FIX: prevent DDoS with lots of _oneboxable_ links

FIX: ensure the onebox route is only allowed to logged in users FIX: only allow 1 outgoing onebox preview per user FIX: client should only do 1 preview at a time
2025-02-25 18:55:32 -06:00 · 2016-12-20 00:31:10 +01:00
parent 6965079108
commit 52cd9972bb
6 changed files with 151 additions and 52 deletions
--- a/app/controllers/onebox_controller.rb
+++ b/app/controllers/onebox_controller.rb
@@ -1,16 +1,32 @@
 require_dependency 'oneboxer'

 class OneboxController < ApplicationController
+  before_filter :ensure_logged_in

  def show
-    result = Oneboxer.preview(params[:url], invalidate_oneboxes: params[:refresh] == 'true')
-    result.strip! if result.present?
+    params.require(:user_id)

-    # If there is no result, return a 404
-    if result.blank?
+    preview = Oneboxer.cached_preview(params[:url])
+    preview.strip! if preview.present?
+
+    return render(text: preview) if preview.present?
+
+    # only 1 outgoing preview per user
+    return render(nothing: true, status: 429) if Oneboxer.is_previewing?(params[:user_id])
+
+    Oneboxer.preview_onebox!(params[:user_id])
+
+    preview = Oneboxer.preview(params[:url], invalidate_oneboxes: params[:refresh] == 'true')
+    preview.strip! if preview.present?
+
+    Scheduler::Defer.later("Onebox previewed") {
+      Oneboxer.onebox_previewed!(params[:user_id])
+    }
+
+    if preview.blank?
      render nothing: true, status: 404
    else
-      render text: result
+      render text: preview
    end
  end