I am using Rails 5.2.4 and Ruby 2.5.8, API authentication with the gem knock (JWT tokens) on a Devise model, and the gem rack-attack for this feature.
I want to implement the two following cases.
First, I want to throttle requests if the user is authenticated: if the user is authenticated with the given access token in the header to get a resource object from the API, then he is allowed 60 authenticated requests per hour.
Rack::Attack.throttle('login', limit: 60, period: 60.minutes) do |req|
  if req.path == '/api/v1/user_token' && req.post?
    begin
      # req.params for JSON is not yet available at this step, so read the raw body
      body = JSON.parse(req.body.read)
      req.body.rewind # leave the body readable for the application
      # the email is nested under "auth" in the request body; fall back to a top-level key
      body.dig('auth', 'email') || body['email']
    rescue JSON::ParserError
      nil # unparsable body: no discriminator, so the request is not counted
    end
  end
end
Second, I want to Allow2Ban (lock) requests if the user is unauthenticated: if the user is unauthenticated with the given access token in the header to get a resource object from the API, then lock out any source IP that generates more than 10 unauthenticated requests within a 5 minute span, for 2 hours.
Rack::Attack.blocklist('basic auth crackers') do |req|
  # Ban the source IP after 10 failed attempts within 5 minutes, for 2 hours
  Rack::Attack::Allow2Ban.filter(req.ip, maxretry: 10, findtime: 5.minutes, bantime: 2.hours) do
    # Return true if the authorization header is incorrect
    # (my_username / my_password are placeholders for the expected credentials)
    auth = Rack::Auth::Basic::Request.new(req.env)
    auth.credentials != [my_username, my_password]
  end
end
First case: in the throttle code the request is throttled even if the user passes wrong credentials and does not get a JWT access token. I want to throttle requests only if an authenticated user makes more than 60 requests per hour. API details:
POST localhost:3000/api/v1/user_token
request raw JSON body(correct credentials): {"auth": {"email": "sean@public.com", "password": "password"}}
Second case: in the Allow2Ban code the request user is passing the access token in the header to call http://localhost:3000/api/v1/users. I am not getting how to check whether the user has a wrong access token or is unauthenticated.
I am using this middleware for the first time; any help is appreciated. Thanks in advance.
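One way to cover both cases, written here as an added example rather than the poster's code or anything from the knock or rack-attack projects: the throttle keys on the subject of a verified JWT (so a failed login, which carries no token, never produces a discriminator and is never counted), and the Allow2Ban predicate returns true when an API request arrives without a valid token. The token check is done inside rack-attack because the middleware runs before the application and never sees the 401 the controller would return. Assumptions: knock issues HS256 tokens with the user id in the `sub` claim (its default) and signs them with the secret held in the hypothetical `JWT_SECRET`; the token arrives as `Authorization: Bearer <token>`; the login endpoint `/api/v1/user_token` is excluded from the ban predicate because a login request legitimately carries no token. The HS256 verification is done with the standard library so the file runs offline; in the app it can be replaced by `Knock::AuthToken.new(token: ...)`.

```ruby
require 'json'
require 'base64'
require 'openssl'

# Hypothetical signing secret; knock defaults to the Rails secret_key_base (assumption).
JWT_SECRET = 'constructed-example-secret'.freeze
LOGIN_PATH = '/api/v1/user_token'.freeze

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def hs256_sign(signing_input, secret)
  OpenSSL::HMAC.digest('SHA256', secret, signing_input)
end

# Constant-time comparison (avoids OpenSSL.secure_compare, absent on older Rubies).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issue an HS256 JWT with a subject claim; used here only to construct sample tokens.
def issue_token(sub, secret, exp: Time.now.to_i + 3600)
  header  = b64url(JSON.generate({ 'alg' => 'HS256', 'typ' => 'JWT' }))
  payload = b64url(JSON.generate({ 'sub' => sub, 'exp' => exp }))
  signing_input = "#{header}.#{payload}"
  "#{signing_input}.#{b64url(hs256_sign(signing_input, secret))}"
end

# Verify signature, algorithm and expiry; return the subject claim or nil if anything is off.
def jwt_subject(token, secret)
  header_b64, payload_b64, sig_b64 = token.to_s.split('.', 3)
  return nil if sig_b64.nil? || sig_b64.empty?
  header = JSON.parse(Base64.urlsafe_decode64(header_b64))
  return nil unless header['alg'] == 'HS256' # refuse "none" and any other algorithm
  expected = hs256_sign("#{header_b64}.#{payload_b64}", secret)
  return nil unless secure_equal?(expected, Base64.urlsafe_decode64(sig_b64))
  claims = JSON.parse(Base64.urlsafe_decode64(payload_b64))
  return nil if claims['exp'] && claims['exp'].to_i <= Time.now.to_i
  claims['sub'] && claims['sub'].to_s
rescue ArgumentError, JSON::ParserError
  nil # malformed base64 or JSON: treat as no token
end

def bearer_token(env)
  auth = env['HTTP_AUTHORIZATION'].to_s
  auth.start_with?('Bearer ') ? auth.sub('Bearer ', '') : nil
end

# Discriminator for the authenticated throttle: only requests carrying a valid token
# get a key, so failed logins and forged tokens never consume the 60/hour budget.
def authenticated_discriminator(env, secret = JWT_SECRET)
  sub = jwt_subject(bearer_token(env), secret)
  sub && "user:#{sub}"
end

# Predicate for the Allow2Ban filter: true when a request reaches an API resource
# without a valid token (missing, forged, wrong secret or expired). The login
# endpoint is excluded, since it is called before any token exists.
def unauthenticated_api_request?(env, secret = JWT_SECRET)
  path = env['PATH_INFO'].to_s
  return false unless path.start_with?('/api/') && path != LOGIN_PATH
  jwt_subject(bearer_token(env), secret).nil?
end

# Wiring into rack-attack (guarded so this file also runs where the gem is not loaded).
# Periods are plain seconds so no ActiveSupport duration helpers are needed.
if defined?(Rack::Attack)
  Rack::Attack.throttle('api/authenticated', limit: 60, period: 3600) do |req|
    authenticated_discriminator(req.env)
  end

  Rack::Attack.blocklist('api/unauthenticated') do |req|
    Rack::Attack::Allow2Ban.filter(req.ip, maxretry: 10, findtime: 300, bantime: 7200) do
      unauthenticated_api_request?(req.env)
    end
  end
end
```

Keying the throttle on the verified `sub` rather than on the login email means a client cannot drain another user's budget by replaying their email in failed login attempts, and an unverifiable token simply yields no discriminator. Note that Allow2Ban bans the IP for requests that fail the predicate, so any unauthenticated client probing `/api/v1/users` ten times in five minutes is blocked for two hours regardless of which token it tried.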