Excluding logged in users from rate-limiting #2686
Comments
Hello @olegbliaher, thanks for contributing to the Password Pusher community! We will respond as soon as possible.
Hi @olegbliaher - I can do that. But if you want it to apply to all logged in users, there might be a better solution rather than by IP:

```ruby
throttle("req/minute/ip", limit: 120, period: 1.minute) do |req|
  req.ip if req.session[:warden] && req.session[:warden]["user.user.id"].nil? && !req.path.start_with?("/assets")
end
```

Needs testing though.
Hi @pglombardo, thank you for the very swift response! Personally, I'd prefer excluding all logged-in users, instead of dealing with IP addresses and ranges. Your suggestion looks perfect.

Sounds good - I have a couple of other things in progress right now but hopefully I can add this over the weekend. I'll update once the addition is out. Thanks for pointing this out!

Hi again, I would just like to point out that if you could add support for excluding IP addresses/ranges, we would find use for that in my organization as well :)
Question
Is it possible to exclude logged in users from rate-limits?
Additional context
Running pwpush 1.47.1 with Caddy.
I also noticed I can configure `safelist_ip`-addresses via `config/initializers/rack_attack.rb`. Would be nice if it would be possible to specify those IP-addresses as an environment variable.
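
The environment-variable safelist requested above, sketched as an added example (not Password Pusher's own code). `RACK_ATTACK_SAFELIST_IPS` is a hypothetical variable name and `parse_safelist` / `safelisted?` are helpers introduced here; only `Rack::Attack.safelist` is rack-attack's own API.

```ruby
require "ipaddr"

# Hypothetical variable name (assumption; not a setting defined by the project).
SAFELIST_ENV = "RACK_ATTACK_SAFELIST_IPS"

# Parse a comma- or whitespace-separated list of IPs and CIDR ranges.
# Invalid entries are returned separately so a typo is reported instead of
# silently changing who bypasses the throttle.
def parse_safelist(raw)
  nets = []
  rejected = []
  raw.to_s.split(/[\s,]+/).reject(&:empty?).each do |entry|
    begin
      nets << IPAddr.new(entry)
    rescue IPAddr::Error
      rejected << entry
    end
  end
  [nets, rejected]
end

# True when ip falls inside one of the parsed networks.
# Unparseable client addresses are never safelisted (fail closed).
def safelisted?(ip, nets)
  addr = IPAddr.new(ip.to_s)
  nets.any? { |net| net.family == addr.family && net.include?(addr) }
rescue IPAddr::Error
  false
end

# Wiring for config/initializers/rack_attack.rb; skipped when the gem is absent.
if defined?(Rack::Attack)
  nets, rejected = parse_safelist(ENV[SAFELIST_ENV])
  warn "#{SAFELIST_ENV}: ignoring invalid entries: #{rejected.join(', ')}" unless rejected.empty?
  Rack::Attack.safelist("safelist from #{SAFELIST_ENV}") do |req|
    safelisted?(req.ip, nets)
  end
end
```

The safelist is matched against `req.ip`, which behind a reverse proxy such as Caddy is derived from forwarded headers, so an IP safelist is only as trustworthy as the proxy chain in front of the app.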