +28,9 @@ describe "Customizing block responses" do
     matched = nil
     match_type = nil
 
-    Rack::Attack.blocklisted_response = lambda do |env|
-      matched = env['rack.attack.matched']
-      match_type = env['rack.attack.match_type']
+    Rack::Attack.blocklisted_responder = lambda do |req|
+      matched = req.env['rack.attack.matched']
+      match_type = req.env['rack.attack.match_type']
 
       [503, {}, ["Blocked"]]
     end
@@ -40,4 +40,21 @@ describe "Customizing block responses" do
     assert_equal "block 1.2.3.4", matched
     assert_equal :blocklist, match_type
   end
+
+  it "supports old style" do
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 403, last_response.status
+
+    silence_warnings do
+      Rack::Attack.blocklisted_response = lambda do |_env|
+        [503, {}, ["Blocked"]]
+      end
+    end
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 503, last_response.status
+    assert_equal "Blocked", last_response.body
+  end
 end

data/spec/acceptance/customizing_throttled_response_spec.rb

@@ -20,7 +20,7 @@ describe "Customizing throttled response" do
 
     assert_equal 429, last_response.status
 
-    Rack::Attack.throttled_response = lambda do |_env|
+    Rack::Attack.throttled_responder = lambda do |_req|
       [503, {}, ["Throttled"]]
     end
 
@@ -36,11 +36,11 @@ describe "Customizing throttled response" do
     match_data = nil
     match_discriminator = nil
 
-    Rack::Attack.throttled_response = lambda do |env|
-      matched = env['rack.attack.matched']
-      match_type = env['rack.attack.match_type']
-      match_data = env['rack.attack.match_data']
-      match_discriminator = env['rack.attack.match_discriminator']
+    Rack::Attack.throttled_responder = lambda do |req|
+      matched = req.env['rack.attack.matched']
+      match_type = req.env['rack.attack.match_type']
+      match_data = req.env['rack.attack.match_data']
+      match_discriminator = req.env['rack.attack.match_discriminator']
 
       [429, {}, ["Throttled"]]
     end
@@ -58,4 +58,25 @@ describe "Customizing throttled response" do
     get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
     assert_equal 3, match_data[:count]
   end
+
+  it "supports old style" do
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 200, last_response.status
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 429, last_response.status
+
+    silence_warnings do
+      Rack::Attack.throttled_response = lambda do |_req|
+        [503, {}, ["Throttled"]]
+      end
+    end
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 503, last_response.status
+    assert_equal "Throttled", last_response.body
+  end
 end

data/spec/acceptance/rails_middleware_spec.rb

@@ -12,24 +12,9 @@ if defined?(Rails)
       end
     end
 
-    if Gem::Version.new(Rails::VERSION::STRING) >= Gem::Version.new("5.1")
-      it "is used by default" do
-        @app.initialize!
-        assert_equal 1, @app.middleware.count(Rack::Attack)
-      end
-
-      it "is not added when it was explicitly deleted" do
-        @app.config.middleware.delete(Rack::Attack)
-        @app.initialize!
-        refute @app.middleware.include?(Rack::Attack)
-      end
-    end
-
-    if Gem::Version.new(Rails::VERSION::STRING) < Gem::Version.new("5.1")
-      it "is not used by default" do
-        @app.initialize!
-        assert_equal 0, @app.middleware.count(Rack::Attack)
-      end
+    it "is used by default" do
+      @app.initialize!
+      assert @app.middleware.include?(Rack::Attack)
     end
   end
 end

data/spec/acceptance/stores/active_support_dalli_store_spec.rb

@@ -2,7 +2,11 @@
 
 require_relative "../../spec_helper"
 
-if defined?(::Dalli)
+should_run =
+  defined?(::Dalli) &&
+  Gem::Version.new(::Dalli::VERSION) < Gem::Version.new("3")
+
+if should_run
   require_relative "../../support/cache_store_helper"
   require "active_support/cache/dalli_store"
   require "timecop"

data/spec/acceptance/stores/active_support_redis_cache_store_pooled_spec.rb

@@ -21,6 +21,6 @@ if should_run
       Rack::Attack.cache.store.clear
     end
 
-    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.fetch(key) })
+    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.read(key) })
   end
 end

data/spec/acceptance/stores/active_support_redis_cache_store_spec.rb

@@ -20,6 +20,6 @@ if should_run
       Rack::Attack.cache.store.clear
     end
 
-    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.fetch(key) })
+    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.read(key) })
   end
 end

data/spec/rack_attack_spec.rb

@@ -64,15 +64,15 @@ describe 'Rack::Attack' do
       end
     end
 
-    describe '#blocklisted_response' do
+    describe '#blocklisted_responder' do
       it 'should exist' do
-        _(Rack::Attack.blocklisted_response).must_respond_to :call
+        _(Rack::Attack.blocklisted_responder).must_respond_to :call
       end
     end
 
