Auth and Rate Limiting

Author: BenjaminMichaelis

EssentialCSharp.Web/Controllers/ChatController.cs

@@ -1,20 +1,27 @@
 using System.Text.Json;
 using EssentialCSharp.Chat.Common.Services;
+using EssentialCSharp.Web.Services;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.RateLimiting;
 
 namespace EssentialCSharp.Web.Controllers;
 
 [ApiController]
 [Route("api/[controller]")]
+[Authorize] // Require authentication for all chat endpoints
+[EnableRateLimiting("ChatEndpoint")]
 public class ChatController : ControllerBase
 {
     private readonly AIChatService _AiChatService;
     private readonly ILogger<ChatController> _Logger;
+    private readonly ICaptchaService _CaptchaService;
 
-    public ChatController(ILogger<ChatController> logger, AIChatService aiChatService)
+    public ChatController(ILogger<ChatController> logger, AIChatService aiChatService, ICaptchaService captchaService)
     {
         _AiChatService = aiChatService;
         _Logger = logger;
+        _CaptchaService = captchaService;
     }
 
     [HttpPost("message")]
@@ -32,17 +39,22 @@ public async Task<IActionResult> SendMessage([FromBody] ChatMessageRequest reque
                 return BadRequest(new { error = "Message cannot be empty." });
             }
 
-            // TODO: Add user authentication check here when implementing auth
-            // if (!User.Identity.IsAuthenticated)
-            // {
-            //     return Unauthorized(new { error = "User must be logged in to use chat." });
-            // }
-
-            // TODO: Add captcha verification here when implementing captcha
-            // if (!await _captchaService.VerifyAsync(request.CaptchaResponse))
-            // {
-            //     return BadRequest(new { error = "Captcha verification failed." });
-            // }
+            // Require user authentication for chat
+            if (!User.Identity?.IsAuthenticated ?? true)
+            {
+                return Unauthorized(new { error = "User must be logged in to use chat." });
+            }
+            // For now, we rely on ASP.NET Core Rate Limiting for protection
+            // Future enhancement: Add captcha verification after X number of requests
+            var captchaResult = await _CaptchaService.VerifyAsync(request.CaptchaResponse);
+            if (captchaResult == null || !captchaResult.Success)
+            {
+                return BadRequest(new
+                {
+                    error = "Captcha verification failed. Please try again.",
+                    requiresCaptcha = true
+                });
+            }
 
             var (response, responseId) = await _AiChatService.GetChatCompletion(
                 prompt: request.Message,
@@ -88,8 +100,26 @@ public async Task StreamMessage([FromBody] ChatMessageRequest request, Cancellat
                 return;
             }
 
-            // TODO: Add user authentication check here when implementing auth
-            // TODO: Add captcha verification here when implementing captcha
+            // Require user authentication for chat
+            if (!User.Identity?.IsAuthenticated ?? true)
+            {
+                Response.StatusCode = 401;
+                await Response.WriteAsync(JsonSerializer.Serialize(new { error = "User must be logged in to use chat." }), cancellationToken);
+                return;
+            }
+            // For now, we rely on ASP.NET Core Rate Limiting for protection
+            // Future enhancement: Add captcha verification after X number of requests
+            var captchaResult = await _CaptchaService.VerifyAsync(request.CaptchaResponse);
+            if (captchaResult == null || !captchaResult.Success)
+            {
+                Response.StatusCode = 400;
+                await Response.WriteAsync(JsonSerializer.Serialize(new
+                {
+                    error = "Captcha verification failed. Please try again.",
+                    requiresCaptcha = true
+                }), cancellationToken);
+                return;
+            }
 
             Response.ContentType = "text/event-stream";
             Response.Headers["Cache-Control"] = "no-cache";

EssentialCSharp.Web/Program.cs

@@ -1,3 +1,4 @@
+using System.Threading.RateLimiting;
 using Azure.Monitor.OpenTelemetry.AspNetCore;
 using EssentialCSharp.Web.Areas.Identity.Data;
 using EssentialCSharp.Web.Areas.Identity.Services.PasswordValidators;
@@ -10,6 +11,7 @@
 using Microsoft.AspNetCore.HttpOverrides;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Identity.UI.Services;
+using Microsoft.AspNetCore.RateLimiting;
 using Microsoft.EntityFrameworkCore;
 
 namespace EssentialCSharp.Web;
@@ -162,6 +164,81 @@ private static void Main(string[] args)
             logger.LogWarning(ex, "AI Chat services could not be registered. Chat functionality will be unavailable.");
         }
 
