feat: implement RateLimitMiddleware for API rate limiting and update validation rules in IpUserAgentMiddleware

Author: dewanakl

app/Middleware/IpUserAgentMiddleware.php

@@ -16,8 +16,8 @@ public function handle(Request $request, Closure $next)
             'ip' => env('HTTP_CF_CONNECTING_IP') ? $request->server->get('HTTP_CF_CONNECTING_IP', $request->ip()) : $request->ip(),
             'user_agent' => $request->userAgent(),
         ], [
-            'ip' => ['required', 'str', 'trim', 'max:45', 'ip'],
-            'user_agent' => ['required', 'str', 'trim', 'max:512'],
+            'ip' => ['required', 'str', 'trim', 'min:2', 'max:45', 'ip'],
+            'user_agent' => ['required', 'str', 'trim', 'min:64', 'max:512'],
         ]);
 
         if ($valid->fails()) {

app/Middleware/RateLimitMiddleware.php

@@ -0,0 +1,133 @@
+<?php
+
+namespace App\Middleware;
+
+use App\Response\JsonResponse;
+use Closure;
+use Core\Http\Request;
+use Core\Http\Respond;
+use Core\Http\Stream;
+use Core\Middleware\MiddlewareInterface;
+use MongoDB\Client;
+use MongoDB\BSON\UTCDateTime;
+
+final class RateLimitMiddleware implements MiddlewareInterface
+{
+    public function handle(Request $request, Closure $next)
+    {
+        if (!env('MONGODB_URI') || !env('MONGODB_DB') || !env('MONGODB_COLLECTION')) {
+            return $next($request);
+        }
+
+        if (!class_exists(Client::class) || !class_exists(UTCDateTime::class)) {
+            throw new \Exception('MongoDB PHP Library is not installed. Please install it using "composer require mongodb/mongodb"');
+        }
+
+        list($response, $headers) = $this->handleRateLimit($request, $next);
+
+        $baseResponse = ($response instanceof Stream) ? respond() : $response;
+
+        foreach ($headers as $key => $value) {
+            $baseResponse->headers->set($key, $value);
+        }
+
+        return $response;
+    }
+
+    public function handleRateLimit(Request $request, Closure $next)
+    {
+        $limit = intval(env('RATE_LIMIT', 120));
+        $window = intval(env('RATE_LIMIT_WINDOW', 60 * 60 * 24));
+
+        $collection = (new Client(env('MONGODB_URI')))
+            ->selectDatabase(env('MONGODB_DB'))
+            ->selectCollection(env('MONGODB_COLLECTION'));
+
+        $this->createIndexIfnotExists($collection, $window);
+
+        $record = $collection->findOne([
+            'ip' => context('ip'),
+            'window_start_time' => ['$gte' => new UTCDateTime((time() - $window) * 1000)]
+        ]);
+
+        $rateLimitHeaders = [
+            'X-Rate-Limit-Limit' => $limit,
+            'X-Rate-Limit-Remaining' => $limit,
+            'X-Rate-Limit-Reset' => time() + $window
+        ];
+
+        $response = $next($request);
+
+        if (
+            !$response instanceof Stream &&
+            !($response instanceof Respond && $response->getCode() >= 300 && $response->getCode() < 400)
+        ) {
+            $response = respond()->transform($response);
+        }
+
+        if (!$record) {
+            $collection->findOneAndUpdate(
+                ['ip' => context('ip')],
+                ['$set' => [
+                    'count' => 1,
+                    'window_start_time' => new UTCDateTime(time() * 1000)
+                ]],
+                ['upsert' => true]
+            );
+
+            return [$response, $rateLimitHeaders];
+        }
+
+        $rateLimitHeaders['X-Rate-Limit-Remaining'] = max(0, $limit - intval($record['count']));
+        $rateLimitHeaders['X-Rate-Limit-Reset'] = $record['window_start_time']->toDateTime()->getTimestamp() + $window;
+
+        if (intval($record['count']) >= $limit) {
+            $response = (new JsonResponse)->errorBadRequest(['Rate limit exceeded. Please try again later.']);
+
+            return [$response, $rateLimitHeaders];
+        }
+
+        $collection->updateOne(
+            ['_id' => $record['_id']],
+            ['$inc' => ['count' => 1]]
+        );
+
+        return [$response, $rateLimitHeaders];
+    }
+
+    private function createIndexIfnotExists($collection, $window)
+    {
+        $ipIndexExists = false;
+        $ttlIndexName = null;
+        $existingExpireAfter = null;
+
+        foreach ($collection->listIndexes() as $index) {
+            $key = $index->getKey();
+
+            if ($key === ['ip' => 1]) {
+                $ipIndexExists = true;
+            }
+
+            if (isset($index['expireAfterSeconds']) && $key === ['window_start_time' => 1]) {
+                $ttlIndexName = $index->getName();
+                $existingExpireAfter = $index['expireAfterSeconds'];
+            }
+        }
+
+        if (!$ipIndexExists) {
+            $collection->createIndex(['ip' => 1]);
+        }
+
+        $expectedTtl = $window * 2;
+        if ($ttlIndexName && $existingExpireAfter !== $expectedTtl) {
+            $collection->dropIndex($ttlIndexName);
+        }
+
+        if (!$ttlIndexName || $existingExpireAfter !== $expectedTtl) {
+            $collection->createIndex(
+                ['window_start_time' => 1],
+                ['expireAfterSeconds' => $expectedTtl]
+            );
+        }
+    }
+}

composer.json

@@ -12,6 +12,7 @@
         "firebase/php-jwt": "^6.3",
         "kamu/aman": "^1.0",
         "kamu/framework": "^3.3.0",
+        "mongodb/mongodb": "^1.21",
         "ramsey/uuid": "^4.7"
     },
     "require-dev": {
@@ -38,4 +39,4 @@
     },
     "minimum-stability": "stable",
     "prefer-stable": true
-}
+}

composer.lock

@@ -5,6 +5,7 @@
 use App\Controllers\Api\DashboardController;
 use App\Middleware\AuthMiddleware;
 use App\Middleware\DashboardMiddleware;
+use App\Middleware\RateLimitMiddleware;
 use App\Middleware\TzMiddleware;
 use Core\Routing\Route;
 
@@ -13,12 +14,12 @@
  * keep simple yeah.
  */
 
-Route::prefix('/session')->group(function () {
+Route::middleware(RateLimitMiddleware::class)->prefix('/session')->group(function () {
     Route::post('/', [AuthController::class, 'login']);
     Route::options('/'); // Preflight request [/api/session]
 });
 
-Route::middleware([AuthMiddleware::class, TzMiddleware::class])->group(function () {
+Route::middleware([RateLimitMiddleware::class, AuthMiddleware::class, TzMiddleware::class])->group(function () {
 
     // Dashboard
     Route::middleware(DashboardMiddleware::class)->group(function () {