Adding OAuth access scopes, fixing OAuth authorization UI, adding rate limiting

to the API

Adding OAuth access scopes, fixing OAuth authorization UI, adding rate limiting
a9e40a3d · Eugen Rochko · 17122df8 · a9e40a3d · a9e40a3d · a9e40a3d
--- a/config/initializers/rack-attack.rb
+++ b/config/initializers/rack-attack.rb
 class Rack::Attack
-  throttle('get-req/ip', limit: 300, period: 5.minutes) do |req|
+  # Rate limits for the API
-    req.ip if req.get?
+  throttle('api', limit: 150, period: 5.minutes) do |req|
+    req.ip if req.path.match(/\A\/api\//)
  end
-  throttle('post-req/ip', limit: 100, period: 5.minutes) do |req|
+  self.throttled_response = lambda do |env|
-    req.ip if req.post?
+    now        = Time.now.utc
+    match_data = env['rack.attack.match_data']
+    headers = {
+      'X-RateLimit-Limit'     => match_data[:limit].to_s,
+      'X-RateLimit-Remaining' => '0',
+      'X-RateLimit-Reset'     => (now + (match_data[:period] - now.to_i % match_data[:period])).to_s
+    }
+    [429, headers, [{ error: 'Throttled' }.to_json]]
  end
 end
--- a/config/locales/doorkeeper.en.yml
+++ b/config/locales/doorkeeper.en.yml
@@ -15,6 +15,10 @@ en:
              secured_uri: 'must be an HTTPS/SSL URI.'
  doorkeeper:
+    scopes:
+      read: read your account's data
+      write: post on your behalf
+      follow: follow, block, unblock and unfollow accounts
    applications:
      confirmations:
        destroy: 'Are you sure?'

--- a/config/routes.rb
+++ b/config/routes.rb
@@ -7,7 +7,9 @@ Rails.application.routes.draw do
    mount Sidekiq::Web => '/sidekiq'
  end
-  use_doorkeeper
+  use_doorkeeper do
+    controllers authorizations: 'oauth/authorizations'
+  end
  get '.well-known/host-meta', to: 'xrd#host_meta', as: :host_meta
  get '.well-known/webfinger', to: 'xrd#webfinger', as: :webfinger

--- a/db/seeds.rb
+++ b/db/seeds.rb
-web_app = Doorkeeper::Application.new(name: 'Web', superapp: true, redirect_uri: Doorkeeper.configuration.native_redirect_uri)
+web_app = Doorkeeper::Application.new(name: 'Web', superapp: true, redirect_uri: Doorkeeper.configuration.native_redirect_uri, scopes: 'read write follow')
 web_app.save!
--- a/lib/tasks/mastodon.rake
+++ b/lib/tasks/mastodon.rake
@@ -2,9 +2,7 @@ namespace :mastodon do
  namespace :media do
    desc 'Removes media attachments that have not been assigned to any status for longer than a day'
    task clear: :environment do
-      MediaAttachment.where(status_id: nil).where('created_at < ?', 1.day.ago).find_each do |m|
+      MediaAttachment.where(status_id: nil).where('created_at < ?', 1.day.ago).find_each(&:destroy)
-        m.destroy
-      end
    end
  end