-    describe '#throttled_response' do
+    describe '#throttled_responder' do
       it 'should exist' do
-        _(Rack::Attack.throttled_response).must_respond_to :call
+        _(Rack::Attack.throttled_responder).must_respond_to :call
       end
     end
   end

data/spec/rack_attack_throttle_spec.rb

@@ -144,3 +144,47 @@ describe 'Rack::Attack.throttle with block retuning nil' do
     end
   end
 end
+
+describe 'Rack::Attack.throttle with throttle_discriminator_normalizer' do
+  before do
+    @period = 60
+    @emails = [
+      "person@example.com",
+      "PERSON@example.com ",
+      " person@example.com\r\n  ",
+    ]
+    Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
+    Rack::Attack.throttle('logins/email', limit: 4, period: @period) do |req|
+      if req.path == '/login' && req.post?
+        req.params['email']
+      end
+    end
+  end
+
+  it 'should not differentiate requests when throttle_discriminator_normalizer is enabled' do
+    post_logins
+    key = "rack::attack:#{Time.now.to_i / @period}:logins/email:person@example.com"
+    _(Rack::Attack.cache.store.read(key)).must_equal 3
+  end
+
+  it 'should differentiate requests when throttle_discriminator_normalizer is disabled' do
+    begin
+      prev = Rack::Attack.throttle_discriminator_normalizer
+      Rack::Attack.throttle_discriminator_normalizer = nil
+
+      post_logins
+      @emails.each do |email|
+        key = "rack::attack:#{Time.now.to_i / @period}:logins/email:#{email}"
+        _(Rack::Attack.cache.store.read(key)).must_equal 1
+      end
+    ensure
+      Rack::Attack.throttle_discriminator_normalizer = prev
+    end
+  end
+
+  def post_logins
+    @emails.each do |email|
+      post '/login', email: email
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-attack
 version: !ruby/object:Gem::Version
-  version: 6.3.0
+  version: 6.6.0
 platform: ruby
 authors:
 - Aaron Suggs
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-04-26 00:00:00.000000000 Z
+date: 2022-01-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -126,14 +126,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.78.0
+        version: 0.89.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.78.0
+        version: 0.89.1
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
@@ -185,7 +185,7 @@ dependencies:
         version: '4.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.1'
+        version: '7.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -195,18 +195,19 @@ dependencies:
         version: '4.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.1'
+        version: '7.1'
 description: A rack middleware for throttling and blocking abusive requests
 email: aaron@ktheory.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- LICENSE
 - README.md
 - Rakefile
-- bin/setup
 - lib/rack/attack.rb
 - lib/rack/attack/allow2ban.rb
+- lib/rack/attack/base_proxy.rb
 - lib/rack/attack/blocklist.rb
 - lib/rack/attack/cache.rb
 - lib/rack/attack/check.rb
@@ -216,7 +217,6 @@ files:
 - lib/rack/attack/railtie.rb
 - lib/rack/attack/request.rb
 - lib/rack/attack/safelist.rb
-- lib/rack/attack/store_proxy.rb
 - lib/rack/attack/store_proxy/active_support_redis_store_proxy.rb
 - lib/rack/attack/store_proxy/dalli_proxy.rb
 - lib/rack/attack/store_proxy/mem_cache_store_proxy.rb
@@ -268,13 +268,13 @@ files:
 - spec/rack_attack_track_spec.rb
 - spec/spec_helper.rb
 - spec/support/cache_store_helper.rb
-homepage: https://github.com/kickstarter/rack-attack
+homepage: https://github.com/rack/rack-attack
 licenses:
 - MIT
 metadata:
-  bug_tracker_uri: https://github.com/kickstarter/rack-attack/issues
-  changelog_uri: https://github.com/kickstarter/rack-attack/blob/master/CHANGELOG.md
-  source_code_uri: https://github.com/kickstarter/rack-attack
+  bug_tracker_uri: https://github.com/rack/rack-attack/issues
+  changelog_uri: https://github.com/rack/rack-attack/blob/master/CHANGELOG.md
+  source_code_uri: https://github.com/rack/rack-attack
 post_install_message: 
 rdoc_options:
 - "--charset=UTF-8"
