Implements rate limiting for API protection

Adds rate limiting functionality using Bucket4j to protect the API from abuse.

Introduces a filter to limit the number of requests a user can make within a timeframe.

Implements a custom exception and handler to return informative error messages when the rate limit is exceeded.

Updates logging to include retry information for rate limit exceptions.

Author: oDaviML

.gitignore

@@ -38,4 +38,5 @@ build/
 
 ### Logs ###
 logs/
-*.log
+*.log
+*.sh

docker-compose.prod.yaml

@@ -12,4 +12,9 @@ services:
       - SPRING_DATA_MONGODB_DATABASE=${MONGO_DATABASE}
       - SPRING_DATA_MONGODB_USERNAME=${MONGO_USERNAME}
       - SPRING_DATA_MONGODB_PASSWORD=${MONGO_PASSWORD}
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "10m"
+        max-file: "3"
     restart: unless-stopped

pom.xml

@@ -89,6 +89,11 @@
             <artifactId>logstash-logback-encoder</artifactId>
             <version>9.0</version>
         </dependency>
+        <dependency>
+            <groupId>com.bucket4j</groupId>
+            <artifactId>bucket4j-core</artifactId>
+            <version>8.10.1</version>
+        </dependency>
     </dependencies>
 
     <build>

src/main/java/com/dmware/api_onibusbh/exceptions/RateLimitExceededException.java

@@ -0,0 +1,15 @@
+package com.dmware.api_onibusbh.exceptions;
+
+public class RateLimitExceededException extends RuntimeException {
+
+    private final long retryAfterSeconds;
+
+    public RateLimitExceededException(String message, long retryAfterSeconds) {
+        super(message);
+        this.retryAfterSeconds = retryAfterSeconds;
+    }
+
+    public long getRetryAfterSeconds() {
+        return retryAfterSeconds;
+    }
+}

src/main/java/com/dmware/api_onibusbh/infra/CustomExceptionHandler.java

@@ -75,4 +75,12 @@ public ResponseEntity<ErrorResponse> noHandlerFoundException(NoHandlerFoundExcep
         logger.warn("Recurso não encontrado", kv("exception", ex.getClass().getSimpleName()), kv("status", HttpStatus.NOT_FOUND));
         return ErrorResponse.of("Verifique a rota digitada ou os dados enviados", HttpStatus.NOT_FOUND);
     }
+
+    @ExceptionHandler(RateLimitExceededException.class)
+    public ResponseEntity<ErrorResponse> rateLimitExceededException(RateLimitExceededException ex) {
+        logger.warn("Rate limit excedido", kv("exception", ex.getClass().getSimpleName()), kv("status", HttpStatus.TOO_MANY_REQUESTS), kv("retry_after", ex.getRetryAfterSeconds()));
+        return ResponseEntity.status(HttpStatus.TOO_MANY_REQUESTS)
+                .header("X-Rate-Limit-Retry-After-Seconds", String.valueOf(ex.getRetryAfterSeconds()))
+                .body(new ErrorResponse(java.time.LocalDateTime.now(), ex.getMessage(), HttpStatus.TOO_MANY_REQUESTS));
+    }
 }

