From 9d85e8b43eb3e4d6f76ed5a86d1c396a0d80dfb6 Mon Sep 17 00:00:00 2001
From: i5heu
Date: Mon, 27 May 2024 12:29:01 +0000
Subject: [PATCH 1/2] Increase rate-limit for authenticated users on media proxy endpoints
---
 config/initializers/rack_attack.rb | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
index fa1bdca544..0e6659f16c 100644
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -82,8 +82,12 @@ class Rack::Attack
 req.authenticated_user_id if req.post? && req.path.match?(%r{\A/api/v\d+/media\z}i)
 end
- throttle('throttle_media_proxy', limit: 30, period: 10.minutes) do |req|
- req.throttleable_remote_ip if req.path.start_with?('/media_proxy')
+ throttle('throttle_authenticated_media_proxy', limit: 200, period: 10.minutes) do |req|
+ req.authenticated_user_id if req.path.start_with?('/media_proxy')
+ end
+
+ throttle('throttle_unauthenticated_media_proxy', limit: 30, period: 10.minutes) do |req|
+ req.throttleable_remote_ip if req.path.start_with?('/media_proxy') && req.unauthenticated?
 end
 throttle('throttle_api_sign_up', limit: 5, period: 30.minutes) do |req|
From 3434768ab71d550ee34a0f4cfec46c070e546288 Mon Sep 17 00:00:00 2001
From: Mia Heidenstedt
Date: Thu, 24 Apr 2025 18:55:52 +0200
Subject: [PATCH 2/2] Fix recognition of authenticated users
---
 config/initializers/rack_attack.rb | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
index 3bf4879305..cabb996c5e 100644
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
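Review bot: In the PATCH 1/2 hunk the two new throttles do not partition /media_proxy requests between them: the generous bucket is keyed on `req.authenticated_user_id`, while the IP bucket is gated on `req.unauthenticated?`, and nothing on this page shows the two to be complements. If `authenticated_user_id` can be nil for a request that `unauthenticated?` does not report as unauthenticated (a token with no resource owner, for instance) — to be confirmed against the Request helpers, which sit outside the hunk — such a request is counted in neither bucket, and a session-only user whose id is not surfaced by `authenticated_user_id` lands in the 30-per-10-minutes IP bucket. Gating the fallback on the same value that keys the primary bucket, `req.throttleable_remote_ip if req.path.start_with?('/media_proxy') && req.authenticated_user_id.nil?`, keeps every request in exactly one of the two. PATCH 2/2 below reworks both predicates around a shared identity expression, which addresses this; the enclosing `class Rack::Attack` body begins and ends outside the hunk.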
@@ -82,12 +82,16 @@ class Rack::Attack
 req.authenticated_user_id if req.post? && req.path.match?(%r{\A/api/v\d+/media\z}i)
 end
- throttle('throttle_authenticated_media_proxy', limit: 200, period: 10.minutes) do |req|
- req.authenticated_user_id if req.path.start_with?('/media_proxy')
+ throttle('throttle_media_proxy_authenticated', limit: 200, period: 10.minutes) do |req|
+ if req.path.start_with?('/media_proxy') && (req.authenticated_user_id || req.warden_user_id)
+ req.authenticated_user_id || req.warden_user_id
+ end
 end
-
- throttle('throttle_unauthenticated_media_proxy', limit: 30, period: 10.minutes) do |req|
- req.throttleable_remote_ip if req.path.start_with?('/media_proxy') && req.unauthenticated?
+
+ throttle('throttle_media_proxy_unauthenticated', limit: 30, period: 1.hour) do |req|
+ if req.path.start_with?('/media_proxy') && !req.authenticated_user_id && !req.warden_user_id
+ req.throttleable_remote_ip
+ end
 end
 throttle('throttle_api_sign_up', limit: 5, period: 30.minutes) do |req|
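Review bot: The `throttle_media_proxy_unauthenticated` line also widens the window from `10.minutes` to `1.hour` while keeping `limit: 30`, a six-fold tightening for anonymous clients that the subject line ("Fix recognition of authenticated users") does not announce; if each remote image on a public page is fetched through /media_proxy, anonymous viewers sharing an address (or a masked prefix, if `throttleable_remote_ip` masks one) can plausibly be throttled within a page view or two. Either split the period change into its own commit with its rationale, or record the reason in a comment above the throttle, e.g. `# Anonymous /media_proxy requests: 30 per IP per hour; signed-in users are keyed per account in the throttle above`. The authenticated block evaluates `req.authenticated_user_id || req.warden_user_id` twice, once in the guard and once as the result; since a throttle block that returns nil already skips the request, the three lines collapse to `req.authenticated_user_id || req.warden_user_id if req.path.start_with?('/media_proxy')`, which also keeps the one-line shape of the neighbouring throttles. The enclosing `class Rack::Attack` body begins and ends outside the hunk.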