FIX: Delete the invalid auth cookie even if you hit the rate limit

2025-02-25 18:55:32 -06:00 · 2018-02-09 19:09:54 -05:00
parent 2faa4c2f5f
commit 569e57f0a9
4 changed files with 27 additions and 6 deletions
--- a/lib/auth/default_current_user_provider.rb
+++ b/lib/auth/default_current_user_provider.rb
@@ -48,7 +48,7 @@ class Auth::DefaultCurrentUserProvider
    if auth_token && auth_token.length == 32
      limiter = RateLimiter.new(nil, "cookie_auth_#{request.ip}", COOKIE_ATTEMPTS_PER_MIN , 60)

-      if request.ip == "127.0.0.1" || request.ip == "::1" || limiter.can_perform?
+      if limiter.can_perform?
        @user_token = UserAuthToken.lookup(auth_token,
                                           seen: true,
                                           user_agent: @env['HTTP_USER_AGENT'],
@@ -62,7 +62,11 @@ class Auth::DefaultCurrentUserProvider
        begin
          limiter.performed!
        rescue RateLimiter::LimitExceeded
-          raise Discourse::InvalidAccess
+          raise Discourse::InvalidAccess.new(
+            'Invalid Access',
+            nil,
+            delete_cookie: TOKEN_COOKIE
+          )
        end
      end
    end