src/main/java/com/dmware/api_onibusbh/infra/RateLimitingFilter.java

@@ -0,0 +1,68 @@
+package com.dmware.api_onibusbh.infra;
+
+import com.dmware.api_onibusbh.exceptions.RateLimitExceededException;
+import io.github.bucket4j.Bucket;
+import io.github.bucket4j.ConsumptionProbe;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Component;
+import org.springframework.web.filter.OncePerRequestFilter;
+import org.springframework.web.servlet.HandlerExceptionResolver;
+
+import java.io.IOException;
+import java.time.Duration;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.TimeUnit;
+
+@Component
+public class RateLimitingFilter extends OncePerRequestFilter {
+
+    private final Map<String, Bucket> buckets = new ConcurrentHashMap<>();
+
+    @Autowired
+    private HandlerExceptionResolver handlerExceptionResolver;
+
+    @Value("${rate.limit.capacity:60}")
+    private long capacity;
+
+    @Value("${rate.limit.tokens:60}")
+    private long tokens;
+
+    @Value("${rate.limit.duration-seconds:60}")
+    private long durationSeconds;
+
+    @Override
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+            throws ServletException, IOException {
+
+        String clientIp = request.getRemoteAddr();
+        Bucket bucket = buckets.computeIfAbsent(clientIp, this::createNewBucket);
+
+        ConsumptionProbe probe = bucket.tryConsumeAndReturnRemaining(1);
+
+        if (probe.isConsumed()) {
+            response.setHeader("X-Rate-Limit-Remaining", String.valueOf(probe.getRemainingTokens()));
+            filterChain.doFilter(request, response);
+        } else {
+            long waitForRefill = probe.getNanosToWaitForRefill();
+            long retryAfterSeconds = TimeUnit.NANOSECONDS.toSeconds(waitForRefill);
+
+            handlerExceptionResolver.resolveException(request, response, null,
+                    new RateLimitExceededException(
+                            "Rate limit exceeded. Try again in " + retryAfterSeconds + " seconds.",
+                            retryAfterSeconds
+                    ));
+        }
+    }
+
+    private Bucket createNewBucket(String key) {
+        return Bucket.builder()
+                .addLimit(limit -> limit.capacity(capacity).refillGreedy(tokens, Duration.ofSeconds(durationSeconds)))
+                .build();
+    }
+}

src/main/java/com/dmware/api_onibusbh/services/APIService.java

@@ -69,7 +69,6 @@ public List<LinhaDTO> getLinhasAPIBH() {
     }
 
     public List<CoordenadaDTO> getOnibusCoordenadaBH() {
-        logger.info("Acessando diretamente.");
         List<String> responses = fetchCoordenadasDirectly();
 
         if (responses == null || responses.size() < 2) {

src/main/java/com/dmware/api_onibusbh/services/OnibusService.java

@@ -1,13 +1,11 @@
 package com.dmware.api_onibusbh.services;
 
-import com.dmware.api_onibusbh.config.WebClientConfig;
 import com.dmware.api_onibusbh.dto.CoordenadaDTO;
 import com.dmware.api_onibusbh.dto.OnibusDTO;
 import com.dmware.api_onibusbh.entities.LinhaEntity;
 import com.dmware.api_onibusbh.exceptions.CoordenadasNotFoundException;
 import com.dmware.api_onibusbh.exceptions.LinhaNotFoundException;
 import com.dmware.api_onibusbh.repositories.LinhasRepository;
-import com.fasterxml.jackson.databind.ObjectMapper;
 import org.modelmapper.ModelMapper;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -33,12 +31,10 @@ public class OnibusService {
 
     private final LinhasRepository linhasRepository;
     private final ModelMapper modelMapper;
-    private final ObjectMapper objectMapper;
 
-    public OnibusService(LinhasService linhasService, WebClientConfig webClientConfig, LinhasRepository linhasRepository, ModelMapper modelMapper, ObjectMapper objectMapper) {
+    public OnibusService(LinhasRepository linhasRepository, ModelMapper modelMapper) {
         this.linhasRepository = linhasRepository;
         this.modelMapper = modelMapper;
-        this.objectMapper = objectMapper;
     }
 
 

src/main/resources/application-prod.properties

@@ -6,7 +6,7 @@ spring.data.mongodb.username=${MONGO_USERNAME}
 spring.data.mongodb.password=${MONGO_PASSWORD}
 
 logging.level.root=INFO
-logging.level.com.dmware.api_onibusbh=DEBUG
-logging.level.org.springframework.web=DEBUG
+logging.level.com.dmware.api_onibusbh=INFO
+logging.level.org.springframework.web=INFO
 
 server.forward-headers-strategy=framework

src/main/resources/application.properties

@@ -6,4 +6,12 @@ springdoc.swagger-ui.path=/swagger-ui.html
 spring.data.mongodb.auto-index-creation=true
 spring.data.mongodb.authentication-database=admin
 # Business
-api.onibus.coordenadas.ttl-minutes=20
+api.onibus.coordenadas.ttl-minutes=20
+
+# Rate Limiting (Bucket4j)
+rate.limit.capacity=60
+rate.limit.tokens=60
+rate.limit.duration-seconds=60
+
+# Performance
+spring.threads.virtual.enabled=true