1
0
Fork 0
mirror of synced 2024-06-02 10:54:44 +12:00

Apply rate limiting only on API calls

This commit is contained in:
eldadfux 2019-11-29 20:23:29 +02:00
parent df81e3a035
commit f41cc152a3
2 changed files with 49 additions and 43 deletions

View file

@ -12,8 +12,6 @@ use Utopia\Validator\Host;
use Utopia\Validator\Range;
use Utopia\View;
use Utopia\Exception;
use Utopia\Abuse\Abuse;
use Utopia\Abuse\Adapters\TimeLimit;
use Auth\Auth;
use Database\Document;
use Database\Validator\Authorization;
@ -55,7 +53,7 @@ $clients = array_unique(array_merge($clientsConsole, array_map(function ($node)
return false;
}))));
$utopia->init(function () use ($utopia, $request, $response, $register, &$user, $project, $roles, $webhook, $audit, $usage, $domain, $clients) {
$utopia->init(function () use ($utopia, $request, $response, &$user, $project, $roles, $webhook, $audit, $usage, $domain, $clients) {
$route = $utopia->match($request);
$referrer = $request->getServer('HTTP_REFERER', '');
@ -197,40 +195,6 @@ $utopia->init(function () use ($utopia, $request, $response, $register, &$user,
->setParam('response', 0)
->setParam('storage', 0)
;
/*
* Abuse Check
*/
$timeLimit = new TimeLimit($route->getLabel('abuse-key', 'url:{url},ip:{ip}'), $route->getLabel('abuse-limit', 0), $route->getLabel('abuse-time', 3600), function () use ($register) {
return $register->get('db');
});
$timeLimit->setNamespace('app_'.$project->getUid());
$timeLimit
->setParam('{userId}', $user->getUid())
->setParam('{userAgent}', $request->getServer('HTTP_USER_AGENT', ''))
->setParam('{ip}', $request->getIP())
->setParam('{url}', $request->getServer('HTTP_HOST', '').$route->getURL())
;
//TODO make sure we get array here
foreach ($request->getParams() as $key => $value) { // Set request params as potential abuse keys
$timeLimit->setParam('{param-'.$key.'}', (is_array($value)) ? json_encode($value) : $value);
}
$abuse = new Abuse($timeLimit);
if ($timeLimit->limit()) {
$response
->addHeader('X-RateLimit-Limit', $timeLimit->limit())
->addHeader('X-RateLimit-Remaining', $timeLimit->remaining())
->addHeader('X-RateLimit-Reset', $timeLimit->time() + $route->getLabel('abuse-time', 3600))
;
}
if ($abuse->check() && $request->getServer('_APP_OPTIONS_ABUSE', 'enabled') !== 'disabled') {
throw new Exception('Too many requests', 429);
}
});
$utopia->shutdown(function () use ($response, $request, $webhook, $audit, $usage) {

View file

@ -1,8 +1,50 @@
<?php
/*
* Created by PhpStorm.
* User: eldadfux
* Date: 11/10/2018
* Time: 18:30
*/
use Utopia\Exception;
use Utopia\Abuse\Abuse;
use Utopia\Abuse\Adapters\TimeLimit;
use Database\Database;
global $utopia, $request, $response, $register, $user, $project;
$utopia->init(function () use ($utopia, $request, $response, $register, $user, $project) {
if (is_null($project->getUid()) || Database::SYSTEM_COLLECTION_PROJECTS !== $project->getCollection()) {
throw new Exception('Missing Project UID', 400);
}
$route = $utopia->match($request);
/*
* Abuse Check
*/
$timeLimit = new TimeLimit($route->getLabel('abuse-key', 'url:{url},ip:{ip}'), $route->getLabel('abuse-limit', 0), $route->getLabel('abuse-time', 3600), function () use ($register) {
return $register->get('db');
});
$timeLimit->setNamespace('app_'.$project->getUid());
$timeLimit
->setParam('{userId}', $user->getUid())
->setParam('{userAgent}', $request->getServer('HTTP_USER_AGENT', ''))
->setParam('{ip}', $request->getIP())
->setParam('{url}', $request->getServer('HTTP_HOST', '').$route->getURL())
;
//TODO make sure we get array here
foreach ($request->getParams() as $key => $value) { // Set request params as potential abuse keys
$timeLimit->setParam('{param-'.$key.'}', (is_array($value)) ? json_encode($value) : $value);
}
$abuse = new Abuse($timeLimit);
if ($timeLimit->limit()) {
$response
->addHeader('X-RateLimit-Limit', $timeLimit->limit())
->addHeader('X-RateLimit-Remaining', $timeLimit->remaining())
->addHeader('X-RateLimit-Reset', $timeLimit->time() + $route->getLabel('abuse-time', 3600))
;
}
if ($abuse->check() && $request->getServer('_APP_OPTIONS_ABUSE', 'enabled') !== 'disabled') {
throw new Exception('Too many requests', 429);
}
});