From 10a9b3b3c245fa50186c8ea76bc24f1a9a7019e2 Mon Sep 17 00:00:00 2001
From: Chris Beer
Date: Mon, 8 Jul 2024 15:37:35 -0700
Subject: [PATCH] Throttle email, sms, citation and fulltext actions.

---
 config/initializers/rack_attack.rb | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
index 1ce64418a..f992b78b4 100644
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -50,6 +50,16 @@
 req.ip if route[:controller] == 'articles' && route[:action] == 'show'
 end
+ Rack::Attack.throttle('req/actions/ip', limit: 10, period: 1.minute) do |req|
+ route = begin
+ Rails.application.routes.recognize_path(req.path) || {}
+ rescue StandardError
+ {}
+ end
+
+ req.ip if route[:action].in? %w[email sms citation fulltext_link]
+ end
+
 # Throttle article searching based on badly behaved user agent (device farm)?
 # Bots seem to be rotating IPs or using multiple devices as of April 2023
 # See error reports e.g. https://app.honeybadger.io/projects/50022/faults/34763067
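Review bot: `Rails.application.routes.recognize_path(req.path)` in the new `req/actions/ip` throttle resolves the path as a GET by default, so if any of the `email`, `sms`, `citation` or `fulltext_link` routes only accept POST (the routes file is not in this hunk), recognition raises a RoutingError, the `rescue StandardError` turns it into `{}`, and the throttle silently never fires for exactly the form-submission requests it is meant to rate-limit. Passing the real verb through closes that gap: `Rails.application.routes.recognize_path(req.path, method: req.request_method) || {}`. The `articles`/`show` throttle just above uses the same GET-only lookup, which is harmless there but means the pattern would not have surfaced this. The route recognition and its rescue are now duplicated between the two throttles; a single helper (e.g. `recognized_route(req)`) would keep the method handling and the fallback in one place. The enclosing `Rack::Attack` configuration continues outside the hunk.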