bedrockstreaming / rate-limit-bundle
Manage rate limitation for your routes
Installs: 23 115
Dependents: 0
Suggesters: 0
Security: 0
Stars: 3
Watchers: 35
Forks: 1
Open Issues: 1
Type:symfony-bundle
Requires
- php: >=8.0
- ext-json: *
- symfony/config: ^5.4 || ^6.0
- symfony/dependency-injection: ^5.4 || ^6.0
- symfony/event-dispatcher: ^5.4 || ^6.0
- symfony/http-foundation: ^5.4 || ^6.0
- symfony/http-kernel: ^5.4 || ^6.0
- symfony/options-resolver: ^5.4 || ^6.0
Requires (Dev)
- m6web/php-cs-fixer-config: ^2.1
- phpstan/phpstan: ^1.5
- phpstan/phpstan-phpunit: ^1.1
- phpunit/phpunit: 9.5.*
- rector/rector: ^0.12.22
- symfony/var-dumper: ^5.4 || ^6.0
Suggests
- webonyx/graphql-php: Needed to support @GraphQLRateLimit attribute
README
This bundle provides an easy way to protect your project by limiting access to your controllers.
Install the bundle
composer require bedrockstreaming/rate-limit-bundle
Update your config/bundles.php file to add the bundle for all env
<?php return [ ... Bedrock\Bundle\RateLimitBundle\RateLimitBundle::class => ['all' => true], ... ];
Configure the bundle
Add the config/packages/bedrock_rate_limit.yaml file with the following data.
bedrock_rate_limit: limit: 25 # 1000 requests by default period: 600 # 60 seconds by default limit_by_route: true|false # false by default display_headers: true|false # false by default
By default, the limitation is common to all routes annotated #[RateLimit]
.
For example, if you keep the default configuration and you configure the #[RateLimit]
attribute in 2 routes. Limit will shared between this 2 routes, if user consume all authorized calls on the first route, the second route couldn't be called.
If you swicth limit_by_route
to true, users will be allowed to reach the limit on each route annotated.
#[GraphQLRateLimit]
attribute allows you to rate limit by graphQL query or mutation.
/!\ To use this attribute, you will need to install suggested package.
If you switch display_headers
to true, 3 headers will be added x-rate-limit
, x-rate-limit-hits
, x-rate-limit-untils
to your responses. This can be usefull to debug your limitations.
display_headers
is used to display a verbose return if limit is reached.
Configure your storage
You must tell Symfony which storage implementation you want to use.
Update your config/services.yml like this:
... Bedrock\Bundle\RateLimitBundle\Storage\RateLimitStorageInterface: '@Bedrock\Bundle\RateLimitBundle\Storage\RateLimitInMemoryStorage' ...
By default, only RateLimitInMemory
is provided. But feel free to create your own by implementing RateLimitStorageInterface
or ManuallyResetableRateLimitStorageInterface
.
If your database has a TTL system (like Redis), you can implement only RateLimitStorageInterface
. Otherwhise you must implement also ManuallyResetableRateLimitStorageInterface
to manually delete rate limit in your database.
Configure your modifiers
Modifiers are a way to customize the rate limit.
This bundle provides 2 modifiers:
HttpMethodRateLimitModifier
limits the requests byhttp_method
.RequestAttributeRateLimitModifier
limits the requests by attributes value (taken from the$request->attributes
Symfony's bag).
Update your config/services.yml like this:
... Bedrock\Bundle\RateLimitBundle\RateLimitModifier\HttpMethodRateLimitModifier: tags: [ 'rate_limit.modifiers' ] Bedrock\Bundle\RateLimitBundle\RateLimitModifier\RequestAttributeRateLimitModifier: arguments: $attributeName: 'myRequestAttribute' tags: [ 'rate_limit.modifiers' ] ...
You can also create your own rate limit modifier by implementing RateLimitModifierInterface
and tagging your service accordingly.
Configure your routes
With attribute
Add the #[RateLimit]
attribute to your controller methods (by default, the limit will be 1000 requests per minute).
This attribute accepts parameters to customize the rate limit. The following example shows how to limit requests on a route at the rate of 10 requests max every 2 minutes.
:warning: This customization only works if the limit_by_route
parameter is true
#[RateLimit(limit: 10, period: 120)]
To rate limit your graphQL API, add the #[GraphQlRateLimit]
attribute to your graphQL controller.
This attribute requires a list of endpoints and accepts parameters to customize the rate limit. The following example shows how to limit requests on an endpoint at the rate of 10 requests max every 2 minutes and on default limitations.
#[GraphQlRateLimit( endpoints: [ [ 'endpoint' => 'GetMyQuery', 'limit' => 10, 'period' => 12], [ 'endpoint' => 'EditMyMutation'], ] )]
In YAML
You also may add your rate limits in configuration files (Yaml) with the route name. If period
or limit
is not
defined for a route, the bundle will take the common option.
bedrock_rate_limit: limit: 1000 period: 60 routes: get_foobar: limit: 500 period: 10 post_foobar: period: 10
Migration to php8
If you use rector you can use those rules to automatically migrate annotation to attributes :
$rectorConfig->ruleWithConfiguration( \Rector\Php80\Rector\Class_\AnnotationToAttributeRector::class, [ new \Rector\Php80\ValueObject\AnnotationToAttribute( 'Bedrock\Bundle\RateLimitBundle\Annotation\GraphQLRateLimit', \Bedrock\Bundle\RateLimitBundle\Attribute\GraphQLRateLimit::class ), new \Rector\Php80\ValueObject\AnnotationToAttribute( 'Bedrock\Bundle\RateLimitBundle\Annotation\RateLimit', \Bedrock\Bundle\RateLimitBundle\Attribute\RateLimit::class ) ], );