Cache what a crop is harvested for (#4582)

Add Rack::Attack rate limiting and Fail2Ban protection

Gemfile

@@ -116,6 +116,8 @@ gem 'xmlrpc' # fixes rake error - can be removed if not needed later
 
 gem 'puma'
 
+gem 'rack-attack'
+
 gem 'loofah', '>= 2.19.1'
 gem 'rack-protection', '>= 2.0.1'
 

Gemfile.lock

@@ -503,6 +503,8 @@ GEM
     query_diet (0.7.3)
     racc (1.8.1)
     rack (2.2.23)
+    rack-attack (6.8.0)
+      rack (>= 1.0, < 4)
     rack-cors (2.0.2)
       rack (>= 2.0.0)
     rack-protection (3.2.0)
@@ -841,6 +843,7 @@ DEPENDENCIES
   pry
   puma
   query_diet
+  rack-attack
   rack-cors
   rack-protection (>= 2.0.1)
   rails (~> 7.2.0)

app/controllers/charts/crops_controller.rb

@@ -14,9 +14,12 @@ module Charts
 
     def harvested_for
       @crop = Crop.find_by!(slug: params[:crop_slug])
-      render json: Harvest.joins(:plant_part)
+      data = Rails.cache.fetch("#{@crop.cache_key_with_version}/harvested_for", expires_in: 1.day) do
-        .where(crop: @crop)
+        Harvest.joins(:plant_part)
-        .group("plant_parts.name").count(:id)
+          .where(crop: @crop)
+          .group("plant_parts.name").count(:id)
+      end
+      render json: data
     end
 
     private

app/models/member.rb

@@ -196,4 +196,25 @@ class Member < ApplicationRecord
   def get_block(member)
     blocks.find_by(blocked_id: member.id) if already_blocking?(member)
   end
+
+  def has_activity?
+    (gardens.exists? && gardens.count > 1) ||
+      plantings.exists? ||
+      harvests.exists? ||
+      seeds.exists? ||
+      photos.exists? ||
+      forums.exists? ||
+      activities.exists? ||
+      posts.exists? ||
+      comments.exists? ||
+      requested_crops.exists? ||
+      created_crops.exists? ||
+      likes.exists? ||
+      created_alternate_names.exists? ||
+      created_scientific_names.exists? ||
+      follows.exists? ||
+      inverse_follows.exists? ||
+      blocks.exists? ||
+      inverse_blocks.exists?
+  end
 end

app/views/alternate_names/_form.html.haml

@@ -22,8 +22,8 @@
       .form-group
         = f.label :crop_id, class: 'control-label col-md-2'
         .col-md-8
-          = collection_select(:alternate_name, :crop_id,
+          = select(:alternate_name, :crop_id,
-                              Crop.all, :id, :name,
+                              Crop.order(:name).pluck(:name, :id),
                               { selected: @alternate_name.crop_id || @crop.id },
                               class: 'form-control')
 

app/views/crops/_form.html.haml

@@ -85,7 +85,7 @@
 
       -# Only crop wranglers see the crop hierarchy (for now)
       - if can? :wrangle, @crop
-        = f.collection_select(:parent_id, Crop.all.order(:name), :id, :name,
+        = f.select(:parent_id, Crop.order(:name).pluck(:name, :id),
           { include_blank: true, label: 'Parent crop'})
         %span.help-block Optional. For setting up crop hierarchies for varieties etc.
 

app/views/crops/show.html.haml

@@ -73,10 +73,11 @@
               = pie_chart crop_harvested_for_path(@crop, format: :json), legend: "bottom"
 
     - if @crop.varieties.any?
-      %section.varieties
+      - cache [@crop, 'varieties'] do
-        %h2 Varieties
+        %section.varieties
-        .index-cards
+          %h2 Varieties
-          = render 'varieties', crop: @crop
+          .index-cards
+            = render 'varieties', crop: @crop
 
     %section.crop-map
       %h2
@@ -134,9 +135,11 @@
     = render 'harvests', crop: @crop
     = render 'find_seeds', crop: @crop
 
-    = render 'openfarm_data', crop: @crop
+    - cache [@crop, 'openfarm_data'] do
+      = render 'openfarm_data', crop: @crop
 
-    = render 'nutritional_data', crop: @crop
+    - cache [@crop, 'nutritional_data'] do
+      = render 'nutritional_data', crop: @crop
 
     = cute_icon
     .card

app/views/scientific_names/_form.html.haml

@@ -17,8 +17,8 @@
   .form-group
     = f.label :crop_id, class: 'control-label col-md-2'
     .col-md-8
-      = collection_select(:scientific_name, :crop_id, Crop.all.order(:name), :id,
+      = select(:scientific_name, :crop_id, Crop.order(:name).pluck(:name, :id),
-        :name, { selected: @scientific_name.crop_id || @crop.id },
+        { selected: @scientific_name.crop_id || @crop.id },
         class: 'form-control')
   .form-group
     = f.label :name, class: 'control-label col-md-2'

config/application.rb

@@ -73,6 +73,8 @@ module Growstuff
     config.newsletter_list_id = ENV.fetch('GROWSTUFF_MAILCHIMP_NEWSLETTER_ID', nil)
 
