Merge pull request #191 from Josue19-08/feat/rate-limiting

Implement Rate Limiting

Author: Dario0731

contracts/course/course_registry/src/error.rs

@@ -55,6 +55,9 @@ pub enum Error {
     InvalidPrice100 = 54,
     AlreadyInitialized = 55,
     DuplicatePrerequisite = 56,
+    // Rate limiting errors
+    CourseRateLimitExceeded = 57,
+    CourseRateLimitNotConfigured = 58,
 }
 
 pub fn handle_error(env: &Env, error: Error) -> ! {

contracts/course/course_registry/src/functions/access_control.rs

@@ -5,6 +5,7 @@ use soroban_sdk::{symbol_short, Address, Env, String, Symbol, IntoVal};
 
 use crate::error::{handle_error, Error};
 use crate::schema::Course;
+use super::course_rate_limit_utils::initialize_course_rate_limit_config;
 
 const COURSE_KEY: Symbol = symbol_short!("course");
 
@@ -67,6 +68,10 @@ pub fn initialize(env: &Env, owner: &Address, user_mgmt_addr: &Address) {
     env.storage()
         .instance()
         .set(&(KEY_USER_MGMT_ADDR,), user_mgmt_addr);
+    
+    // Initialize rate limiting configuration
+    initialize_course_rate_limit_config(env);
+    
     env.events()
         .publish((INIT_ACCESS_CONTROL_EVENT,), (owner, user_mgmt_addr));
 }

contracts/course/course_registry/src/functions/course_rate_limit_utils.rs

@@ -0,0 +1,113 @@
+// SPDX-License-Identifier: MIT
+// Copyright (c) 2025 SkillCert
+
+use crate::error::{handle_error, Error};
+use crate::schema::{DataKey, CourseRateLimitData, CourseRateLimitConfig, DEFAULT_COURSE_RATE_LIMIT_WINDOW, DEFAULT_MAX_COURSE_CREATIONS_PER_WINDOW};
+use soroban_sdk::{Address, Env};
+
+/// Check if the user has exceeded the rate limit for course creation operations.
+///
+/// This function validates if the caller can perform a course creation operation
+/// based on the configured rate limiting rules.
+///
+/// # Arguments
+/// * `env` - The Soroban environment
+/// * `creator` - The address attempting to create a course
+///
+/// # Panics
+/// * If rate limit is exceeded
+/// * If rate limit configuration is not found
+pub fn check_course_creation_rate_limit(env: &Env, creator: &Address) {
+    // Get rate limit configuration
+    let config_key = DataKey::CourseRateLimitConfig;
+    let rate_config = match env
+        .storage()
+        .persistent()
+        .get::<DataKey, CourseRateLimitConfig>(&config_key)
+    {
+        Some(config) => config,
+        None => {
+            // If no configuration exists, use default
+            get_default_course_rate_limit_config()
+        }
+    };
+
+    let current_time = env.ledger().timestamp();
+    let rate_limit_key = DataKey::CourseRateLimit(creator.clone());
+    
+    // Get existing rate limit data or create new one
+    let mut rate_data = match env
+        .storage()
+        .persistent()
+        .get::<DataKey, CourseRateLimitData>(&rate_limit_key)
+    {
+        Some(data) => data,
+        None => CourseRateLimitData {
+            count: 0,
+            window_start: current_time,
+        }
+    };
+
+    // Check if we need to reset the window
+    if current_time >= rate_data.window_start + rate_config.window_seconds {
+        // Reset the window
+        rate_data.count = 0;
+        rate_data.window_start = current_time;
+    }
+
+    // Check if user has exceeded the rate limit
+    if rate_data.count >= rate_config.max_courses_per_window {
+        handle_error(env, Error::CourseRateLimitExceeded);
+    }
+
+    // Increment the count and save
+    rate_data.count += 1;
+    env.storage()
+        .persistent()
+        .set(&rate_limit_key, &rate_data);
+}
+
+/// Get the default rate limiting configuration for course operations.
+///
+/// This function returns the default rate limiting settings that can be
+/// used when initializing the system or when no custom configuration is set.
+pub fn get_default_course_rate_limit_config() -> CourseRateLimitConfig {
+    CourseRateLimitConfig {
+        window_seconds: DEFAULT_COURSE_RATE_LIMIT_WINDOW,
+        max_courses_per_window: DEFAULT_MAX_COURSE_CREATIONS_PER_WINDOW,
+    }
+}
+
+/// Initialize the default rate limiting configuration for course operations.
+///
+/// This function should be called during system initialization to set up
+/// the default rate limiting configuration.
+///
+/// # Arguments
+/// * `env` - The Soroban environment
+pub fn initialize_course_rate_limit_config(env: &Env) {
+    let config_key = DataKey::CourseRateLimitConfig;
+    
+    // Only initialize if not already set
+    if !env.storage().persistent().has(&config_key) {
+        let default_config = get_default_course_rate_limit_config();
+        env.storage()
+            .persistent()
+            .set(&config_key, &default_config);
+    }
+}
+
+/// Update the course rate limiting configuration.
+///
+/// This function allows administrators to modify the rate limiting settings.
+///
+/// # Arguments
+/// * `env` - The Soroban environment
+/// * `new_config` - The new rate limiting configuration
+pub fn update_course_rate_limit_config(env: &Env, new_config: CourseRateLimitConfig) {
+    let config_key = DataKey::CourseRateLimitConfig;
+    env.storage()
+        .persistent()
+        .set(&config_key, &new_config);
+}
+

