Merge pull request #9 from baoduy/copilot/fix-8

baoduy · web-flow · commit c8c5fd14ef5a · 2025-06-24T17:12:08.000+08:00
Implement RateLimit feature for SlimBus.Api project
diff --git a/z_Templates/SlimBus.ApiEndpoints/SlimBus.Api/Configs/AppConfig.cs b/z_Templates/SlimBus.ApiEndpoints/SlimBus.Api/Configs/AppConfig.cs
@@ -1,6 +1,7 @@
 ﻿using SlimBus.Api.Configs.Auth;
 using SlimBus.Api.Configs.GlobalExceptions;
 using SlimBus.Api.Configs.Idempotency;
+using SlimBus.Api.Configs.RateLimits;
 using SlimBus.Api.Configs.Swagger;
 
 namespace SlimBus.Api.Configs;
@@ -23,6 +24,9 @@ public static IServiceCollection AddAppConfig(this IServiceCollection services,
         if (features.EnableHttps)
             services.AddHttpsConfig();
 
+        if (features.EnableRateLimit)
+            services.AddRateLimitConfig();
+
         services.AddHttpContextAccessor()
             .AddFeatureManagement();
 
@@ -41,6 +45,7 @@ public static Task UseAppConfig(this WebApplication app, Action<WebApplication>?
     {
         app.UseAntiforgeryConfig()
             .UseCrosConfig()
+            .UseRateLimitConfig()
             .UseHttpsConfig()
             .UseHealthzConfig();
 
diff --git a/z_Templates/SlimBus.ApiEndpoints/SlimBus.Api/Configs/README.md b/z_Templates/SlimBus.ApiEndpoints/SlimBus.Api/Configs/README.md
@@ -118,6 +118,14 @@ The configuration system is organized into focused modules, each handling a dist
 - Distributed and memory cache setup.
 - Cache profile management.
 
+#### Rate Limiting (`RateLimits/`)
+
+- Client IP and JWT-based rate limiting.
+- Configurable request limits and time windows.
+- Support for forwarded headers (X-Forwarded-For, X-Real-IP).
+- Automatic user identity extraction from JWT tokens.
+- Feature flag controlled via `FeatureOptions.EnableRateLimit`.
+
 ---
 
 ## Implementation Examples
@@ -129,6 +137,25 @@ services.AddAntiforgeryConfig(cookieName: "x-csrf-cookie", headerName: "x-csrf-h
 app.UseAntiforgeryConfig();
 ```
 
+**Rate Limiting**
+
+```csharp
+// Enable in FeatureOptions
+services.Configure<FeatureOptions>(options => options.EnableRateLimit = true);
+
+// Custom configuration (optional)
+services.AddRateLimitConfig(options => {
+    options.DefaultRequestLimit = 5;
+    options.TimeWindowInSeconds = 1;
+});
+
+// Apply to specific endpoints
+app.MapPost("/api/resource", handler).RequireRateLimit();
+
+// Apply to route groups
+var apiGroup = app.MapGroup("/api").RequireRateLimit();
+```
+
 **Idempotency**
 