     # config.active_record.raise_in_transactional_callbacks = true
+    config.middleware.insert_before 0, Rack::Attack
+
     config.middleware.insert_before 0, Rack::Cors do
       allow do
         origins '*'

config/initializers/rack_attack.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+class Rack::Attack
+  ### Throttle Config ###
+
+  if Rails.env.production?
+    # Throttle requests to /plantings, /harvests, and /members to 10 per minute per IP
+    # Includes API routes
+    throttle('req/ip/restricted_routes', limit: 20, period: 1.minute) do |req|
+      if req.path =~ %r{^/(plantings|harvests|members)(/|$)} || req.path =~ %r{^/api/v1/(plantings|harvests|members)(/|$)}
+        req.ip
+      end
+    end
+
+    ### Fail2Ban Config ###
+
+    # Block IPs that make too many requests to suspicious paths
+    # After 5 "bad" requests in 10 minutes, block the IP for 1 hour
+    blocklist('fail2ban/pentesters') do |req|
+      Fail2Ban.filter("pentesters-#{req.ip}", maxretry: 5, findtime: 10.minutes, bantime: 1.hour) do
+        # The count for the IP is incremented if the return value is truthy.
+        req.path.include?('wp-admin') ||
+          req.path.include?('wp-login') ||
+          req.path.include?('cgi-bin') ||
+          req.path.end_with?('.php', '.asp', '.aspx', '.jsp', '.exe', '.env', '.git')
+      end
+    end
+  end
+
+  ### Custom Response Headers ###
+
+  # Add Retry-After header to throttled responses
+  self.throttled_response_retry_after_header = true
+end

lib/tasks/members.rake

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+namespace :members do
+  desc "Remove inactive members with no activity and last login > 24 months ago"
+  # usage: rake members:cleanup_inactive
+  # usage: DRY_RUN=true rake members:cleanup_inactive
+  task cleanup_inactive: :environment do
+    limit_date = 3.years.ago
+    dry_run = ENV.fetch('DRY_RUN', 'false') == 'true'
+
+    inactive_members = Member.where("last_sign_in_at < ? OR (last_sign_in_at IS NULL AND created_at < ?)", limit_date, limit_date)
+
+    count = 0
+    inactive_members.find_each do |member|
+      # Check for activity using the model method
+      unless member.has_activity?
+        if dry_run
+          puts "[DRY RUN] Would delete inactive member: #{member.login_name} (ID: #{member.id}, Last login: #{member.last_sign_in_at || 'Never'}, Created: #{member.created_at})"
+        else
+          puts "Deleting inactive member: #{member.login_name} (ID: #{member.id}, Last login: #{member.last_sign_in_at || 'Never'}, Created: #{member.created_at})"
+          member.destroy
+        end
+        count += 1
+      end
+    end
+
+    if dry_run
+      puts "Total inactive members that would be deleted: #{count}"
+    else
+      puts "Total inactive members deleted: #{count}"
+    end
+  end
+end

spec/tasks/members_spec.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'rake'
+
+describe 'members:cleanup_inactive' do
+  before :all do
+    Rails.application.load_tasks
+  end
+
+  let(:cleanup_task) { Rake::Task['members:cleanup_inactive'] }
+
+  before do
+    cleanup_task.reenable
+  end
+
+  it "deletes inactive members with no gardens and no other activity" do
+    inactive_no_activity = create(:member, last_sign_in_at: 25.months.ago)
+
+    # We must explicitly remove the default garden to test the "no gardens" condition
+    inactive_no_activity.gardens.destroy_all
+    expect(inactive_no_activity.gardens.count).to eq(0)
+
+    cleanup_task.invoke
+
+    expect(Member.exists?(inactive_no_activity.id)).to be_falsey
+  end
+
+  it "does not delete inactive members with a garden (even if empty)" do
+    inactive_with_garden = create(:member, last_sign_in_at: 25.months.ago)
+    # They have 1 default garden
+    expect(inactive_with_garden.gardens.count).to eq(1)
+
+    cleanup_task.invoke
+
+    expect(Member.exists?(inactive_with_garden.id)).to be_truthy
+  end
+
+  it "does not delete members with recent login" do
+    recent_member = create(:member, last_sign_in_at: 1.month.ago)
+    recent_member.gardens.destroy_all
+
+    cleanup_task.invoke
+
+    expect(Member.exists?(recent_member.id)).to be_truthy
+  end
+
+  it "does not delete inactive members with activity (posts)" do
+    inactive_with_post = create(:member, last_sign_in_at: 25.months.ago)
+    inactive_with_post.gardens.destroy_all
+    create(:post, author: inactive_with_post)
+
+    cleanup_task.invoke
+
+    expect(Member.exists?(inactive_with_post.id)).to be_truthy
+  end
+
+  it "honors DRY_RUN environment variable" do
+    inactive_no_activity = create(:member, last_sign_in_at: 25.months.ago)
+    inactive_no_activity.gardens.destroy_all
+
+    ENV['DRY_RUN'] = 'true'
+    cleanup_task.invoke
+    ENV['DRY_RUN'] = nil
+
+    expect(Member.exists?(inactive_no_activity.id)).to be_truthy
+  end
+end