contracts/course/course_registry/src/functions/create_course.rs

@@ -1,11 +1,11 @@
 // SPDX-License-Identifier: MIT
 // Copyright (c) 2025 SkillCert
 
+use super::utils::{to_lowercase, trim, u32_to_string};
+use super::course_rate_limit_utils::check_course_creation_rate_limit;
 use soroban_sdk::{symbol_short, Address, Env, String, Symbol, Vec};
-
 use crate::error::{handle_error, Error};
 use crate::schema::{Course, CourseLevel};
-use crate::functions::utils::{to_lowercase, trim, u32_to_string};
 
 const COURSE_KEY: Symbol = symbol_short!("course");
 const TITLE_KEY: Symbol = symbol_short!("title");
@@ -28,6 +28,9 @@ pub fn create_course(
 ) -> Course {
     creator.require_auth();
 
+    // Check rate limiting before proceeding with course creation
+    check_course_creation_rate_limit(&env, &creator);
+
     // ensure the title is not empty and not just whitespace
     let trimmed_title: String = trim(&env, &title);
     if title.is_empty() || trimmed_title.is_empty() {

contracts/course/course_registry/src/functions/edit_prerequisite.rs

@@ -221,6 +221,17 @@ mod tests {
 
         let contract_id = env.register(CourseRegistry, ());
         let client = CourseRegistryClient::new(&env, &contract_id);
+        
+        // Initialize course rate limiting with permissive settings for testing
+        env.as_contract(&contract_id, || {
+            use crate::schema::{DataKey, CourseRateLimitConfig};
+            let permissive_config = CourseRateLimitConfig {
+                window_seconds: 3600,
+                max_courses_per_window: 100,
+            };
+            let config_key = DataKey::CourseRateLimitConfig;
+            env.storage().persistent().set(&config_key, &permissive_config);
+        });
 
         let creator: Address = Address::generate(&env);
         let course1 = client.create_course(
@@ -521,6 +532,17 @@ mod tests {
 
         let contract_id = env.register(CourseRegistry, ());
         let client = CourseRegistryClient::new(&env, &contract_id);
+        
+        // Initialize course rate limiting with permissive settings for testing
+        env.as_contract(&contract_id, || {
+            use crate::schema::{DataKey, CourseRateLimitConfig};
+            let permissive_config = CourseRateLimitConfig {
+                window_seconds: 3600,
+                max_courses_per_window: 100,
+            };
+            let config_key = DataKey::CourseRateLimitConfig;
+            env.storage().persistent().set(&config_key, &permissive_config);
+        });
 
