Expand throttle to include string targets

app/controllers/concerns/idv_session.rb

@@ -41,7 +41,10 @@ def idv_session
   end
 
   def idv_attempter_throttled?
-    Throttler::IsThrottled.call(effective_user.id, :idv_resolution)
+    Throttle.for(
+      user: effective_user,
+      throttle_type: :idv_resolution,
+    ).throttled?
   end
 
   def redirect_unless_effective_user

app/controllers/idv/capture_doc_status_controller.rb

@@ -50,7 +50,10 @@ def document_capture_session
     end
 
     def throttled?
-      Throttler::IsThrottled.call(document_capture_session.user_id, :idv_acuant)
+      Throttle.for(
+        user: document_capture_session.user,
+        throttle_type: :idv_acuant,
+      ).throttled?
     end
   end
 end

app/controllers/idv/gpo_controller.rb

@@ -137,15 +137,18 @@ def form_response(result, success)
     end
 
     def idv_throttle_params
-      [idv_session.current_user.id, :idv_resolution]
+      {
+        user: idv_session.current_user,
+        throttle_type: :idv_resolution,
+      }
     end
 
     def idv_attempter_increment
-      Throttler::Increment.call(*idv_throttle_params)
+      Throttle.for(**idv_throttle_params).increment
     end
 
     def idv_attempter_throttled?
-      Throttler::IsThrottled.call(*idv_throttle_params)
+      Throttle.for(**idv_throttle_params).throttled?
     end
 
     def throttle_failure

app/controllers/idv/session_errors_controller.rb

@@ -1,6 +1,7 @@
 module Idv
   class SessionErrorsController < ApplicationController
     include IdvSession
+    include EffectiveUser
 
     before_action :confirm_two_factor_authenticated_or_user_id_in_session
     before_action :confirm_idv_session_step_needed
@@ -12,7 +13,10 @@ def warning
     private
 
     def remaining_step_attempts
-      Throttler::RemainingCount.call(user_id, :idv_resolution)
+      Throttle.for(
+        user: effective_user,
+        throttle_type: :idv_resolution,
+      ).remaining_count
     end
 
     def confirm_two_factor_authenticated_or_user_id_in_session
@@ -25,12 +29,5 @@ def confirm_idv_session_step_needed
       return unless user_fully_authenticated?
       redirect_to idv_phone_url if idv_session.profile_confirmation == true
     end
-
-    def user_id
-      doc_capture_user_id = session[:doc_capture_user_id]
-      return doc_capture_user_id if doc_capture_user_id.present?
-
-      current_user.id
-    end
   end
 end

app/controllers/users/verify_account_controller.rb

@@ -12,7 +12,7 @@ def index
       @verify_account_form = VerifyAccountForm.new(user: current_user)
       @code = session[:last_gpo_confirmation_code] if FeatureManagement.reveal_gpo_code?
 
-      if Throttler::IsThrottled.call(current_user.id, :verify_gpo_key)
+      if throttle.throttled?
         render_throttled
       else
         render :index
@@ -22,12 +22,7 @@ def index
     def create
       @verify_account_form = build_verify_account_form
 
-      throttled = Throttler::IsThrottledElseIncrement.call(
-        current_user.id,
-        :verify_gpo_key,
-      )
-
-      if throttled
+      if throttle.throttled_else_increment?
         render_throttled
       else
         result = @verify_account_form.submit
@@ -52,6 +47,13 @@ def create
 
     private
 
+    def throttle
+      @throttle ||= Throttle.for(
+        user: current_user,
+        throttle_type: :verify_gpo_key,
+      )
+    end
+
     def render_throttled
       analytics.track_event(
         Analytics::THROTTLER_RATE_LIMIT_TRIGGERED,

app/controllers/users/verify_personal_key_controller.rb

@@ -13,20 +13,15 @@ def new
         personal_key: '',
       )
 
