Fix rate-limiting incorrectly triggering a session cookie on most end…

…points (mastodon#30483)
NeuromatchAcademy · May 30, 2024 · 73a78cc · 73a78cc
1 parent 3fa0dd0
commit 73a78cc
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
@@ -30,7 +30,7 @@ def throttleable_remote_ip
     end
 
     def authenticated_user_id
-      authenticated_token&.resource_owner_id || warden_user_id
+      authenticated_token&.resource_owner_id
     end
 
     def authenticated_token_id
@@ -142,7 +142,7 @@ def paging_request?
   end
 
   throttle('throttle_password_change/account', limit: 10, period: 10.minutes) do |req|
-    req.authenticated_user_id if req.put? || (req.patch? && req.path_matches?('/auth'))
+    req.warden_user_id if req.put? || (req.patch? && req.path_matches?('/auth'))
   end
 
   self.throttled_responder = lambda do |request|