         let creator: Address = Address::generate(&env);
         let course1 = client.create_course(

contracts/course/course_registry/src/functions/mod.rs

@@ -9,6 +9,7 @@ pub mod contract_versioning;
 pub mod create_course;
 pub mod create_course_category;
 pub mod create_prerequisite;
+pub mod course_rate_limit_utils;
 pub mod delete_course;
 pub mod edit_course;
 pub mod edit_goal;

contracts/course/course_registry/src/schema.rs

@@ -10,6 +10,10 @@ pub const FILTER_MIN_PRICE: u128 = 500;
 pub const MAX_SCAN_ID: u32 = 50;
 pub const MAX_EMPTY_CHECKS: u32 = 10;
 
+/// Rate limiting constants for course operations
+pub const DEFAULT_COURSE_RATE_LIMIT_WINDOW: u64 = 3600; // 1 hour in seconds
+pub const DEFAULT_MAX_COURSE_CREATIONS_PER_WINDOW: u32 = 3; // Max course creations per hour per address
+
 #[contracttype]
 #[derive(Clone, Debug, PartialEq)]
 pub struct CourseModule {
@@ -30,6 +34,30 @@ pub struct CourseGoal {
     pub created_at: u64,
 }
 
+/// Rate limiting configuration for course operations.
+///
+/// Tracks rate limiting settings for spam protection in course creation.
+#[contracttype]
+#[derive(Clone, Debug, PartialEq)]
+pub struct CourseRateLimitConfig {
+    /// Time window for rate limiting in seconds
+    pub window_seconds: u64,
+    /// Maximum course creations allowed per window
+    pub max_courses_per_window: u32,
+}
+
+/// Rate limiting tracking data for course operations per address.
+///
+/// Stores the current usage count and window start time for course rate limiting.
+#[contracttype]
+#[derive(Clone, Debug, PartialEq)]
+pub struct CourseRateLimitData {
+    /// Current count of course creations in this window
+    pub count: u32,
+    /// Timestamp when the current window started
+    pub window_start: u64,
+}
+
 #[contracttype]
 #[derive(Clone, Debug, PartialEq)]
 pub struct CourseCategory {
@@ -49,6 +77,10 @@ pub enum DataKey {
     CategorySeq,          // Sequence counter for category IDs
     CourseCategory(u128), // Course category by ID
     Admins,               // List of admin addresses
+    /// Key for storing course rate limiting configuration
+    CourseRateLimitConfig,
+    /// Key for storing course rate limiting data per address: address -> CourseRateLimitData
+    CourseRateLimit(Address),
 }
 
 #[contracttype]

contracts/course/course_registry/test_snapshots/functions/add_module/test/test_add_module_invalid_course.1.json

@@ -51,6 +51,62 @@
           4095
         ]
       ],
+      [
+        {
+          "contract_data": {
+            "contract": "CAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFCT4",
+            "key": {
+              "vec": [
+                {
+                  "symbol": "CourseRateLimitConfig"
+                }
+              ]
+            },
+            "durability": "persistent"
+          }
+        },
+        [
+          {
+            "last_modified_ledger_seq": 0,
+            "data": {
+              "contract_data": {
+                "ext": "v0",
+                "contract": "CAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFCT4",
+                "key": {
+                  "vec": [
+                    {
+                      "symbol": "CourseRateLimitConfig"
+                    }
+                  ]
+                },
+                "durability": "persistent",
+                "val": {
+                  "map": [
+                    {
+                      "key": {
+                        "symbol": "max_courses_per_window"
+                      },
+                      "val": {
+                        "u32": 3
+                      }
+                    },
+                    {
+                      "key": {
+                        "symbol": "window_seconds"
+                      },
+                      "val": {
+                        "u64": 3600
+                      }
+                    }
+                  ]
+                }
+              }
+            },
+            "ext": "v0"
+          },
+          4095
+        ]
+      ],
       [
         {
           "contract_data": {