-      if Throttler::IsThrottled.call(current_user.id, :verify_personal_key)
+      if throttle.throttled?
         render_throttled
       else
         render :new
       end
     end
 
     def create
-      throttled = Throttler::IsThrottledElseIncrement.call(
-        current_user.id,
-        :verify_personal_key,
-      )
-
-      if throttled
+      if throttle.throttled_else_increment?
         render_throttled
       else
         result = personal_key_form.submit
@@ -42,6 +37,13 @@ def create
 
     private
 
+    def throttle
+      @throttle ||= Throttle.for(
+        user: current_user,
+        throttle_type: :verify_personal_key,
+      )
+    end
+
     def render_throttled
       analytics.track_event(
         Analytics::THROTTLER_RATE_LIMIT_TRIGGERED,

app/forms/idv/api_document_verification_form.rb

@@ -39,7 +39,7 @@ def submit
 
     def remaining_attempts
       return unless document_capture_session
-      Throttler::RemainingCount.call(document_capture_session.user_id, :idv_acuant)
+      throttle.remaining_count
     end
 
     def liveness_checking_enabled?
@@ -95,9 +95,13 @@ def throttle_if_rate_limited
 
     def throttled_else_increment
       return unless document_capture_session
-      @throttled = Throttler::IsThrottledElseIncrement.call(
-        document_capture_session.user_id,
-        :idv_acuant,
+      @throttled = throttle.throttled_else_increment?
+    end
+
+    def throttle
+      @throttle ||= Throttle.for(
+        user: document_capture_session.user,
+        throttle_type: :idv_acuant,
       )
     end
 

app/forms/idv/api_document_verification_status_form.rb

@@ -23,7 +23,10 @@ def submit
 
     def remaining_attempts
       return unless @document_capture_session
-      Throttler::RemainingCount.call(@document_capture_session.user_id, :idv_acuant)
+      Throttle.for(
+        user: @document_capture_session.user,
+        throttle_type: :idv_acuant,
+      ).remaining_count
     end
 
     def timeout_error

app/forms/idv/api_image_upload_form.rb

@@ -45,10 +45,7 @@ def submit
 
     def throttled_else_increment
       return unless document_capture_session
-      @throttled = Throttler::IsThrottledElseIncrement.call(
-        document_capture_session.user_id,
-        :idv_acuant,
-      )
+      @throttled = throttle.throttled_else_increment?
     end
 
     def validate_form
@@ -104,7 +101,7 @@ def extra_attributes
 
     def remaining_attempts
       return nil unless document_capture_session
-      Throttler::RemainingCount.call(document_capture_session.user_id, :idv_acuant)
+      throttle.remaining_count
     end
 
     def determine_response(form_response:, client_response:, doc_pii_response:)
@@ -247,5 +244,12 @@ def user_id
     def user_uuid
       document_capture_session&.user&.uuid
     end
+
+    def throttle
+      @throttle ||= Throttle.for(
+        user: document_capture_session.user,
+        throttle_type: :idv_acuant,
+      )
+    end
   end
 end

app/forms/register_user_email_form.rb

@@ -133,7 +133,8 @@ def process_errors(request_id)
   end
 
   def send_sign_up_unconfirmed_email(request_id)
-    @throttled = Throttler::IsThrottledElseIncrement.call(existing_user.id, :reg_unconfirmed_email)
+    throttler = Throttle.for(user: existing_user, throttle_type: :reg_unconfirmed_email)
+    @throttled = throttler.throttled_else_increment?
 
     if @throttled
       @analytics.track_event(
@@ -146,7 +147,8 @@ def send_sign_up_unconfirmed_email(request_id)
   end
 
   def send_sign_up_confirmed_email
-    @throttled = Throttler::IsThrottledElseIncrement.call(existing_user.id, :reg_confirmed_email)
+    throttler = Throttle.for(user: existing_user, throttle_type: :reg_confirmed_email)
+    @throttled = throttler.throttled_else_increment?
 
     if @throttled
       @analytics.track_event(

app/jobs/document_proofing_job.rb

@@ -67,10 +67,7 @@ def perform(
       pii: proofer_result.pii_from_doc,
     )
 
-    remaining_attempts = Throttler::RemainingCount.call(
-      user.id,
-      :idv_acuant,
-    )
+    remaining_attempts = Throttle.for(user: user, throttle_type: :idv_acuant).remaining_count
 
     analytics.track_event(
       Analytics::IDV_DOC_AUTH_SUBMITTED_IMAGE_UPLOAD_VENDOR,

app/models/throttle.rb

@@ -1,6 +1,7 @@
 class Throttle < ApplicationRecord
   belongs_to :user
-  validates :user_id, presence: true
+  validates :user_id, presence: true, unless: :target?
+  validates :target, presence: true, unless: :user_id?
 