@@ -284,57 +284,57 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.3'
+      version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.3.6
 signing_key: 
 specification_version: 4
 summary: Block & throttle abusive requests
 test_files:
-- spec/integration/offline_spec.rb
-- spec/rack_attack_path_normalizer_spec.rb
-- spec/acceptance/safelisting_subnet_spec.rb
-- spec/acceptance/rails_middleware_spec.rb
-- spec/acceptance/track_throttle_spec.rb
-- spec/acceptance/cache_store_config_for_fail2ban_spec.rb
-- spec/acceptance/cache_store_config_with_rails_spec.rb
-- spec/acceptance/cache_store_config_for_allow2ban_spec.rb
-- spec/acceptance/safelisting_ip_spec.rb
-- spec/acceptance/track_spec.rb
-- spec/acceptance/blocking_subnet_spec.rb
-- spec/acceptance/blocking_ip_spec.rb
 - spec/acceptance/allow2ban_spec.rb
-- spec/acceptance/throttling_spec.rb
+- spec/acceptance/blocking_ip_spec.rb
 - spec/acceptance/blocking_spec.rb
+- spec/acceptance/blocking_subnet_spec.rb
+- spec/acceptance/cache_store_config_for_allow2ban_spec.rb
+- spec/acceptance/cache_store_config_for_fail2ban_spec.rb
+- spec/acceptance/cache_store_config_for_throttle_spec.rb
+- spec/acceptance/cache_store_config_with_rails_spec.rb
+- spec/acceptance/customizing_blocked_response_spec.rb
 - spec/acceptance/customizing_throttled_response_spec.rb
 - spec/acceptance/extending_request_object_spec.rb
-- spec/acceptance/safelisting_spec.rb
-- spec/acceptance/cache_store_config_for_throttle_spec.rb
 - spec/acceptance/fail2ban_spec.rb
+- spec/acceptance/rails_middleware_spec.rb
+- spec/acceptance/safelisting_ip_spec.rb
+- spec/acceptance/safelisting_spec.rb
+- spec/acceptance/safelisting_subnet_spec.rb
+- spec/acceptance/stores/active_support_dalli_store_spec.rb
 - spec/acceptance/stores/active_support_mem_cache_store_pooled_spec.rb
-- spec/acceptance/stores/active_support_redis_cache_store_spec.rb
-- spec/acceptance/stores/active_support_memory_store_spec.rb
-- spec/acceptance/stores/active_support_redis_store_spec.rb
 - spec/acceptance/stores/active_support_mem_cache_store_spec.rb
+- spec/acceptance/stores/active_support_memory_store_spec.rb
 - spec/acceptance/stores/active_support_redis_cache_store_pooled_spec.rb
+- spec/acceptance/stores/active_support_redis_cache_store_spec.rb
+- spec/acceptance/stores/active_support_redis_store_spec.rb
 - spec/acceptance/stores/connection_pool_dalli_client_spec.rb
-- spec/acceptance/stores/active_support_dalli_store_spec.rb
-- spec/acceptance/stores/redis_store_spec.rb
 - spec/acceptance/stores/dalli_client_spec.rb
 - spec/acceptance/stores/redis_spec.rb
-- spec/acceptance/customizing_blocked_response_spec.rb
-- spec/spec_helper.rb
+- spec/acceptance/stores/redis_store_spec.rb
+- spec/acceptance/throttling_spec.rb
+- spec/acceptance/track_spec.rb
+- spec/acceptance/track_throttle_spec.rb
 - spec/allow2ban_spec.rb
-- spec/rack_attack_instrumentation_spec.rb
+- spec/fail2ban_spec.rb
+- spec/integration/offline_spec.rb
 - spec/rack_attack_dalli_proxy_spec.rb
+- spec/rack_attack_instrumentation_spec.rb
+- spec/rack_attack_path_normalizer_spec.rb
+- spec/rack_attack_request_spec.rb
 - spec/rack_attack_spec.rb
 - spec/rack_attack_throttle_spec.rb
-- spec/rack_attack_request_spec.rb
-- spec/fail2ban_spec.rb
 - spec/rack_attack_track_spec.rb
+- spec/spec_helper.rb
 - spec/support/cache_store_helper.rb

data/bin/setup

@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-IFS=$'\n\t'
-set -vx
-
-bundle install
-
-# Do any other automated setup that you need to do here

data/lib/rack/attack/store_proxy.rb

@@ -1,21 +0,0 @@
-# frozen_string_literal: true
-
-module Rack
-  class Attack
-    module StoreProxy
-      PROXIES = [
-        DalliProxy,
-        MemCacheStoreProxy,
-        RedisStoreProxy,
-        RedisProxy,
-        RedisCacheStoreProxy,
-        ActiveSupportRedisStoreProxy
-      ].freeze
-
-      def self.build(store)
-        klass = PROXIES.find { |proxy| proxy.handle?(store) }
-        klass ? klass.new(store) : store
-      end
-    end
-  end
-end