authorMaxim Filippov <colixer@gmail.com>2019-12-13 19:00:26 +0300
committerMaxim Filippov <colixer@gmail.com>2019-12-14 03:06:43 +0300
commiteb11c6028973b945361095d3f4791ac6f61379a9 (patch)
tree11b73733afbf0b9d221da47b6d621f320a5626d5
parentfd697cf2090b61db60a02694c3227850df176e2d (diff)
downloadpleroma-eb11c6028973b945361095d3f4791ac6f61379a9.tar.gz
Disable rate limiter for socket/localhost (unless RemoteIp is enabled)
-rw-r--r--CHANGELOG.md1
-rw-r--r--lib/pleroma/plugs/rate_limiter/rate_limiter.ex37
-rw-r--r--test/plugs/rate_limiter_test.exs35
-rw-r--r--test/web/mastodon_api/controllers/account_controller_test.exs1
4 files changed, 67 insertions, 7 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 213742545..664c101a7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,6 +21,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- Deprecated `User.Info` embedded schema (fields moved to `User`)
- Store status data inside Flag activity
- Deprecated (reorganized as `UserRelationship` entity) User fields with user AP IDs (`blocks`, `mutes`, `muted_reblogs`, `muted_notifications`, `subscribers`).
+- Rate limiter is now disabled for localhost/socket (unless remoteip plug is enabled)
<details>
<summary>API Changes</summary>
diff --git a/lib/pleroma/plugs/rate_limiter/rate_limiter.ex b/lib/pleroma/plugs/rate_limiter/rate_limiter.ex
index d720508c8..7fb92489c 100644
--- a/lib/pleroma/plugs/rate_limiter/rate_limiter.ex
+++ b/lib/pleroma/plugs/rate_limiter/rate_limiter.ex
@@ -67,6 +67,8 @@ defmodule Pleroma.Plugs.RateLimiter do
alias Pleroma.Plugs.RateLimiter.LimiterSupervisor
alias Pleroma.User
+ require Logger
+
def init(opts) do
limiter_name = Keyword.get(opts, :name)
@@ -89,18 +91,39 @@ defmodule Pleroma.Plugs.RateLimiter do
def call(conn, nil), do: conn
def call(conn, settings) do
- settings
- |> incorporate_conn_info(conn)
- |> check_rate()
- |> case do
- {:ok, _count} ->
+ case disabled?() do
+ true ->
+ if Pleroma.Config.get(:env) == :prod,
+ do: Logger.warn("Rate limiter is disabled for localhost/socket")
+
conn
- {:error, _count} ->
- render_throttled_error(conn)
+ false ->
+ settings
+ |> incorporate_conn_info(conn)
+ |> check_rate()
+ |> case do
+ {:ok, _count} ->
+ conn
+
+ {:error, _count} ->
+ render_throttled_error(conn)
+ end
end
end
+ def disabled? do
+ localhost_or_socket =
+ Pleroma.Config.get([Pleroma.Web.Endpoint, :http, :ip])
+ |> Tuple.to_list()
+ |> Enum.join(".")
+ |> String.match?(~r/^local|^127.0.0.1/)
+
+ remote_ip_disabled = not Pleroma.Config.get([Pleroma.Plugs.RemoteIp, :enabled])
+
+ localhost_or_socket and remote_ip_disabled
+ end
+
def inspect_bucket(conn, name_root, settings) do
settings =
settings
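Review bot: `disabled?/0` raises rather than returning a boolean when either config key is unset, because `Tuple.to_list/1` fails on `nil` and `not` accepts only a strict boolean; since `call/2` now runs it on every request, a missing `[Pleroma.Web.Endpoint, :http, :ip]` or `[Pleroma.Plugs.RemoteIp, :enabled]` would turn each rate-limited route into an error. The regex `~r/^local|^127.0.0.1/` also leaves its dots unescaped and has no end anchor, so it is looser than the two shapes it is meant to accept; matching the tuple directly, as below, removes both problems. Separately, the `Logger.warn` in the `true` branch fires per request in prod, so an instance in this state runs unthrottled and writes one warning per hit; logging once at startup would keep the signal without the volume.

```elixir
def disabled? do
  localhost_or_socket =
    case Pleroma.Config.get([Pleroma.Web.Endpoint, :http, :ip]) do
      {127, 0, 0, 1} -> true
      {:local, _path} -> true
      # unset or any other bind address: keep the limiter active
      _ -> false
    end

  # only an explicit `true` counts as enabled; nil no longer raises
  remote_ip_enabled = Pleroma.Config.get([Pleroma.Plugs.RemoteIp, :enabled]) == true

  localhost_or_socket and not remote_ip_enabled
end
```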
diff --git a/test/plugs/rate_limiter_test.exs b/test/plugs/rate_limiter_test.exs
index 49f63c424..f3343abca 100644
--- a/test/plugs/rate_limiter_test.exs
+++ b/test/plugs/rate_limiter_test.exs
@@ -16,6 +16,7 @@ defmodule Pleroma.Plugs.RateLimiterTest do
test "config is required for plug to work" do
limiter_name = :test_init
Pleroma.Config.put([:rate_limit, limiter_name], {1, 1})
+ Pleroma.Config.put([Pleroma.Web.Endpoint, :http, :ip], {8, 8, 8, 8})
assert %{limits: {1, 1}, name: :test_init, opts: [name: :test_init]} ==
RateLimiter.init(name: limiter_name)
@@ -23,11 +24,39 @@ defmodule Pleroma.Plugs.RateLimiterTest do
assert nil == RateLimiter.init(name: :foo)
end
+ test "it is disabled for localhost" do
+ limiter_name = :test_init
+ Pleroma.Config.put([:rate_limit, limiter_name], {1, 1})
+ Pleroma.Config.put([Pleroma.Web.Endpoint, :http, :ip], {127, 0, 0, 1})
+ Pleroma.Config.put([Pleroma.Plugs.RemoteIp, :enabled], false)
+
+ assert RateLimiter.disabled?() == true
+ end
+
+ test "it is disabled for socket" do
+ limiter_name = :test_init
+ Pleroma.Config.put([:rate_limit, limiter_name], {1, 1})
+ Pleroma.Config.put([Pleroma.Web.Endpoint, :http, :ip], {:local, "/path/to/pleroma.sock"})
+ Pleroma.Config.put([Pleroma.Plugs.RemoteIp, :enabled], false)
+
+ assert RateLimiter.disabled?() == true
+ end
+
+ test "it is enabled for socket when remote ip is enabled" do
+ limiter_name = :test_init
+ Pleroma.Config.put([:rate_limit, limiter_name], {1, 1})
+ Pleroma.Config.put([Pleroma.Web.Endpoint, :http, :ip], {:local, "/path/to/pleroma.sock"})
+ Pleroma.Config.put([Pleroma.Plugs.RemoteIp, :enabled], true)
+
+ assert RateLimiter.disabled?() == false
+ end
+
test "it restricts based on config values" do
limiter_name = :test_opts
scale = 80
limit = 5
+ Pleroma.Config.put([Pleroma.Web.Endpoint, :http, :ip], {8, 8, 8, 8})
Pleroma.Config.put([:rate_limit, limiter_name], {scale, limit})
opts = RateLimiter.init(name: limiter_name)
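Review bot: The three new tests assert only `RateLimiter.disabled?()`, so nothing checks that `call/2` passes a request through when the limiter is disabled or still throttles once RemoteIp is enabled; the `limiter_name` binding and the `[:rate_limit, limiter_name]` put in each of them are not read by `disabled?/0` and can be dropped. The `Pleroma.Config.put` calls here and in the other hunks of this file change application-wide config, and no restore is visible in these hunks; if the module has no setup that resets them, the last value of `[Pleroma.Plugs.RemoteIp, :enabled]` carries into later tests and can mask a missing `:ip` override. A case with `[Pleroma.Web.Endpoint, :http, :ip]` unset would also pin down what the plug does when the key is absent.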
@@ -61,6 +90,7 @@ defmodule Pleroma.Plugs.RateLimiterTest do
limiter_name = :test_bucket_name
Pleroma.Config.put([:rate_limit, limiter_name], {1000, 5})
+ Pleroma.Config.put([Pleroma.Web.Endpoint, :http, :ip], {8, 8, 8, 8})
base_bucket_name = "#{limiter_name}:group1"
opts = RateLimiter.init(name: limiter_name, bucket_name: base_bucket_name)
@@ -75,6 +105,7 @@ defmodule Pleroma.Plugs.RateLimiterTest do
test "`params` option allows different queries to be tracked independently" do
limiter_name = :test_params
Pleroma.Config.put([:rate_limit, limiter_name], {1000, 5})
+ Pleroma.Config.put([Pleroma.Web.Endpoint, :http, :ip], {8, 8, 8, 8})
opts = RateLimiter.init(name: limiter_name, params: ["id"])
@@ -90,6 +121,7 @@ defmodule Pleroma.Plugs.RateLimiterTest do
test "it supports combination of options modifying bucket name" do
limiter_name = :test_options_combo
Pleroma.Config.put([:rate_limit, limiter_name], {1000, 5})
+ Pleroma.Config.put([Pleroma.Web.Endpoint, :http, :ip], {8, 8, 8, 8})
base_bucket_name = "#{limiter_name}:group1"
opts = RateLimiter.init(name: limiter_name, bucket_name: base_bucket_name, params: ["id"])
@@ -109,6 +141,7 @@ defmodule Pleroma.Plugs.RateLimiterTest do
test "are restricted based on remote IP" do
limiter_name = :test_unauthenticated
Pleroma.Config.put([:rate_limit, limiter_name], [{1000, 5}, {1, 10}])
+ Pleroma.Config.put([Pleroma.Web.Endpoint, :http, :ip], {8, 8, 8, 8})
opts = RateLimiter.init(name: limiter_name)
@@ -147,6 +180,7 @@ defmodule Pleroma.Plugs.RateLimiterTest do
scale = 1000
limit = 5
+ Pleroma.Config.put([Pleroma.Web.Endpoint, :http, :ip], {8, 8, 8, 8})
Pleroma.Config.put([:rate_limit, limiter_name], [{1, 10}, {scale, limit}])
opts = RateLimiter.init(name: limiter_name)
@@ -179,6 +213,7 @@ defmodule Pleroma.Plugs.RateLimiterTest do
test "diffrerent users are counted independently" do
limiter_name = :test_authenticated
Pleroma.Config.put([:rate_limit, limiter_name], [{1, 10}, {1000, 5}])
+ Pleroma.Config.put([Pleroma.Web.Endpoint, :http, :ip], {8, 8, 8, 8})
opts = RateLimiter.init(name: limiter_name)
diff --git a/test/web/mastodon_api/controllers/account_controller_test.exs b/test/web/mastodon_api/controllers/account_controller_test.exs
index fa08ae4df..14d97e248 100644
--- a/test/web/mastodon_api/controllers/account_controller_test.exs
+++ b/test/web/mastodon_api/controllers/account_controller_test.exs
@@ -766,6 +766,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
end
test "rate limit", %{conn: conn} do
+ Pleroma.Config.put([Pleroma.Plugs.RemoteIp, :enabled], true)
app_token = insert(:oauth_token, user: nil)
conn =