Added new middleware methods to secure Leantime
1 parent
3d4194c
commit cd79ec1
Showing
10 changed files
with
201 additions
and
5 deletions.
@@ -0,0 +1,92 @@ | ||
<?php | ||
|
||
namespace Leantime\Core\Middleware; | ||
|
||
use Closure; | ||
use Illuminate\Cache\RateLimiter; | ||
use Leantime\Core\ApiRequest; | ||
use Leantime\Core\Eventhelpers; | ||
use Leantime\Core\Frontcontroller; | ||
use Leantime\Core\IncomingRequest; | ||
use Leantime\Core\Middleware\Request; | ||
use Symfony\Component\HttpFoundation\Response; | ||
|
||
/** | ||
* Class ApiRateLimiter | ||
* | ||
* This class is responsible for rate limiting requests, login requests and api requests | ||
*/ | ||
class RequestRateLimiter | ||
{ | ||
use Eventhelpers; | ||
|
||
protected RateLimiter $limiter; | ||
|
||
/** | ||
* __construct | ||
* Constructor method for the class. | ||
* | ||
* @param RateLimiter $limiter The RateLimiter object to be initialized. | ||
* @return void. | ||
*/ | ||
public function __construct(RateLimiter $limiter) | ||
{ | ||
$this->limiter = $limiter; | ||
} | ||
|
||
/** | ||
* Handle the incoming request. | ||
* | ||
* @param IncomingRequest $request The incoming request object. | ||
* @param Closure $next The next middleware closure. | ||
* @return Response The response object. | ||
*/ | ||
public function handle(IncomingRequest $request, Closure $next): Response | ||
{ | ||
|
||
//Key | ||
$key = $request->getClientIp(); | ||
|
||
//General Limit per minute | ||
$limit = 1000; | ||
|
||
//API Routes Limit | ||
if ($request instanceof ApiRequest) { | ||
$apiKey = ""; | ||
$key = app()->make(ApiRequest::class)->getAPIKeyUser($apiKey); | ||
$limit = 10; | ||
} | ||
|
||
$route = Frontcontroller::getCurrentRoute(); | ||
|
||
if ($route == "auth.login") { | ||
$limit = 20; | ||
$key = $key . ".loginAttempts"; | ||
} | ||
|
||
$key = self::dispatch_filter( | ||
"rateLimit", | ||
$key, | ||
[ | ||
"bootloader" => $this, | ||
], | ||
); | ||
|
||
$limit = self::dispatch_filter( | ||
"rateLimit", | ||
$limit, | ||
[ | ||
"bootloader" => $this, | ||
"key" => $key, | ||
], | ||
); | ||
|
||
if ($this->limiter->tooManyAttempts($key, $limit)) { | ||
error_log("too many requests per minute: " . $key); | ||
return new Response(json_encode(['error' => 'Too many requests per minute.']), Response::HTTP_TOO_MANY_REQUESTS); | ||
} | ||
$this->limiter->hit($key, 60); | ||
|
||
return $next($request); | ||
} | ||
} |
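Review bot: The API branch never identifies the caller: `$apiKey = ""` is hard-coded and handed to `getAPIKeyUser()` on a freshly built `app()->make(ApiRequest::class)` instead of the `$request` already in hand, so every API call is bucketed under whatever that lookup returns for an empty key — either one shared 10/min bucket for all API clients (a trivial denial of service against every integration) or a limiter that never engages. The key has to be derived from the incoming request itself, something like `$key = 'api.' . ($request->getAPIKeyUser($suppliedKey) ?: $request->getClientIp())` where `$suppliedKey` is read from whichever header the API layer already uses; that accessor lives outside this hunk, so confirm it against ApiRequest. Both `dispatch_filter` calls use the same name `"rateLimit"`, once for the string key and once for the integer limit, so a plugin that filters one silently corrupts the other; use distinct names such as `"rateLimitKey"` and `"rateLimitValue"`. The login bucket is keyed only by IP, so a distributed brute force against a single account is not slowed at all; consider also bucketing on the submitted username, and sending a `Retry-After` header and `Content-Type: application/json` with the 429. The class docblock still reads `Class ApiRateLimiter` while the class is `RequestRateLimiter`.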
@@ -0,0 +1,83 @@ | ||
<?php | ||
|
||
namespace Leantime\Core\Middleware; | ||
|
||
use Closure; | ||
use Illuminate\Cache\RateLimiting\Limit; | ||
use Illuminate\Support\Facades\RateLimiter; | ||
use Leantime\Core\ApiRequest; | ||
use Leantime\Core\Environment; | ||
use Leantime\Core\Eventhelpers; | ||
use Leantime\Core\Frontcontroller; | ||
use Leantime\Core\IncomingRequest; | ||
use Leantime\Core\Middleware\Request; | ||
use Symfony\Component\HttpFoundation\Response; | ||
|
||
/** | ||
* Class TrustProxies | ||
* | ||
* The TrustProxies class is responsible for handling incoming requests and checking if they are from trusted proxies. | ||
* | ||
* @package Your\Namespace | ||
*/ | ||
class TrustProxies | ||
{ | ||
use Eventhelpers; | ||
|
||
/** | ||
* The trusted proxies for this application. | ||
* | ||
* @var array | ||
*/ | ||
protected $proxies = []; | ||
|
||
/** | ||
* The headers that should be used to detect proxies. | ||
* | ||
* @var string | ||
*/ | ||
protected $headers = IncomingRequest::HEADER_X_FORWARDED_FOR | | ||
IncomingRequest::HEADER_X_FORWARDED_HOST | | ||
IncomingRequest::HEADER_X_FORWARDED_PORT | | ||
IncomingRequest::HEADER_X_FORWARDED_PROTO | | ||
IncomingRequest::HEADER_X_FORWARDED_AWS_ELB; | ||
|
||
/** | ||
* Constructor for the class. | ||
* | ||
* @param Environment $config An instance of the Environment class. | ||
*/ | ||
public function __construct(Environment $config) | ||
{ | ||
|
||
if (empty($config->trustedProxies)) { | ||
$config->trustedProxies = "127.0.0.1,REMOTE_ADDR"; | ||
} | ||
|
||
$this->proxies = self::dispatch_filter( | ||
"trustedProxies", | ||
explode(",", $config->trustedProxies), | ||
['bootloader' => $this] | ||
); | ||
|
||
IncomingRequest::setTrustedProxies($this->proxies, $this->headers); | ||
} | ||
|
||
/** | ||
* Handle the incoming request and pass it to the next middleware. | ||
* If the request is not from a trusted proxy, it returns a response with an error message. | ||
* | ||
* @param IncomingRequest $request The incoming request. | ||
* @param Closure $next The next middleware closure. | ||
* @return Response The response returned by the next middleware. | ||
*/ | ||
public function handle(IncomingRequest $request, Closure $next): Response | ||
{ | ||
|
||
if (!$request->isFromTrustedProxy()) { | ||
return new Response(json_encode(['error' => 'Not a trusted proxy']), 403); | ||
} | ||
|
||
return $next($request); | ||
} | ||
} |
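Review bot: The fallback `$config->trustedProxies = "127.0.0.1,REMOTE_ADDR"` makes the `isFromTrustedProxy()` guard in `handle()` a no-op and, worse, undermines the rate limiter: if `IncomingRequest` keeps Symfony's handling of the `REMOTE_ADDR` token, the immediate client is always treated as a trusted proxy, so any caller can send `X-Forwarded-For` and `getClientIp()` — the rate-limit key — becomes attacker-controlled, giving a brute-forcer a fresh login bucket per request just by rotating the header. The default should be `127.0.0.1` alone (or empty, so no forwarded headers are honoured) with operators listing their real proxy addresses explicitly; I would also drop `HEADER_X_FORWARDED_HOST` from `$headers` unless the deployment's proxies genuinely rewrite Host, since a trusted forwarded Host feeds every absolute URL the application generates. `explode(",", ...)` keeps surrounding whitespace, so a value like `"10.0.0.1, 10.0.0.2"` yields `" 10.0.0.2"` which never matches; use `array_map('trim', explode(',', $config->trustedProxies))`. The constructor also writes the fallback back into the shared `$config` object, the docblock still carries the template `@package Your\Namespace`, and the unused imports (`Limit`, the `RateLimiter` facade, `ApiRequest`, `Frontcontroller`, `Request`) should be removed.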