chore: Rate limits on widget conversation endpoints (#3162)

- Limit widget conversation creation to 6 per 12 hours
- Enable rack attack by default

.env.example

@@ -169,7 +169,7 @@ USE_INBOX_AVATAR_FOR_BOT=true
 
 ## Rack Attack configuration
 ## To prevent and throttle abusive requests
-# ENABLE_RACK_ATTACK=false
+# ENABLE_RACK_ATTACK=true
 
 
 ## Running chatwoot as an API only server

config/initializers/rack_attack.rb

@@ -52,6 +52,16 @@ class Rack::Attack
     req.ip if req.path == '/api/v1/accounts' && req.post?
   end
 
+  ## Prevent Conversation Bombing on Widget APIs ###
+  throttle('api/v1/widget/conversations', limit: 6, period: 12.hours) do |req|
+    req.ip if req.path == '/api/v1/widget/conversations' && req.post?
+  end
+
+  ## Prevent Contact update Bombing in Widget API ###
+  throttle('api/v1/widget/contacts', limit: 60, period: 1.hour) do |req|
+    req.ip if req.path == '/api/v1/widget/contacts' && (req.patch? || req.put?)
+  end
+
   # ref: https://github.com/rack/rack-attack/issues/399
   throttle('login/email', limit: 20, period: 5.minutes) do |req|
     if req.path == '/auth/sign_in' && req.post?
@@ -75,4 +85,4 @@ ActiveSupport::Notifications.subscribe('throttle.rack_attack') do |_name, _start
   Rails.logger.info "[Rack::Attack][Blocked] remote_ip: \"#{payload[:request].remote_ip}\", path: \"#{payload[:request].path}\""
 end
 
-Rack::Attack.enabled = ActiveModel::Type::Boolean.new.cast(ENV.fetch('ENABLE_RACK_ATTACK', false))
+Rack::Attack.enabled = ActiveModel::Type::Boolean.new.cast(ENV.fetch('ENABLE_RACK_ATTACK', true))