zulip/requirements
Alex Vandiver 49ad188449 rate_limit: Add a flag to lump all TOR exit node IPs together.
TOR users are legitimate users of the system; however, that system can
also be used for abuse -- specifically, by evading IP-based
rate-limiting.

For the purposes of IP-based rate-limiting, add a
RATE_LIMIT_TOR_TOGETHER flag, defaulting to false, which lumps all
requests from TOR exit nodes into the same bucket.  This may allow a
TOR user to deny other TOR users access to the find-my-account and
new-realm endpoints, but this is a low cost for cutting off a
significant potential abuse vector.

If enabled, the list of TOR exit nodes is fetched from their public
endpoint once per hour, via a cron job, and cached on disk.  Django
processes load this data from disk, and cache it in memcached.
Requests are spared from the burden of checking disk on failure via a
circuitbreaker, which trips if there are two failures in a row, and
only begins trying again after 10 minutes.
2021-11-16 11:42:00 -08:00
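The mechanism the commit message describes, as an added example that is not Zulip's own code: a rate-limit bucket key that lumps every TOR exit-node address into one shared bucket when the flag is on, with the on-disk exit-node list read through a circuit breaker that trips after two consecutive failures and refuses to touch disk for ten minutes before probing again. The class and function names, the in-process cache standing in for memcached, the shared bucket name and the sample addresses are assumptions made for this illustration.

```python
"""Added example (not Zulip's code): TOR exit-node lumping for IP rate limits,
with the cron-written exit-node file read through a circuit breaker.  Names,
the cache layout and the sample addresses are assumptions for illustration."""
import time
from typing import Callable, FrozenSet, Optional

# Constructed sample of the file the hourly cron job would have written
# (documentation-range addresses, not real exit nodes).
SAMPLE_EXIT_NODES: FrozenSet[str] = frozenset({"203.0.113.7", "198.51.100.42"})
TOR_BUCKET = "tor-exit-nodes"  # hypothetical shared bucket key


class CircuitOpen(Exception):
    """Raised when the breaker refuses a call without attempting it."""


class CircuitBreaker:
    """Trips after `failure_threshold` consecutive failures; refuses calls for
    `recovery_timeout` seconds, then lets a single probe call through."""

    def __init__(self, failure_threshold: int = 2, recovery_timeout: float = 600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.failure_threshold = failure_threshold
        self.recovery_timeout = recovery_timeout
        self.clock = clock
        self.consecutive_failures = 0
        self.opened_at: Optional[float] = None

    def is_open(self) -> bool:
        if self.opened_at is None:
            return False
        # Once the timeout has elapsed the breaker is half-open: one attempt goes through.
        return self.clock() - self.opened_at < self.recovery_timeout

    def call(self, fn: Callable[[], FrozenSet[str]]) -> FrozenSet[str]:
        if self.is_open():
            raise CircuitOpen()
        try:
            result = fn()
        except Exception:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.failure_threshold:
                self.opened_at = self.clock()  # (re)open the circuit
            raise
        self.consecutive_failures = 0
        self.opened_at = None
        return result


def load_exit_nodes_from_disk(path: str) -> FrozenSet[str]:
    """Read the cron job's cache file: one exit-node IP per line (assumed layout)."""
    with open(path) as f:
        return frozenset(line.strip() for line in f if line.strip())


class ExitNodeCache:
    """In-process stand-in for the memcached layer: serves the last loaded set
    for `ttl` seconds and only goes to disk (through the breaker) on a miss."""

    def __init__(self, loader: Callable[[], FrozenSet[str]], breaker: CircuitBreaker,
                 ttl: float = 3600.0, clock: Callable[[], float] = time.monotonic) -> None:
        self.loader = loader
        self.breaker = breaker
        self.ttl = ttl
        self.clock = clock
        self.cached: Optional[FrozenSet[str]] = None
        self.loaded_at = 0.0

    def get(self) -> FrozenSet[str]:
        now = self.clock()
        if self.cached is not None and now - self.loaded_at < self.ttl:
            return self.cached
        try:
            self.cached = self.breaker.call(self.loader)
            self.loaded_at = now
        except (CircuitOpen, OSError):
            # Fail open: without a list, fall back to per-IP limiting (stale
            # data if we have it) rather than refusing every request.
            return self.cached if self.cached is not None else frozenset()
        return self.cached


def rate_limit_key(client_ip: str, exit_nodes: FrozenSet[str], tor_together: bool) -> str:
    """Bucket key for IP-based rate limiting: one shared bucket for all TOR exit
    nodes when the flag is on, otherwise the client's own address."""
    if tor_together and client_ip in exit_nodes:
        return TOR_BUCKET
    return client_ip


if __name__ == "__main__":
    cache = ExitNodeCache(lambda: SAMPLE_EXIT_NODES, CircuitBreaker())
    for ip in ("203.0.113.7", "192.0.2.1"):
        print(ip, "->", rate_limit_key(ip, cache.get(), tor_together=True))
```

The breaker counts only consecutive failures, so a single transient read error does not trip it; after the ten-minute window the next request is the probe, and a further failure reopens the circuit from that moment. Failing open (per-IP buckets instead of the shared one) keeps the service up when the list is unavailable, which is the trade-off the commit message accepts.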

The dependency graph of the requirements is as follows:

dev +-> prod +-> common
    +
    |
    v
mypy,docs,pip

Of these files, only dev, prod, and mypy are used directly by the install scripts; the rest are implicit dependencies.

Steps to update a lock file, e.g. to update ipython from 5.3.0 to the latest version:

  1. Remove the entry for ipython==5.3.0 from dev.txt.
  2. Run ./tools/update-locked-requirements, which will generate new entries pinned to the latest version.
  3. Increase PROVISION_VERSION in version.py.
  4. Run ./tools/provision to install the new dependencies and test them.
  5. Commit your changes.