Cache what a crop is harvested for (#4582 )

Merge pull request #4581 from Growstuff/add-rack-attack-protection-3014929071908440304
Add Rack::Attack rate limiting and Fail2Ban protection
2026-05-25 01:13:03 -04:00 · 2026-04-27 13:32:45 +09:30 · 2026-04-27 13:23:17 +09:30 · 2026-04-27 03:52:11 +00:00
5 changed files with 47 additions and 3 deletions
--- a/2
+++ b/2
@@ -116,6 +116,8 @@ gem 'xmlrpc' # fixes rake error - can be removed if not needed later

 gem 'puma'

+gem 'rack-attack'
+
 gem 'loofah', '>= 2.19.1'
 gem 'rack-protection', '>= 2.0.1'

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -503,6 +503,8 @@ GEM
    query_diet (0.7.3)
    racc (1.8.1)
    rack (2.2.23)
+    rack-attack (6.8.0)
+      rack (>= 1.0, < 4)
    rack-cors (2.0.2)
      rack (>= 2.0.0)
    rack-protection (3.2.0)
@@ -841,6 +843,7 @@ DEPENDENCIES
  pry
  puma
  query_diet
+  rack-attack
  rack-cors
  rack-protection (>= 2.0.1)
  rails (~> 7.2.0)
--- a/app/controllers/charts/crops_controller.rb
+++ b/app/controllers/charts/crops_controller.rb
@@ -14,9 +14,12 @@ module Charts

    def harvested_for
      @crop = Crop.find_by!(slug: params[:crop_slug])
-      render json: Harvest.joins(:plant_part)
-        .where(crop: @crop)
-        .group("plant_parts.name").count(:id)
+      data = Rails.cache.fetch("#{@crop.cache_key_with_version}/harvested_for", expires_in: 1.day) do
+        Harvest.joins(:plant_part)
+          .where(crop: @crop)
+          .group("plant_parts.name").count(:id)
+      end
+      render json: data
    end

    private
--- a/config/application.rb
+++ b/config/application.rb
@@ -73,6 +73,8 @@ module Growstuff
    config.newsletter_list_id = ENV.fetch('GROWSTUFF_MAILCHIMP_NEWSLETTER_ID', nil)

    # config.active_record.raise_in_transactional_callbacks = true
+    config.middleware.insert_before 0, Rack::Attack
+
    config.middleware.insert_before 0, Rack::Cors do
      allow do
        origins '*'
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+class Rack::Attack
+  ### Throttle Config ###
+
+  if Rails.env.production?
+    # Throttle requests to /plantings, /harvests, and /members to 10 per minute per IP
+    # Includes API routes
+    throttle('req/ip/restricted_routes', limit: 20, period: 1.minute) do |req|
+      if req.path =~ %r{^/(plantings|harvests|members)(/|$)} || req.path =~ %r{^/api/v1/(plantings|harvests|members)(/|$)}
+        req.ip
+      end
+    end
+
+    ### Fail2Ban Config ###
+
+    # Block IPs that make too many requests to suspicious paths
+    # After 5 "bad" requests in 10 minutes, block the IP for 1 hour
+    blocklist('fail2ban/pentesters') do |req|
+      Fail2Ban.filter("pentesters-#{req.ip}", maxretry: 5, findtime: 10.minutes, bantime: 1.hour) do
+        # The count for the IP is incremented if the return value is truthy.
+        req.path.include?('wp-admin') ||
+          req.path.include?('wp-login') ||
+          req.path.include?('cgi-bin') ||
+          req.path.end_with?('.php', '.asp', '.aspx', '.jsp', '.exe', '.env', '.git')
+      end
+    end
+  end
+
+  ### Custom Response Headers ###
+
+  # Add Retry-After header to throttled responses
+  self.throttled_response_retry_after_header = true
+end
Author	SHA1	Message	Date
Daniel O'Connor	bd637c3310	Cache what a crop is harvested for (#4582 )	2026-04-27 13:32:45 +09:30
Daniel O'Connor	9abb0d02b9	Merge pull request #4581 from Growstuff/add-rack-attack-protection-3014929071908440304 Add Rack::Attack rate limiting and Fail2Ban protection	2026-04-27 13:23:17 +09:30
Daniel O'Connor	2e56f8cb2f	Cache what a crop is harvested for	2026-04-27 03:52:11 +00:00