Add API generic rate limit

enjin · Mar 28, 2024 · df8f912 · df8f912
1 parent cf0b5e7
commit df8f912
Show file tree

Hide file tree

Showing 5 changed files with 59 additions and 2 deletions.
diff --git a/config/enjin-platform.php b/config/enjin-platform.php
@@ -234,9 +234,23 @@
     | Prune blocks
     |--------------------------------------------------------------------------
     |
-    | Here, you can specify the number of days to retain blocks data before pruning.
+    | Here you can specify the number of days to retain blocks data before pruning.
     | If set to null or zero, blocks will not be pruned.
     |
     */
     'prune_blocks' => env('PRUNE_BLOCKS', 7),
+
+    /*
+    |--------------------------------------------------------------------------
+    | API Rate Limiting
+    |--------------------------------------------------------------------------
+    |
+    | Here you may set the rate limiting for the APIs
+    |
+    */
+    'rate_limit' => [
+        'enabled' => env('RATE_LIMIT_ENABLED', true),
+        'attempts' => env('RATE_LIMIT_ATTEMPTS', 500),
+        'time' => env('RATE_LIMIT_TIME', 60),
+    ],
 ];
diff --git a/config/graphql.php b/config/graphql.php
@@ -15,6 +15,7 @@
         // This middleware will apply to all schemas
         'middleware' => [
             Illuminate\Session\Middleware\StartSession::class,
+            Enjin\Platform\Middlewares\RateLimit::class,
             Enjin\Platform\Middlewares\Authenticated::class,
         ],
 

diff --git a/lang/en/error.php b/lang/en/error.php
@@ -54,4 +54,5 @@
     'unable_to_process' => "Sorry, we're unable to process your request at this time. Please try again later.",
     'no_collection' => 'Unable to find a collection for token ID :tokenId.',
     'cannot_retry_transaction' => 'Cannot retry FINALIZED transaction.',
+    'too_many_requests' => 'Too many requests. Retry in :num seconds',
 ];
diff --git a/src/Middlewares/RateLimit.php b/src/Middlewares/RateLimit.php
@@ -0,0 +1,41 @@
+<?php
+
+namespace Enjin\Platform\Middlewares;
+
+use Closure;
+use Enjin\Platform\Exceptions\PlatformException;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\RedirectResponse;
+use Illuminate\Http\Request;
+use Illuminate\Http\Response;
+use Illuminate\Support\Facades\RateLimiter;
+
+class RateLimit
+{
+    /**
+     * The names of the schemas that should not be protected.
+     */
+    protected array $except = [
+        '__schema',
+    ];
+
+    /**
+     * Handle an incoming request.
+     */
+    public function handle(Request $request, Closure $next): JsonResponse|RedirectResponse|Response
+    {
+        if (config('enjin-platform.rate_limit.enabled')) {
+            $key = 'api:' . ($request->user()?->id ?: $request->ip());
+            if (RateLimiter::tooManyAttempts($key, config('enjin-platform.rate_limit.attempts'))) {
+                throw new PlatformException(
+                    __('enjin-platform::error.too_many_requests', ['num' => RateLimiter::availableIn($key)])
+                );
+            }
+
+            RateLimiter::hit($key, config('enjin-platform.rate_limit.time'));
+        }
+
+
+        return $next($request);
+    }
+}
diff --git a/testbench.yaml b/testbench.yaml
@@ -14,4 +14,4 @@ env:
   - DAEMON_ACCOUNT="0x68b427dda4f3894613e113b570d5878f3eee981196133e308c0a82584cf2e160"
 
 providers:
-  - Enjin\Platform\CoreServiceProvider
+  - Enjin\Platform\CoreServiceProvider