 ```csharp
diff --git a/z_Templates/SlimBus.ApiEndpoints/SlimBus.Api/Configs/RateLimits/RateLimitConfig.cs b/z_Templates/SlimBus.ApiEndpoints/SlimBus.Api/Configs/RateLimits/RateLimitConfig.cs
@@ -0,0 +1,105 @@
+using System.Diagnostics.CodeAnalysis;
+using System.Threading.RateLimiting;
+using Microsoft.AspNetCore.RateLimiting;
+using Microsoft.Extensions.Options;
+
+namespace SlimBus.Api.Configs.RateLimits;
+
+/// <summary>
+/// Rate limiting configuration for SlimBus API
+/// </summary>
+[ExcludeFromCodeCoverage]
+internal static class RateLimitConfig
+{
+    private static bool _configAdded;
+    private const string DefaultPolicyName = "DefaultRateLimit";
+
+    /// <summary>
+    /// Adds rate limiting services to the service collection
+    /// </summary>
+    /// <param name="services">The service collection to configure</param>
+    /// <param name="configAction">Optional configuration action for rate limit options</param>
+    /// <returns>The service collection with rate limiting configured</returns>
+    public static IServiceCollection AddRateLimitConfig(this IServiceCollection services, Action<RateLimitOptions>? configAction = null)
+    {
+        var options = new RateLimitOptions();
+        configAction?.Invoke(options);
+
+        services.AddSingleton(Options.Create(options));
+        services.AddSingleton<RateLimitPolicyProvider>();
+
+        services.AddRateLimiter(rateLimiterOptions =>
+        {
+            rateLimiterOptions.AddPolicy(DefaultPolicyName, httpContext =>
+            {
+                var policyProvider = httpContext.RequestServices.GetRequiredService<RateLimitPolicyProvider>();
+                return RateLimitPartition.GetFixedWindowLimiter(
+                    partitionKey: policyProvider.GetPartitionKey(httpContext),
+                    factory: _ => 
+                    {
+                        var rateLimitOptions = httpContext.RequestServices.GetRequiredService<IOptions<RateLimitOptions>>().Value;
+                        return new FixedWindowRateLimiterOptions
+                        {
+                            AutoReplenishment = true,
+                            PermitLimit = rateLimitOptions.DefaultRequestLimit,
+                            Window = TimeSpan.FromSeconds(rateLimitOptions.TimeWindowInSeconds),
+                            QueueLimit = rateLimitOptions.QueueLimit,
+                            QueueProcessingOrder = (QueueProcessingOrder)rateLimitOptions.QueueProcessingOrder
+                        };
+                    });
+            });
+            
+            // Global settings
+            rateLimiterOptions.GlobalLimiter = null; // We use partitioned limiter instead
+            rateLimiterOptions.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
+        });
+
+        _configAdded = true;
+        Console.WriteLine("Rate Limiting enabled.");
+        
+        return services;
+    }
+
+    /// <summary>
+    /// Applies rate limiting middleware to the application
+    /// </summary>
+    /// <param name="app">The web application to configure</param>
+    /// <returns>The web application with rate limiting applied</returns>
+    public static WebApplication UseRateLimitConfig(this WebApplication app)
+    {
+        if (!_configAdded) return app;
+
+        app.UseRateLimiter();
+        
+        Console.WriteLine("Rate Limiting middleware enabled.");
+        return app;
+    }
+
+    /// <summary>
+    /// Applies rate limiting to a route handler
+    /// </summary>
+    /// <param name="builder">The route handler builder</param>
+    /// <returns>The route handler builder with rate limiting applied</returns>
+    public static RouteHandlerBuilder RequireRateLimit(this RouteHandlerBuilder builder)
+    {
+        if (_configAdded)
+        {
+            builder.RequireRateLimiting(DefaultPolicyName);
+        }
+        return builder;
+    }
+
+    /// <summary>
+    /// Applies rate limiting to a route group
+    /// </summary>
+    /// <param name="group">The route group builder</param>
+    /// <returns>The route group builder with rate limiting applied</returns>
+    public static RouteGroupBuilder RequireRateLimit(this RouteGroupBuilder group)
+    {
+        if (_configAdded)
+        {
+            group.RequireRateLimiting(DefaultPolicyName);
+        }
+        return group;
+    }
+}
diff --git a/z_Templates/SlimBus.ApiEndpoints/SlimBus.Api/Configs/RateLimits/RateLimitOptions.cs b/z_Templates/SlimBus.ApiEndpoints/SlimBus.Api/Configs/RateLimits/RateLimitOptions.cs
@@ -0,0 +1,36 @@
+namespace SlimBus.Api.Configs.RateLimits;
+
+/// <summary>
+/// Configuration options for rate limiting
+/// </summary>
+public class RateLimitOptions
+{
+    /// <summary>
+    /// Default number of requests allowed per time window
+    /// </summary>
+    public int DefaultRequestLimit { get; set; } = 2;
+
+    /// <summary>
+    /// Time window for rate limiting in seconds
+    /// </summary>
+    public int TimeWindowInSeconds { get; set; } = 1;
+
+    /// <summary>
+    /// Maximum number of queued requests when rate limit is reached
+    /// </summary>
+    public int QueueLimit { get; set; } = 0;
+
+    /// <summary>
+    /// Queue processing order
+    /// </summary>
+    public RateLimitQueueProcessingOrder QueueProcessingOrder { get; set; } = RateLimitQueueProcessingOrder.OldestFirst;
+}
+
+/// <summary>
+/// Defines the order in which queued requests are processed
+/// </summary>
+public enum RateLimitQueueProcessingOrder
+{
+    OldestFirst,
+    NewestFirst
+}
diff --git a/z_Templates/SlimBus.ApiEndpoints/SlimBus.Api/Configs/RateLimits/RateLimitPolicyProvider.cs b/z_Templates/SlimBus.ApiEndpoints/SlimBus.Api/Configs/RateLimits/RateLimitPolicyProvider.cs
@@ -0,0 +1,112 @@
