Skip to content

E
edx-platform
Commit 819977d5 by Ahsan Ulhaq
Options

Rate limited /oauth2/access_token/ 

There has been some reports about attack on /oauth2/access_token/.
This cause LMS to be down. This is being resolved by rate limiting the
endpoint.
LEARNER-3393
parent 93c3f5f9
Showing with 11 additions and 1 deletions
lms/envs/common.py
......@@ -3456,3 +3456,6 @@ ACE_ROUTING_KEY = LOW_PRIORITY_QUEUE
# Initialize to 'unknown', but read from JSON in aws.py
EDX_PLATFORM_REVISION = 'unknown'
############### Settings for Django Rate limit #####################
RATELIMIT_ENABLE = True
openedx/core/djangoapps/oauth_dispatch/views.py
......@@ -17,6 +17,8 @@ from edx_oauth2_provider import views as dop_views # django-oauth2-provider vie
from jwkest.jwk import RSAKey
from oauth2_provider import models as dot_models # django-oauth-toolkit
from oauth2_provider import views as dot_views
from ratelimit import ALL
from ratelimit.mixins import RatelimitMixin
from openedx.core.djangoapps.auth_exchange import views as auth_exchange_views
from openedx.core.lib.token_utils import JwtBuilder
......@@ -83,12 +85,16 @@ class _DispatchingView(View):
return request.POST.get('client_id')
class AccessTokenView(_DispatchingView):
class AccessTokenView(RatelimitMixin, _DispatchingView):
"""
Handle access token requests.
"""
dot_view = dot_views.TokenView
dop_view = dop_views.AccessTokenView
ratelimit_key = 'ip'
ratelimit_rate = '30/m'
ratelimit_block = True
ratelimit_method = ALL
def dispatch(self, request, *args, **kwargs):
response = super(AccessTokenView, self).dispatch(request, *args, **kwargs)
......
requirements/edx/base.txt
......@@ -26,6 +26,7 @@ django-mptt>=0.8.6,<0.9
django-oauth-toolkit==0.12.0
django-pipeline-forgiving==1.0.0
django-pyfs==1.0.7
django-ratelimit==1.1.0
django-sekizai>=0.10
django-ses==0.8.4
django-simple-history==1.9.0
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment