From e9c0b6a703f0d6a17c9f575285a6c2ae7f5135f2 Mon Sep 17 00:00:00 2001
From: Pete Matsyburka
Date: Mon, 27 Apr 2026 10:12:46 +0300
Subject: [PATCH] rate limit

---
 app/controllers/reveal_access_token_controller.rb | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/app/controllers/reveal_access_token_controller.rb b/app/controllers/reveal_access_token_controller.rb
index c8959afd..eef24b50 100644
--- a/app/controllers/reveal_access_token_controller.rb
+++ b/app/controllers/reveal_access_token_controller.rb
@@ -1,6 +1,14 @@
 # frozen_string_literal: true
 
 class RevealAccessTokenController < ApplicationController
+ rate_limit to: 4, within: 1.minute, only: %i[create], by: -> { current_user.id }, with: lambda {
+ Rollbar.error('Rate limit api key') if defined?(Rollbar)
+
+ render turbo_stream: turbo_stream.replace(:modal, template: 'reveal_access_token/show',
+ locals: { error_message: I18n.t(:too_many_attempts) }),
+ status: :unprocessable_content
+ }
+
 def show
 authorize!(:manage, current_user.access_token)
 end
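Review bot: The `rate_limit` macro added at the top of `RevealAccessTokenController` passes no `store:`, so the counter lives in the controller's default cache store (normally `Rails.cache`). On a deployment with a per-process memory store the real ceiling becomes 4 per worker, and with a null store the limit never trips. Because `create` (outside this hunk) presumably checks a credential before revealing the API token, I would pin the limiter to a shared store, e.g. `store: SHARED_RATE_LIMIT_STORE` (placeholder name), or state the cache requirement in a comment above the macro. A single one-minute window also still permits several thousand attempts per day from one session, so a longer-window limit or a lockout after repeated failures would be a useful second layer. Finally, `by: -> { current_user.id }` relies on authentication having already run in `ApplicationController`; if a request can reach this callback unauthenticated, the lambda raises on nil instead of throttling.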