+using System.IdentityModel.Tokens.Jwt;
+using System.Net;
+using System.Security.Claims;
+using System.Threading.RateLimiting;
+using Microsoft.AspNetCore.RateLimiting;
+using Microsoft.Extensions.Options;
+
+namespace SlimBus.Api.Configs.RateLimits;
+
+/// <summary>
+/// Provides rate limiting policies based on client IP or JWT user identity
+/// </summary>
+internal class RateLimitPolicyProvider
+{
+    private readonly RateLimitOptions _options;
+    private readonly ILogger<RateLimitPolicyProvider> _logger;
+
+    public RateLimitPolicyProvider(IOptions<RateLimitOptions> options, ILogger<RateLimitPolicyProvider> logger)
+    {
+        _options = options.Value;
+        _logger = logger;
+    }
+
+    /// <summary>
+    /// Gets the partition key for rate limiting based on authorization header or IP address
+    /// </summary>
+    public string GetPartitionKey(HttpContext context)
+    {
+        // Try to get user identity from JWT token first
+        var userIdentity = GetUserIdentityFromJwt(context);
+        if (!string.IsNullOrEmpty(userIdentity))
+        {
+            _logger.LogDebug("Using JWT user identity for rate limiting: {UserIdentity}", userIdentity);
+            return $"user:{userIdentity}";
+        }
+
+        // Fall back to client IP address
+        var clientIp = GetClientIpAddress(context);
+        _logger.LogDebug("Using client IP for rate limiting: {ClientIp}", clientIp);
+        return $"ip:{clientIp}";
+    }
+
+    /// <summary>
+    /// Extracts user identity from JWT token in authorization header
+    /// </summary>
+    private string? GetUserIdentityFromJwt(HttpContext context)
+    {
+        try
+        {
+            var authHeader = context.Request.Headers.Authorization.FirstOrDefault();
+            if (string.IsNullOrEmpty(authHeader) || !authHeader.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
+            {
+                return null;
+            }
+
+            var token = authHeader["Bearer ".Length..].Trim();
+            if (string.IsNullOrEmpty(token))
+            {
+                return null;
+            }
+
+            var jwtHandler = new JwtSecurityTokenHandler();
+            if (!jwtHandler.CanReadToken(token))
+            {
+                return null;
+            }
+
+            var jwtToken = jwtHandler.ReadJwtToken(token);
+            
+            // Try to get user identity in order of preference: name, email, sub (ID)
+            var userIdentity = jwtToken.Claims.FirstOrDefault(c => c.Type == ClaimTypes.Name)?.Value
+                            ?? jwtToken.Claims.FirstOrDefault(c => c.Type == ClaimTypes.Email)?.Value
+                            ?? jwtToken.Claims.FirstOrDefault(c => c.Type == ClaimTypes.NameIdentifier)?.Value
+                            ?? jwtToken.Claims.FirstOrDefault(c => c.Type == "sub")?.Value
+                            ?? jwtToken.Claims.FirstOrDefault(c => c.Type == "name")?.Value
+                            ?? jwtToken.Claims.FirstOrDefault(c => c.Type == "email")?.Value;
+
+            return userIdentity;
+        }
+        catch (Exception ex)
+        {
+            _logger.LogWarning(ex, "Failed to extract user identity from JWT token");
+            return null;
+        }
+    }
+
+    /// <summary>
+    /// Gets the client IP address from the HTTP context
+    /// </summary>
+    private string GetClientIpAddress(HttpContext context)
+    {
+        // Check for forwarded headers first (in case of proxy/load balancer)
+        var forwardedFor = context.Request.Headers["X-Forwarded-For"].FirstOrDefault();
+        if (!string.IsNullOrEmpty(forwardedFor))
+        {
+            var firstIp = forwardedFor.Split(',')[0].Trim();
+            if (IPAddress.TryParse(firstIp, out _))
+            {
+                return firstIp;
+            }
+        }
+
+        var realIp = context.Request.Headers["X-Real-IP"].FirstOrDefault();
+        if (!string.IsNullOrEmpty(realIp) && IPAddress.TryParse(realIp, out _))
+        {
+            return realIp;
+        }
+
+        // Fall back to connection remote IP address
+        return context.Connection.RemoteIpAddress?.ToString() ?? "unknown";
+    }
+}
diff --git a/z_Templates/SlimBus.ApiEndpoints/SlimBus.App.Tests/GlobalUsings.cs b/z_Templates/SlimBus.ApiEndpoints/SlimBus.App.Tests/GlobalUsings.cs
@@ -1,4 +1,5 @@
 global using System.Net.Http.Json;
+global using System.Security.Claims;
 global using Shouldly;
 global using System.Text.Json;
 global using FluentResults;
diff --git a/z_Templates/SlimBus.ApiEndpoints/SlimBus.App.Tests/SlimBus.App.Tests.csproj b/z_Templates/SlimBus.ApiEndpoints/SlimBus.App.Tests/SlimBus.App.Tests.csproj
@@ -14,6 +14,7 @@
         <PackageReference Include="Aspire.Hosting.AppHost" Version="9.3.1" />
         <PackageReference Include="Aspire.Hosting.Redis" Version="9.3.1" />
         <PackageReference Include="Aspire.Hosting.SqlServer" Version="9.3.2" />
+        <PackageReference Include="Microsoft.AspNetCore.RateLimiting" Version="8.0.11" />
         <PackageReference Update="Meziantou.Analyzer" Version="2.0.202">
           <PrivateAssets>all</PrivateAssets>
           <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
diff --git a/z_Templates/SlimBus.ApiEndpoints/SlimBus.App.Tests/Unit/RateLimitTests.cs b/z_Templates/SlimBus.ApiEndpoints/SlimBus.App.Tests/Unit/RateLimitTests.cs
diff --git a/z_Templates/SlimBus.ApiEndpoints/SlimBus.Share/Options/FeatureOptions.cs b/z_Templates/SlimBus.ApiEndpoints/SlimBus.Share/Options/FeatureOptions.cs

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`global using System.Net.Http.Json;`
	`2`	`+global using System.Security.Claims;`
`2`	`3`	`global using Shouldly;`
`3`	`4`	`global using System.Text.Json;`
`4`	`5`	`global using FluentResults;`