96 lines
3.5 KiB
PHP
96 lines
3.5 KiB
PHP
<?php
|
|
|
|
namespace App\Filters;
|
|
|
|
use CodeIgniter\Filters\FilterInterface;
|
|
use CodeIgniter\HTTP\RequestInterface;
|
|
use CodeIgniter\HTTP\ResponseInterface;
|
|
|
|
class ThrottleFilter implements FilterInterface
|
|
{
|
|
/**
|
|
* Rate limit configuration
|
|
* Production: 10 requests per minute
|
|
* Development: 30 requests per minute (still active for security testing)
|
|
*/
|
|
protected function getRateLimit(): int
|
|
{
|
|
return ENVIRONMENT === 'production' ? 10 : 30;
|
|
}
|
|
|
|
protected function getWindowSeconds(): int
|
|
{
|
|
return 60; // 1 minute window
|
|
}
|
|
|
|
/**
|
|
* Do whatever processing this filter needs to do.
|
|
*/
|
|
public function before(RequestInterface $request, $arguments = null)
|
|
{
|
|
// Only throttle POST requests to login
|
|
if (strtolower($request->getMethod()) !== 'post') {
|
|
return;
|
|
}
|
|
|
|
$ipAddress = $request->getIPAddress();
|
|
$cache = \Config\Services::cache();
|
|
|
|
// Use a more specific key for login endpoint
|
|
$path = $request->getUri()->getPath();
|
|
$key = 'throttle_login_' . md5($ipAddress . '_' . $path);
|
|
|
|
$current = $cache->get($key);
|
|
|
|
// Log for debugging
|
|
log_message('debug', "Throttle check - IP: {$ipAddress}, Path: {$path}, Current: " . ($current ?? 'null') . ", Limit: {$this->getRateLimit()}");
|
|
|
|
if ($current === null) {
|
|
// First request - initialize counter
|
|
$cache->save($key, 1, $this->getWindowSeconds());
|
|
log_message('debug', "Throttle initialized for IP: {$ipAddress}");
|
|
return;
|
|
}
|
|
|
|
// Increment counter
|
|
$newCount = $current + 1;
|
|
$cache->save($key, $newCount, $this->getWindowSeconds());
|
|
|
|
log_message('debug', "Throttle incremented - IP: {$ipAddress}, Count: {$newCount}, Limit: {$this->getRateLimit()}");
|
|
|
|
// Check if limit exceeded (use >= instead of > to be more strict)
|
|
if ($newCount >= $this->getRateLimit()) {
|
|
log_message('warning', "Rate limit exceeded for IP: {$ipAddress} on path: {$path} - Count: {$newCount}, Limit: {$this->getRateLimit()}");
|
|
|
|
// Create response with 429 status
|
|
$response = service('response');
|
|
$response->setStatusCode(429);
|
|
$response->setBody('Too Many Requests. Please try again later.');
|
|
$response->setHeader('Retry-After', (string) $this->getWindowSeconds());
|
|
$response->setHeader('X-RateLimit-Limit', (string) $this->getRateLimit());
|
|
$response->setHeader('X-RateLimit-Remaining', '0');
|
|
$response->setHeader('X-RateLimit-Reset', (string) (time() + $this->getWindowSeconds()));
|
|
$response->setHeader('Content-Type', 'text/plain; charset=utf-8');
|
|
$response->setHeader('Cache-Control', 'no-cache, no-store, must-revalidate');
|
|
|
|
return $response;
|
|
}
|
|
|
|
// Set rate limit headers for successful requests
|
|
$remaining = max(0, $this->getRateLimit() - $newCount);
|
|
$response = service('response');
|
|
$response->setHeader('X-RateLimit-Limit', (string) $this->getRateLimit());
|
|
$response->setHeader('X-RateLimit-Remaining', (string) $remaining);
|
|
$response->setHeader('X-RateLimit-Reset', (string) (time() + $this->getWindowSeconds()));
|
|
}
|
|
|
|
/**
|
|
* Allows After filters to inspect and modify the response
|
|
*/
|
|
public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
|
|
{
|
|
// No action needed after request
|
|
}
|
|
}
|
|
|