From 34930e1a3ec8c5cbd6822b1093daedc8ffe1926b Mon Sep 17 00:00:00 2001
From: Emelia Smith
Date: Wed, 21 Aug 2024 23:56:49 +0200
Subject: [PATCH] Align sign-up rate limits between API and Web UI
---
 config/initializers/rack_attack.rb | 4 ++--
 spec/config/initializers/rack/attack_spec.rb | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
index b4eaab1daa2..75e2193e060 100644
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -86,7 +86,7 @@ class Rack::Attack
     req.throttleable_remote_ip if req.path.start_with?('/media_proxy')
   end
-  throttle('throttle_api_sign_up', limit: 5, period: 30.minutes) do |req|
+  throttle('throttle_api_sign_up', limit: 15, period: 15.minutes) do |req|
     req.throttleable_remote_ip if req.post? && req.path == '/api/v1/accounts'
   end
@@ -109,7 +109,7 @@ class Rack::Attack
     req.throttleable_remote_ip if req.post? && req.path == '/api/v1/apps'
   end
-  throttle('throttle_sign_up_attempts/ip', limit: 25, period: 5.minutes) do |req|
+  throttle('throttle_sign_up_attempts/ip', limit: 15, period: 15.minutes) do |req|
     req.throttleable_remote_ip if req.post? && req.path_matches?('/auth')
   end
diff --git a/spec/config/initializers/rack/attack_spec.rb b/spec/config/initializers/rack/attack_spec.rb
index 19de4808983..1aaa9128482 100644
--- a/spec/config/initializers/rack/attack_spec.rb
+++ b/spec/config/initializers/rack/attack_spec.rb
@@ -74,8 +74,8 @@ describe Rack::Attack, type: :request do
   describe 'throttle excessive sign-up requests by IP address' do
     context 'when accessed through the website' do
       let(:throttle) { 'throttle_sign_up_attempts/ip' }
-      let(:limit) { 25 }
-      let(:period) { 5.minutes }
+      let(:limit) { 15 }
+      let(:period) { 15.minutes }
       let(:request) { -> { post path, headers: { 'REMOTE_ADDR' => remote_ip } } }
       context 'with exact path' do
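Review bot: The first rack_attack.rb hunk loosens the API sign-up throttle rather than merely aligning it: `limit: 5, period: 30.minutes` becomes `limit: 15, period: 15.minutes`, which permits up to 30 registrations per IP per half hour on `/api/v1/accounts` where the old rule permitted 5, while the second hunk tightens the web path from 25 per 5 minutes. Since the alignment could equally have been done by keeping the stricter API budget, a comment above the first throttle, or the commit description, should state why the API side is the one relaxed (`# Sign-up limits are kept identical for the API and the web form; see <reason>`), so the next reviewer does not read this as an accidental regression in abuse protection. Both hunks now repeat the same literal pair, so I would hoist them into class-level constants such as `SIGN_UP_LIMIT = 15` and `SIGN_UP_PERIOD = 15.minutes` and write `throttle('throttle_api_sign_up', limit: SIGN_UP_LIMIT, period: SIGN_UP_PERIOD) do |req|` (likewise for `'throttle_sign_up_attempts/ip'`), so the two values cannot drift apart again. Note that the two throttles keep distinct keys, so one IP still receives both budgets (30 sign-up attempts per 15 minutes across the two routes); if a single shared per-IP budget was the intent, this change does not provide it. The enclosing `class Rack::Attack` begins and ends outside both hunks.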
@@ -93,8 +93,8 @@ describe Rack::Attack, type: :request do
     context 'when accessed through the API' do
       let(:throttle) { 'throttle_api_sign_up' }
-      let(:limit) { 5 }
-      let(:period) { 30.minutes }
+      let(:limit) { 15 }
+      let(:period) { 15.minutes }
       let(:request) { -> { post path, headers: { 'REMOTE_ADDR' => remote_ip } } }
       context 'with exact path' do