author | Haelwenn <contact+git.pleroma.social@hacktivis.me> | 2019-10-07 09:16:42 +0000 |
---|---|---|
committer | Haelwenn <contact+git.pleroma.social@hacktivis.me> | 2019-10-07 09:16:42 +0000 |
commit | 15592f1abe117761b90846e02194a35982f3bebf (patch) | |
tree | 2910113e8a4ed4d225a4ffc8b6b95d56e782367f /lib | |
parent | b4f3c16885a489c40de82e5ef321caafa4b10c81 (diff) | |
parent | 28fb98d69e31ce5a09e15e213491b880430a0902 (diff) | |
download | pleroma-15592f1abe117761b90846e02194a35982f3bebf.tar.gz |
Merge branch '1260-rate-limited-auth-actions' into 'develop'
[#1260] Rate-limiting for create authentication and related requests
Closes #1260
See merge request pleroma/pleroma!1681
Diffstat (limited to 'lib')
-rw-r--r-- | lib/pleroma/web/mongooseim/mongoose_im_controller.ex | 5 | ||||
-rw-r--r-- | lib/pleroma/web/oauth/oauth_controller.ex | 1 |
2 files changed, 6 insertions, 0 deletions
diff --git a/lib/pleroma/web/mongooseim/mongoose_im_controller.ex b/lib/pleroma/web/mongooseim/mongoose_im_controller.ex index b786a521b..6ed181cff 100644 --- a/lib/pleroma/web/mongooseim/mongoose_im_controller.ex +++ b/lib/pleroma/web/mongooseim/mongoose_im_controller.ex @@ -4,10 +4,15 @@ defmodule Pleroma.Web.MongooseIM.MongooseIMController do use Pleroma.Web, :controller + alias Comeonin.Pbkdf2 + alias Pleroma.Plugs.RateLimiter alias Pleroma.Repo alias Pleroma.User + plug(RateLimiter, :authentication when action in [:user_exists, :check_password]) + plug(RateLimiter, {:authentication, params: ["user"]} when action == :check_password) + def user_exists(conn, %{"user" => username}) do with %User{} <- Repo.get_by(User, nickname: username, local: true) do conn diff --git a/lib/pleroma/web/oauth/oauth_controller.ex b/lib/pleroma/web/oauth/oauth_controller.ex index 3c17a2095..03c9a5027 100644 --- a/lib/pleroma/web/oauth/oauth_controller.ex +++ b/lib/pleroma/web/oauth/oauth_controller.ex @@ -24,6 +24,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do plug(:fetch_session) plug(:fetch_flash) + plug(Pleroma.Plugs.RateLimiter, :authentication when action == :create_authorization) action_fallback(Pleroma.Web.OAuth.FallbackController) |
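Review bot: In mongoose_im_controller.ex the first added plug, `plug(RateLimiter, :authentication when action in [:user_exists, :check_password])`, carries no `params:` key, so it presumably buckets on the caller's address, and these endpoints look like they are called by the MongooseIM backend rather than by end users. If that holds, every XMPP login shares one bucket: a burst of failed logins relayed through the XMPP server could throttle all legitimate users, and the limit says nothing about the real client. A comment above the plugs would record the assumption, e.g. `# Caller is the MongooseIM backend: the address-keyed bucket is shared by all XMPP users, size :authentication accordingly`. The `params: ["user"]` bucket on `:check_password` keys on the raw request value, so confirm it is normalised the same way as the `nickname:` lookup (case variants should not get fresh buckets), and note that a per-account bucket also lets a third party lock out a known nickname. `check_password` itself and the RateLimiter implementation are outside the hunk.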
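Review bot: In oauth_controller.ex the limiter is attached only to `:create_authorization` and only with the default key, whereas `check_password` in the MongooseIM controller also gets a `params: ["user"]` bucket. Password guesses against a single account spread over many addresses are therefore not throttled here, and any other action in this controller that verifies credentials (none is visible in this hunk) stays uncovered. Consider a second plug keyed on the submitted account name, modelled on `plug(RateLimiter, {:authentication, params: ["user"]} when action == :check_password)`, using the parameter name this action actually receives. For consistency with the other file, add `alias Pleroma.Plugs.RateLimiter` and write `plug(RateLimiter, ...)` instead of the fully qualified name.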