# frozen_string_literal: true
require './config/environment'
require 'securerandom'
require 'rack/protection'
require 'rack/attack'
require 'dalli'
require_relative 'lib/aha_secret/version'
# Refuse to boot while schema migrations are still pending (Rails raises
# here), so a stale database never serves requests.
ActiveRecord::Migration.check_all_pending!

# Announce which build is starting so the version shows up in the process log.
startup_log = Logger.new($stdout)
startup_log.info("AHA-Secret version: #{AhaSecret::VERSION}")
if AppConfig.memcache_url
  use Rack::Attack

  # Throttle counters live in memcached so every app process shares one view of
  # the request counts. Values are JSON-serialised under their own namespace so
  # they cannot collide with other keys held in the same memcached instance.
  store_options = { namespace: 'app_v1', serializer: JSON }
  Rack::Attack.cache.store = Dalli::Client.new(AppConfig.memcache_url, store_options)

  # Loopback clients are never throttled, except under RACK_ENV=test so the
  # rate-limit spec can drive the throttle from the test runner. A truthy block
  # result safelists the request.
  # NOTE(review): req.ip is whatever Rack resolves from REMOTE_ADDR and
  # X-Forwarded-For. Behind a reverse proxy that forwards a client-supplied
  # X-Forwarded-For unchanged, a client can choose its own "ip" — both to land
  # in this safelist and to spread the throttle below over arbitrary buckets.
  # Confirm the proxy overwrites/appends that header before relying on this.
  Rack::Attack.safelist('allow from localhost') do |req|
    loopback_addresses = %w[127.0.0.1 ::1]
    loopback_addresses.include?(req.ip) && ENV['RACK_ENV'] != 'test'
  end

  # To exercise the limit locally, lower the limit and period (e.g. 3 requests
  # per minute) via the environment and run the feature spec:
  # AHA_SECRET_RATE_LIMIT=3 AHA_SECRET_RATE_LIMIT_PERIOD=60 CI=true bundle exec rspec spec/features/rate_limit_feature_spec.rb # rubocop:disable Layout/LineLength
  #
  # One bucket per client IP: at most AppConfig.rate_limit requests every
  # AppConfig.rate_limit_period seconds (rack-attack periods are in seconds).
  Rack::Attack.throttle('requests by ip',
                        limit: AppConfig.rate_limit,
                        period: AppConfig.rate_limit_period) do |req|
    req.ip
  end
end
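# Lets HTML forms emulate PUT/PATCH/DELETE through a _method parameter. It sits
# in front of Rack::Protection so the authenticity_token check downstream sees
# the effective (overridden) verb.
use Rack::MethodOverride

# Cookie-backed session signed with AppConfig.session_secret. httponly: true is
# Rack's default, restated so it is explicit (the cookie is never readable from
# script); same_site: :lax stops browsers attaching the cookie to cross-site
# POSTs — a second line of defence beside the authenticity_token check below.
# NOTE(review): secure: is not set, so the cookie is also sent over plain HTTP.
# Set secure: true (or derive it from RACK_ENV) once the deployment is HTTPS-only;
# it is left unset here because the page does not show how the app is served.
# NOTE(review): an explicit Domain attribute scopes the cookie to the request
# host *and* its subdomains, whereas omitting domain: yields a host-only cookie;
# Rack::Request#host is derived from the Host/X-Forwarded-Host headers. Confirm
# nothing relies on subdomain sharing before tightening this, and confirm the
# installed Rack evaluates a lambda here rather than interpolating it.
use Rack::Session::Cookie,
    domain: ->(env) { Rack::Request.new(env).host },
    path: '/',
    expire_after: 3600 * 24, # seconds: a session lives one day
    httponly: true,
    same_site: :lax,
    secret: AppConfig.session_secret

# Rack::Protection's default set plus two opt-in middlewares: a
# Content-Security-Policy header and CSRF tokens for non-idempotent requests.
# permitted_origins is consumed by the Origin-header check for cross-origin
# requests; its value comes from configuration, not from the request.
use Rack::Protection,
    use: %i[content_security_policy authenticity_token],
    permitted_origins: AppConfig.permitted_origins

run ApplicationController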