Rate limiting & refactor

3 years ago · ce05aed461
parent 3035a3ea3d
commit ce05aed461
9 changed files with 69 additions and 28 deletions
--- a/src/TODO.md
+++ b/src/TODO.md
@ -1,6 +1,6 @@
 # TODO
- - Post editing & deleting
+ - Ratelimiting
- - User reviews
+ - User reviews (+rep / -rep)
 - Yardoc 50%
 - Film
--- a/src/app.rb
+++ b/src/app.rb
@ -32,18 +32,7 @@ end
 enable :sessions
 db_init
-before do 
+RATE_LIMITS ||= Hash.new(Hash.new(0))
 	route_auth_needed = request.path_info.start_with?(*AUTH_ROUTES)
 	if !is_logged_in && route_auth_needed then
 		session[:ret] = request.fullpath # TODO: return the user to the previous route
 		session[:status] = 403
 		flash[:error] = AUTH_ERRORS[:needed] 
 		redirect "/login"
 	elsif route_auth_needed && get_current_user.banned?
 		banned
 	end
 end
 not_found do 
 	serve :"404"
@ -68,6 +57,36 @@ def error(ret=back)
 	auth_denied "Internal server error.", 500, ret
 end
 def ratelimit(delta_time, ret="/")
 	auth_denied "Doing that a bit too fast... Please try again in #{delta_time} seconds.", 429, ret
 end
 before do 
 	# Ratelimiting
 	# check if route contains any of the protected ones
 	# and if it is a POST request (dont care about GETs)
 	if request.path_info.start_with?(*RATE_LIMIT_ROUTES_ALL) and request.request_method == "POST" then 
 		RATE_LIMIT_ROUTES.each do |t, cfg|
 			if request.path_info.start_with?(*cfg[:routes]) then
 				dt = Time.now.to_i - RATE_LIMITS[t][request.ip]
 				ratelimit(dt) unless dt > cfg[:time] # send a rate limit response if rate limited
 				RATE_LIMITS[t][request.ip] = Time.now.to_i
 			end
 		end
 	end
 	# Authentication check
 	route_auth_needed = request.path_info.start_with?(*AUTH_ROUTES)
 	if !is_logged_in && route_auth_needed then
 		session[:ret] = request.fullpath # TODO: return the user to the previous route
 		session[:status] = 403
 		flash[:error] = AUTH_ERRORS[:needed] 
 		redirect "/login"
 	elsif route_auth_needed && get_current_user.banned?
 		banned
 	end
 end
 # Routes
 get "/style.css" do
 	sass :"stylesheets/style", style: :compressed
--- a/src/const.rb
+++ b/src/const.rb
@ -78,7 +78,22 @@ TIME_FORMATS = {
 	s: 1
 }
 # Routes that needs auth
 AUTH_ROUTES = %w[/settings /auction /user /admin]
 # Rate limits in seconds for each route category
 RATE_LIMIT_ROUTES = {
 	user: {
 		routes: %w[/user /settings /register /login /logout],
 		time: 1
 	},
 	auction: {
 		routes: %w[/auctions],
 		time: 1
 	}
 }
 RATE_LIMIT_ROUTES_ALL = [] # precompile all of the protected routes
 RATE_LIMIT_ROUTES.each do |t, cfg|
 	RATE_LIMIT_ROUTES_ALL += cfg[:routes]
 end
--- a/src/lib/db_models.rb
+++ b/src/lib/db_models.rb
@ -383,6 +383,15 @@ class Auction < EntityModel
 		Auction.update data, "id = ?", @id
 	end
 	def delete 
 		FileUtils.rm_rf("./public/auctions/#{@id}") # delete all images
 		Auction.delete "id = ?", @id # delete the actual post entry
 		Auction_Category_relation.delete "auction_id = ?", @id
 		Image.delete "auction_id = ?", @id
 		Bid.delete "auction_id = ?", @id 
 	end
 	def poster
 		User.find_by_id @user_id
 	end
--- a/src/routes/auction.rb
+++ b/src/routes/auction.rb
@ -29,7 +29,6 @@ post "/auctions" do
 		flash[:error] = AUCTION_ERRORS[:imagecount]
 		redirect "/auctions/new"
 	end
 	# 
 	# Create the auction
 	newid, resp = Auction.create user_id, title, description, init_price, delta_time
@ -91,12 +90,9 @@ get "/auctions/:id/delete" do
 		auth_denied unless auction.user_id == session[:userid] or get_current_user.admin?
 		# Delete everything related in the db
-		Auction.delete "id = ?", id
+		auction.delete 
 		Auction_Category_relation.delete "auction_id = ?", id
 		Bid.delete "auction_id = ?", id 
 		flash[:success] = "Removed post."
 		redirect "/auctions"
 	else
 		raise Sinatra::NotFound
--- a/src/views/admin/index.slim
+++ b/src/views/admin/index.slim
@ -6,8 +6,6 @@ div
        a.button href="#users" = "Users"
      li
        a.button href="#roles" = "Roles"
      li
        a.button href="#auctions" = "Auctions"
      li
        a.button href="#categories" = "Categories"
--- a/src/views/auction/index.slim
+++ b/src/views/auction/index.slim
@ -5,7 +5,7 @@
      .form-container
        form action="/auctions" method="get"
          label Title
-          input type="search" name="title" placeholder="ex: 'teapot'"
+          input type="search" name="title" placeholder="ex: 'teapot'" value="#{params[:title]}"
          label Price range
          .range-container
@ -25,7 +25,7 @@
                option value="#{category.id}" selected=("selected" if params[:categories] and params[:categories].include?(category.id.to_s)) style="color: #{category.color};" = "#{category.name}" 
          input type="submit" value="Search"
-      a.button href="/auctions" = "Clear Filters"
+        a.button href="/auctions" = "Clear Filters"
    article.post-container.card
      h2 Results
--- a/src/views/auction/view.slim
+++ b/src/views/auction/view.slim
@ -20,6 +20,7 @@
      h2
        span
          | #{auction.title}
      h3
        - if auction.user_id == session_user.id or session_user.admin?
          a.inlbutton href="/auctions/#{auction.id}/edit"
            | [Edit]
--- a/src/views/stylesheets/style.sass
+++ b/src/views/stylesheets/style.sass
@ -474,7 +474,7 @@ ul.list-container
  display: flex
  flex-direction: row
  justify-content: center
-  height: inherit
+  height: 90%
  max-width: 70rem
  a.button
@ -482,10 +482,14 @@ ul.list-container
    border-radius: $border_radius
  aside.card
    display: flex
    //justify-content: center
    flex-direction: column 
    width: 20rem
    margin-right: 4rem 
    margin-top: 4rem
    .form-container
      background: $bg_alt_clr
      padding: 8px
      form
        padding: 0
        width: inherit
@ -544,7 +548,6 @@ article.post-container
 #auctions_new
  display: grid
 #auction-view
  display: grid
  max-width: 70rem