Add ratelimiting on login (#4821)

Add two ratelimiters on login (per-IP address and per-userID).
2025-05-03 02:54:52 -04:00 · 2019-03-15 17:46:16 +00:00 · 2019-03-15 17:46:16 +00:00 · 899e523d6d
commit 899e523d6d
parent 3b7ceb2c69
11 changed files with 259 additions and 37 deletions
--- a/synapse/config/ratelimiting.py
+++ b/synapse/config/ratelimiting.py
@ -15,25 +15,30 @@
 from ._base import Config


+class RateLimitConfig(object):
+    def __init__(self, config):
+        self.per_second = config.get("per_second", 0.17)
+        self.burst_count = config.get("burst_count", 3.0)
+
+
 class RatelimitConfig(Config):

    def read_config(self, config):
        self.rc_messages_per_second = config["rc_messages_per_second"]
        self.rc_message_burst_count = config["rc_message_burst_count"]

+        self.rc_registration = RateLimitConfig(config.get("rc_registration", {}))
+
+        rc_login_config = config.get("rc_login", {})
+        self.rc_login_address = RateLimitConfig(rc_login_config.get("address", {}))
+        self.rc_login_account = RateLimitConfig(rc_login_config.get("account", {}))
+
        self.federation_rc_window_size = config["federation_rc_window_size"]
        self.federation_rc_sleep_limit = config["federation_rc_sleep_limit"]
        self.federation_rc_sleep_delay = config["federation_rc_sleep_delay"]
        self.federation_rc_reject_limit = config["federation_rc_reject_limit"]
        self.federation_rc_concurrent = config["federation_rc_concurrent"]

-        self.rc_registration_requests_per_second = config.get(
-            "rc_registration_requests_per_second", 0.17,
-        )
-        self.rc_registration_request_burst_count = config.get(
-            "rc_registration_request_burst_count", 3,
-        )
-
    def default_config(self, **kwargs):
        return """\
        ## Ratelimiting ##
@ -46,6 +51,34 @@ class RatelimitConfig(Config):
        #
        rc_message_burst_count: 10.0

+        # Ratelimiting settings for registration and login.
+        #
+        # Each ratelimiting configuration is made of two parameters:
+        #   - per_second: number of requests a client can send per second.
+        #   - burst_count: number of requests a client can send before being throttled.
+        #
+        # Synapse currently uses the following configurations:
+        #   - one for registration that ratelimits registration requests based on the
+        #     client's IP address.
+        #   - one for login that ratelimits login requests based on the client's IP
+        #     address.
+        #   - one for login that ratelimits login requests based on the account the
+        #     client is attempting to log into.
+        #
+        # The defaults are as shown below.
+        #
+        #rc_registration:
+        #  per_second: 0.17
+        #  burst_count: 3
+        #
+        #rc_login:
+        #  address:
+        #    per_second: 0.17
+        #    burst_count: 3
+        #  account:
+        #    per_second: 0.17
+        #    burst_count: 3
+
        # The federation window size in milliseconds
        #
        federation_rc_window_size: 1000
@ -69,15 +102,4 @@ class RatelimitConfig(Config):
        # single server
        #
        federation_rc_concurrent: 3
-
-        # Number of registration requests a client can send per second.
-        # Defaults to 1/minute (0.17).
-        #
-        #rc_registration_requests_per_second: 0.17
-
-        # Number of registration requests a client can send before being
-        # throttled.
-        # Defaults to 3.
-        #
-        #rc_registration_request_burst_count: 3.0
        """