Fix rate-limiting incorrectly triggering a session cookie on most endpoints (#30483)

2024-11-20 03:25:17 +01:00 · 2024-05-30 14:56:18 +02:00 · 2024-05-30 14:56:18 +02:00 · 95ebcff98e
commit 95ebcff98e
parent d770b61a74
1 changed files with 2 additions and 2 deletions
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@ -30,7 +30,7 @@ class Rack::Attack
    end

    def authenticated_user_id
-      authenticated_token&.resource_owner_id || warden_user_id
+      authenticated_token&.resource_owner_id
    end

    def authenticated_token_id
@ -138,7 +138,7 @@ class Rack::Attack
  end

  throttle('throttle_password_change/account', limit: 10, period: 10.minutes) do |req|
-    req.authenticated_user_id if req.put? || (req.patch? && req.path_matches?('/auth'))
+    req.warden_user_id if req.put? || (req.patch? && req.path_matches?('/auth'))
  end

  self.throttled_responder = lambda do |request|