Configure middleware position in Rails

README.md

@@ -79,6 +79,21 @@ You can disable it permanently (like for specific environment) or temporarily (c
 Rack::Attack.enabled = false
 ```
 
+You can also tweak its position in the Rack middleware stack.
+
+```ruby
+# in config/application.rb
+
+# by index
+config.rack_attack.middleware_position = 0
+
+# relative to another middleware
+config.rack_attack.middleware_position = {
+  before: AnotherMiddleware, # optional
+  after: YetAnotherMiddleware # optional
+} 
+```
+
 b) For __rack__ applications:
 
 ```ruby

lib/rack/attack.rb

@@ -13,8 +13,6 @@
 require 'rack/attack/store_proxy/redis_cache_store_proxy'
 require 'rack/attack/store_proxy/active_support_redis_store_proxy'
 
-require 'rack/attack/railtie' if defined?(::Rails)
-
 module Rack
   class Attack
     class Error < StandardError; end
@@ -129,3 +127,5 @@ def call(env)
     end
   end
 end
+
+require 'rack/attack/railtie' if defined?(::Rails)

lib/rack/attack/configuration.rb

@@ -20,7 +20,8 @@ class Configuration
       end
 
       attr_reader :safelists, :blocklists, :throttles, :anonymous_blocklists, :anonymous_safelists
-      attr_accessor :blocklisted_callback, :throttled_callback, :throttled_response_retry_after_header
+      attr_accessor :blocklisted_callback, :middleware_position, :throttled_callback,
+                    :throttled_response_retry_after_header
 
       attr_reader :blocklisted_response, :throttled_response # Keeping these for backwards compatibility
 

lib/rack/attack/railtie.rb

@@ -3,8 +3,32 @@
 module Rack
   class Attack
     class Railtie < ::Rails::Railtie
+      # Initialize rack-attack own configuration object in application config
+      config.rack_attack = Rack::Attack.configuration
+
+      # Set Rack middleware position. By default it is unset.
+      config.rack_attack.middleware_position = nil
+
       initializer "rack-attack.middleware" do |app|
-        app.middleware.use(Rack::Attack)
+        insert_middleware_at(app, app.config.rack_attack.middleware_position)
+      end
+
+      private
+
+      def insert_middleware_at(app, position)
+        if position.nil?
+          app.middleware.use(Rack::Attack)
+        elsif position.is_a?(Integer)
+          app.middleware.insert_before(position, Rack::Attack)
+        elsif position.is_a?(Hash)
+          app.middleware.insert_before(position[:before], Rack::Attack) if position.key?(:before)
+          app.middleware.insert_after(position[:after], Rack::Attack) if position.key?(:after)
+        else
+          raise <<~ERROR
+            The middleware position you have set is invalid. Please be sure
+            `config.rack_attack.middleware_position` is set up correctly.
+          ERROR
+        end
       end
     end
   end

spec/acceptance/rails_middleware_spec.rb

@@ -12,9 +12,45 @@
       end
     end
 
-    it "is used by default" do
+    it "is placed at the end by default" do
       @app.initialize!
-      assert @app.middleware.include?(Rack::Attack)
+
+      assert @app.middleware.last == Rack::Attack
+    end
+
+    it "is placed at a specific index when the configured position is an integer" do
+      old_config = @app.config.rack_attack.clone
+      @app.config.rack_attack.middleware_position = 0
+
+      @app.initialize!
+
+      assert @app.middleware[0] == Rack::Attack
+
+      @app.config.rack_attack = old_config
+    end
+
+    it "is placed before a specific middleware when configured with :before" do
+      old_config = @app.config.rack_attack.clone
+      @app.config.rack_attack.middleware_position = { before: Rack::Runtime }
+
+      @app.initialize!
+
+      middlewares = @app.middleware.middlewares
+      assert middlewares.index(Rack::Attack) == middlewares.index(Rack::Runtime) - 1
+
+      @app.config.rack_attack = old_config
+    end
+
+    it "is placed after a specific middleware when configured with :after" do
+      old_config = @app.config.rack_attack.clone
+      @app.config.rack_attack.middleware_position = { after: Rack::Runtime }
+
+      @app.initialize!
+
+      middlewares = @app.middleware.middlewares
+      assert middlewares.index(Rack::Attack) == middlewares.index(Rack::Runtime) + 1
+
+      @app.config.rack_attack = old_config
     end
   end
 end