   enum throttle_type: {
     idv_acuant: 1,
@@ -48,10 +49,49 @@ class Throttle < ApplicationRecord
     },
   }.freeze
 
+  # Either target or user must be supplied
+  # @param [Symbol] throttle_type
+  # @param [String] target
+  # @param [User] user
+  # @return [Throttle]
+  def self.for(throttle_type:, user: nil, target: nil)
+    throttle = if user
+      find_or_create_by(user: user, throttle_type: throttle_type)
+    elsif target
+      find_or_create_by(target: target, throttle_type: throttle_type)
+    else
+      raise 'Throttle must have a user or a target, but neither were provided'
+    end
+
+    throttle.reset_if_expired_and_maxed
+    throttle
+  end
+
+  # @return [Integer]
+  def increment
+    return attempts if maxed?
+    update(attempts: attempts + 1, attempted_at: Time.zone.now)
+    attempts
+  end
+
   def throttled?
     !expired? && maxed?
   end
 
+  def throttled_else_increment?
+    if throttled?
+      true
+    else
+      update(attempts: attempts + 1, attempted_at: Time.zone.now)
+      false
+    end
+  end
+
+  def reset
+    update(attempts: 0)
+    self
+  end
+
   def remaining_count
     return 0 if throttled?
     max_attempts, _attempt_window_in_minutes = Throttle.config_values(throttle_type)
@@ -73,4 +113,10 @@ def self.config_values(throttle_type)
     config = THROTTLE_CONFIG.with_indifferent_access[throttle_type]
     [config[:max_attempts], config[:attempt_window]]
   end
+
+  # @api private
+  def reset_if_expired_and_maxed
+    return unless expired? && maxed?
+    update(attempts: 0, throttled_count: throttled_count.to_i + 1)
+  end
 end

app/services/idv/actions/verify_document_status_action.rb

@@ -97,7 +97,10 @@ def async_state
 
       def remaining_attempts
         return nil unless verify_document_capture_session
-        Throttler::RemainingCount.call(verify_document_capture_session.user_id, :idv_acuant)
+        Throttle.for(
+          user: verify_document_capture_session.user,
+          throttle_type: :idv_acuant,
+        ).remaining_count
       end
 
       def timed_out

app/services/idv/steps/doc_auth_base_step.rb

@@ -8,15 +8,18 @@ def initialize(flow)
       private
 
       def idv_throttle_params
-        [current_user.id, :idv_resolution]
+        {
+          user: current_user,
+          throttle_type: :idv_resolution,
+        }
       end
 
       def attempter_increment
-        Throttler::Increment.call(*idv_throttle_params)
+        Throttle.for(**idv_throttle_params).increment
       end
 
       def attempter_throttled?
-        Throttler::IsThrottled.call(*idv_throttle_params)
+        Throttle.for(**idv_throttle_params).throttled?
       end
 
       def idv_failure(result)
@@ -87,7 +90,10 @@ def throttled_url
       end
 
       def throttled_else_increment
-        Throttler::IsThrottledElseIncrement.call(user_id, :idv_acuant)
+        Throttle.for(
+          target: user_id,
+          throttle_type: :idv_acuant,
+        ).throttled_else_increment?
       end
 
       def user_id

app/services/idv/steps/send_link_step.rb

@@ -53,7 +53,10 @@ def link(session_uuid)
       end
 
       def throttled_else_increment
-        Throttler::IsThrottledElseIncrement.call(user_id, :idv_send_link)
+        Throttle.for(
+          user: current_user,
+          throttle_type: :idv_send_link,
+        ).throttled_else_increment?
       end
     end
   end

app/services/request_password_reset.rb

@@ -16,8 +16,7 @@ def perform
   private
 
   def send_reset_password_instructions
-    throttled = Throttler::IsThrottledElseIncrement.call(user.id, :reset_password_email)
-    if throttled
+    if Throttle.for(user: user, throttle_type: :reset_password_email).throttled_else_increment?
       analytics.track_event(
         Analytics::THROTTLER_RATE_LIMIT_TRIGGERED,
         throttle_type: :reset_password_email,