From a13942d1b156afaabc1053fb72f24dd5fb95f6ad Mon Sep 17 00:00:00 2001 From: Miles Zhang Date: Tue, 2 Apr 2024 17:10:13 +0800 Subject: [PATCH] Issue 594 (#1727) * chore: api rate limit increase Signed-off-by: Miles Zhang * chore: configure dynamic cors Signed-off-by: Miles Zhang --------- Signed-off-by: Miles Zhang --- .env.example | 5 ++++- config/initializers/cors.rb | 14 +++++--------- config/initializers/rack_attack.rb | 6 +++--- 3 files changed, 12 insertions(+), 13 deletions(-) diff --git a/.env.example b/.env.example index 92e4a10ec..5312bae16 100644 --- a/.env.example +++ b/.env.example @@ -120,4 +120,7 @@ AUTH_ACCESS_EXPIRE=1296000 SECRET_KEY_BASE="" # -------------------------------- Bitcoin segment -------------------------------- -BITCOIN_NODE_URL="" \ No newline at end of file +BITCOIN_NODE_URL="" + +# Dynamic CORS configuration +PARTNER_DOMAINS="/localhost:\d*/" diff --git a/config/initializers/cors.rb b/config/initializers/cors.rb index e673c5386..fe507da1c 100644 --- a/config/initializers/cors.rb +++ b/config/initializers/cors.rb @@ -17,14 +17,10 @@ Rails.application.config.middleware.insert_before 0, Rack::Cors do allow do - origins "https://explorer.nervos.org", - "https://explorer-testnet.nervos.org", - "https://aggron.explorer.nervos.org", - "https://pudge.explorer.nervos.org", - "https://staging.explorer.nervos.org", - /\Ahttps:\/\/ckb-explorer-.*-magickbase.vercel.app\z/, - "http://localhost:3000", - (ENV["STAGING_DOMAIN"]).to_s - resource "*", headers: :any, methods: [:get, :post, :put, :head, :options] + origins ["https://explorer.nervos.org", + "https://pudge.explorer.nervos.org", + /\Ahttps:\/\/ckb-explorer-.*-magickbase.vercel.app\z/] + + ENV["PARTNER_DOMAINS"].to_s.split(",").map(&:strip).map { |x| x.start_with?("/") ? Regexp.new(x[1..-2]) : x } + resource "*", headers: :any, methods: %i[get post put head options] end end 
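Review bot: The dynamic origin built on the new `ENV["PARTNER_DOMAINS"]` line in config/initializers/cors.rb is unanchored, and rack-cors compares Regexp origins with `=~` as far as I recall, so a value like the `.env.example` sample `/localhost:\d*/` admits any Origin header that merely contains that substring rather than only local-dev origins. The conversion also tests only `start_with?("/")` yet always drops the last character via `x[1..-2]`, so a value missing its closing slash silently loses part of its pattern instead of failing. I would anchor and validate in one step, `.map { |x| x.start_with?("/") && x.end_with?("/") ? Regexp.new("\\A#{x[1..-2]}\\z") : x }`, and anchor the sample in the `.env.example` hunk to match. The carried-over literal `/\Ahttps:\/\/ckb-explorer-.*-magickbase.vercel.app\z/` has unescaped dots in `vercel.app`, a pre-existing weakness worth a `\.` while this list is being rewritten. Note that `STAGING_DOMAIN` is no longer read, so deployments that set it lose that origin unless it is moved into `PARTNER_DOMAINS`; the enclosing `Rack::Cors` block's trailing context lines are collapsed in this view.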
diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb index 5a60ad13d..2e3e48f92 100644 --- a/config/initializers/rack_attack.rb +++ b/config/initializers/rack_attack.rb @@ -23,8 +23,8 @@ class Rack::Attack # Throttle all requests by IP (60rpm) # # Key: "rack::attack:#{Time.now.to_i/:period}:req/ip:#{req.ip}" - throttle("req/ip", limit: 1500, period: 5.minutes) do |req| - req.env['HTTP_CF_CONNECTING_IP'] || req.ip # unless req.path.start_with?('/assets') + throttle("req/ip", limit: 3000, period: 5.minutes) do |req| + req.env["HTTP_CF_CONNECTING_IP"] || req.ip # unless req.path.start_with?('/assets') end ### Custom Throttle Response ### @@ -49,7 +49,7 @@ class Rack::Attack headers = { "RateLimit-Limit" => match_data[:limit].to_s, "RateLimit-Remaining" => "0", - "RateLimit-Reset" => (now + (match_data[:period] - now % match_data[:period])).to_s + "RateLimit-Reset" => (now + (match_data[:period] - now % match_data[:period])).to_s, } [429, headers, ["Throttled\n"]]
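Review bot: The throttle key in the new `throttle("req/ip", limit: 3000, period: 5.minutes)` block still prefers `req.env["HTTP_CF_CONNECTING_IP"]` over `req.ip` without anything establishing that the request actually arrived through Cloudflare, so on any path that reaches the app directly the bucket is chosen by a client-supplied header and the per-IP limit is not applied to the real source address. If the origin is only reachable via Cloudflare this is acceptable, but that assumption should be recorded or enforced, e.g. `# CF-Connecting-IP is trusted only because the origin is not directly reachable; fall back to req.ip if that changes`, or by using the header only when the peer address is within Cloudflare's published ranges. The context comment `# Throttle all requests by IP (60rpm)` is now further from the truth, since 3000 per 5 minutes is ~600 rpm; I would change it to `# Throttle all requests by IP (3000 per 5 minutes, ~600rpm)`. The second hunk adds only a trailing comma. The `Rack::Attack` class body starts and ends outside both hunks.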