[STABLE] Add Rack::Attack

Gemfile

@@ -13,6 +13,7 @@ gem "rack-cors"
 gem "mysql"
 gem "database_cleaner"
 gem "rollbar"
+gem "rack-attack"
 
 group :development, :test do
   gem "sqlite3"

Gemfile.lock

@@ -102,6 +102,8 @@ GEM
       method_source (~> 0.8.1)
       slop (~> 3.4)
     rack (2.0.1)
+    rack-attack (5.0.1)
+      rack
     rack-cors (0.4.0)
     rack-test (0.6.3)
       rack (>= 1.0)
@@ -209,6 +211,7 @@ DEPENDENCIES
   mysql2
   pg
   pry
+  rack-attack
   rack-cors
   rails (= 5.0.0.1)
   rails-erd

config/initializers/rack_attack.rb

@@ -0,0 +1,22 @@
+class Rack::Attack
+  ### Throttle Spammy Clients ###
+  # Throttle all requests by IP 100 req/min
+  throttle('req/ip', limit: 500, period: 5.minutes) do |req|
+    req.ip
+  end
+
+  ### Prevent Brute-Force Login Attacks ###
+  # Throttle requests to /sign_in by IP address
+  throttle('logins/ip', limit: 5, period: 20.seconds) do |req|
+    if req.path.include?('/sign_in') && req.post?
+      req.ip
+    end
+  end
+end
+
+# Always allow requests from localhost
+# (blacklist & throttles are skipped)
+Rack::Attack.safelist('allow from localhost') do |req|
+  # Requests are allowed if the return value is truthy
+  '127.0.0.1' == req.ip || '::1' == req.ip
+end