+        // Add Rate Limiting for API endpoints
+        builder.Services.AddRateLimiter(options =>
+        {
+            // Global rate limiter for authenticated users by username, anonymous by IP
+            options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(httpContext =>
+            {
+                var partitionKey = httpContext.User.Identity?.IsAuthenticated == true
+                    ? httpContext.User.Identity.Name ?? "unknown-user"
+                    : httpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown-ip";
+
+                return RateLimitPartition.GetFixedWindowLimiter(
+                    partitionKey: partitionKey,
+                    factory: _ => new FixedWindowRateLimiterOptions
+                    {
+                        PermitLimit = 30, // requests per window
+                        Window = TimeSpan.FromMinutes(1), // 1 minute window
+                        QueueProcessingOrder = QueueProcessingOrder.OldestFirst,
+                        QueueLimit = 0 // No queuing - immediate rejection for better UX
+                    });
+            });
+
+            options.AddFixedWindowLimiter("ChatEndpoint", rateLimiterOptions =>
+            {
+                rateLimiterOptions.PermitLimit = 15; // chat messages per window (reasonable limit)
+                rateLimiterOptions.Window = TimeSpan.FromMinutes(1); // minute window
+                rateLimiterOptions.QueueProcessingOrder = QueueProcessingOrder.OldestFirst;
+                rateLimiterOptions.QueueLimit = 0; // No queuing to make rate limiting immediate
+            });
+
+            options.AddFixedWindowLimiter("Anonymous", rateLimiterOptions =>
+            {
+                rateLimiterOptions.PermitLimit = 5; // requests per window for anonymous users
+                rateLimiterOptions.Window = TimeSpan.FromMinutes(1);
+                rateLimiterOptions.QueueProcessingOrder = QueueProcessingOrder.OldestFirst;
+                rateLimiterOptions.QueueLimit = 0; // No queuing for anonymous users
+            });
+
+            // Custom response when rate limit is exceeded
+            options.OnRejected = async (context, cancellationToken) =>
+            {
+                context.HttpContext.Response.StatusCode = StatusCodes.Status429TooManyRequests;
+                context.HttpContext.Response.Headers.RetryAfter = "60";
+                if (context.HttpContext.Request.Path.StartsWithSegments("/api/chat"))
+                {
+                    // Custom rejection handling logic
+                    context.HttpContext.Response.ContentType = "application/json";
+
+                    var errorResponse = new
+                    {
+                        error = "Rate limit exceeded. Please wait before sending another message.",
+                        retryAfter = 60,
+                        requiresCaptcha = true,
+                        statusCode = 429
+                    };
+
+                    await context.HttpContext.Response.WriteAsync(
+                        System.Text.Json.JsonSerializer.Serialize(errorResponse),
+                        cancellationToken);
+
+                    // Optional logging
+                    logger.LogWarning("Rate limit exceeded for user: {User}, IP: {IpAddress}",
+                            context.HttpContext.User.Identity?.Name ?? "anonymous",
+                            context.HttpContext.Connection.RemoteIpAddress);
+                    return;
+                }
+
+                await context.HttpContext.Response.WriteAsync("Rate limit exceeded. Please try again later.", cancellationToken);
+
+                // Optional logging
+                logger.LogWarning("Rate limit exceeded for user: {User}, IP: {IpAddress}",
+                        context.HttpContext.User.Identity?.Name ?? "anonymous",
+                        context.HttpContext.Connection.RemoteIpAddress);
+            };
+        });
+
         if (!builder.Environment.IsDevelopment())
         {
             builder.Services.AddHttpClient<IMailjetClient, MailjetClient>(client =>
@@ -220,10 +297,14 @@ private static void Main(string[] args)
 
         app.UseAuthentication();
         app.UseAuthorization();
+
+        // Enable rate limiting middleware (must be after UseAuthentication)
+        app.UseRateLimiter();
+
         app.UseMiddleware<ReferralMiddleware>();
 
         app.MapRazorPages();
-        app.MapDefaultControllerRoute();
+        app.MapDefaultControllerRoute().RequireRateLimiting("ChatEndpoint"); // Apply rate limiting to controllers
 
         app.MapFallbackToController("Index", "Home");
 

EssentialCSharp.Web/Services/CaptchaService.cs

@@ -24,8 +24,12 @@ public class CaptchaService(IHttpClientFactory clientFactory, IOptions<CaptchaOp
         return await PostVerification(postData);
     }
 
-    public async Task<HCaptchaResult?> VerifyAsync(string response)
+    public async Task<HCaptchaResult?> VerifyAsync(string? response)
     {
+        if (string.IsNullOrWhiteSpace(response))
+        {
+            return null;
+        }
         string secret = Options.SecretKey ?? throw new InvalidOperationException($"{CaptchaOptions.CaptchaSender} {nameof(Options.SecretKey)} is unexpectedly null");
         string sitekey = Options.SiteKey ?? throw new InvalidOperationException($"{CaptchaOptions.CaptchaSender} {nameof(Options.SiteKey)} is unexpectedly null");
 

EssentialCSharp.Web/Services/ICaptchaService.cs

@@ -5,5 +5,5 @@ namespace EssentialCSharp.Web.Services;
 public interface ICaptchaService
 {
     Task<HCaptchaResult?> VerifyAsync(string secret, string response, string sitekey);
-    Task<HCaptchaResult?> VerifyAsync(string response);
+    Task<HCaptchaResult?> VerifyAsync(string? response);
 }