Added configurable API throttling, Handled API errors standardly

2024-07-02 17:41:45 +00:00 · 2020-01-18 15:03:28 +00:00 · 2020-01-18 15:03:28 +00:00 · be554b9c79
commit be554b9c79
parent 1350136ca3
9 changed files with 125 additions and 2 deletions
--- a/.env.example.complete
+++ b/.env.example.complete
@ -260,4 +260,7 @@ ALLOW_ROBOTS=null

 # The default and maximum item-counts for listing API requests.
 API_DEFAULT_ITEM_COUNT=100
-API_MAX_ITEM_COUNT=500
+API_MAX_ITEM_COUNT=500
+
+# The number of API requests that can be made per minute by a single user.
+API_REQUESTS_PER_MIN=180
--- a/app/Config/api.php
+++ b/app/Config/api.php
@ -17,4 +17,7 @@ return [
    // The maximum number of items that can be returned in a listing API request.
    'max_item_count' => env('API_MAX_ITEM_COUNT', 500),

+    // The number of API requests that can be made per minute by a single user.
+    'requests_per_minute' => env('API_REQUESTS_PER_MIN', 180)
+
 ];
--- a/app/Exceptions/Handler.php
+++ b/app/Exceptions/Handler.php
@ -7,6 +7,9 @@ use Illuminate\Auth\Access\AuthorizationException;
 use Illuminate\Auth\AuthenticationException;
 use Illuminate\Database\Eloquent\ModelNotFoundException;
 use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Http\Response;
 use Illuminate\Validation\ValidationException;
 use Symfony\Component\HttpKernel\Exception\HttpException;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
@ -47,6 +50,10 @@ class Handler extends ExceptionHandler
     */
    public function render($request, Exception $e)
    {
+        if ($this->isApiRequest($request)) {
+            return $this->renderApiException($e);
+        }
+
        // Handle notify exceptions which will redirect to the
        // specified location then show a notification message.
        if ($this->isExceptionType($e, NotifyException::class)) {
@ -70,6 +77,41 @@ class Handler extends ExceptionHandler
        return parent::render($request, $e);
    }

+    /**
+     * Check if the given request is an API request.
+     */
+    protected function isApiRequest(Request $request): bool
+    {
+        return strpos($request->path(), 'api/') === 0;
+    }
+
+    /**
+     * Render an exception when the API is in use.
+     */
+    protected function renderApiException(Exception $e): JsonResponse
+    {
+        $code = $e->getCode() === 0 ? 500 : $e->getCode();
+        $headers = [];
+        if ($e instanceof HttpException) {
+            $code = $e->getStatusCode();
+            $headers = $e->getHeaders();
+        }
+
+        $responseData = [
+            'error' => [
+                'message' => $e->getMessage(),
+            ]
+        ];
+
+        if ($e instanceof ValidationException) {
+            $responseData['error']['validation'] = $e->errors();
+            $code = $e->status;
+        }
+
+        $responseData['error']['code'] = $code;
+        return new JsonResponse($responseData, $code, $headers);
+    }
+
    /**
     * Check the exception chain to compare against the original exception type.
     * @param Exception $e
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@ -32,7 +32,7 @@ class Kernel extends HttpKernel
            \BookStack\Http\Middleware\GlobalViewData::class,
        ],
        'api' => [
-            'throttle:60,1',
+            \BookStack\Http\Middleware\ThrottleApiRequests::class,
            \BookStack\Http\Middleware\EncryptCookies::class,
            \BookStack\Http\Middleware\StartSessionIfCookieExists::class,
            \BookStack\Http\Middleware\ApiAuthenticate::class,
--- a/app/Http/Middleware/ThrottleApiRequests.php
+++ b/app/Http/Middleware/ThrottleApiRequests.php
@ -0,0 +1,18 @@
+<?php
+
+namespace BookStack\Http\Middleware;
+
+use Illuminate\Routing\Middleware\ThrottleRequests as Middleware;
+
+class ThrottleApiRequests extends Middleware
+{
+
+    /**
+     * Resolve the number of attempts if the user is authenticated or not.
+     */
+    protected function resolveMaxAttempts($request, $maxAttempts)
+    {
+        return (int) config('api.requests_per_minute');
+    }
+
+}
--- a/phpunit.xml
+++ b/phpunit.xml
@ -50,5 +50,6 @@
        <server name="APP_URL" value="http://bookstack.dev"/>
        <server name="DEBUGBAR_ENABLED" value="false"/>
        <server name="SAML2_ENABLED" value="false"/>
+        <server name="API_REQUESTS_PER_MIN" value="180"/>
    </php>
 </phpunit>
--- a/tests/Api/ApiAuthTest.php
+++ b/tests/Api/ApiAuthTest.php
@ -120,4 +120,29 @@ class ApiAuthTest extends TestCase
        $resp->assertJson($this->errorResponse("The email address for the account in use needs to be confirmed", 401));
    }

+    public function test_rate_limit_headers_active_on_requests()
+    {
+        $resp = $this->actingAsApiEditor()->get($this->endpoint);
+        $resp->assertHeader('x-ratelimit-limit', 180);
+        $resp->assertHeader('x-ratelimit-remaining', 179);
+        $resp = $this->actingAsApiEditor()->get($this->endpoint);
+        $resp->assertHeader('x-ratelimit-remaining', 178);
+    }
+
+    public function test_rate_limit_hit_gives_json_error()
+    {
+        config()->set(['api.requests_per_minute' => 1]);
+        $resp = $this->actingAsApiEditor()->get($this->endpoint);
+        $resp->assertStatus(200);
+
+        $resp = $this->actingAsApiEditor()->get($this->endpoint);
+        $resp->assertStatus(429);
+        $resp->assertHeader('x-ratelimit-remaining', 0);
+        $resp->assertHeader('retry-after');
+        $resp->assertJson([
+            'error' => [
+                'code' => 429,
+            ]
+        ]);
+    }
 }
--- a/tests/Api/ApiConfigTest.php
+++ b/tests/Api/ApiConfigTest.php
@ -44,4 +44,15 @@ class ApiConfigTest extends TestCase
        $resp->assertJsonCount(2, 'data');
    }

+    public function test_requests_per_min_alters_rate_limit()
+    {
+        $resp = $this->actingAsApiEditor()->get($this->endpoint);
+        $resp->assertHeader('x-ratelimit-limit', 180);
+
+        config()->set(['api.requests_per_minute' => 10]);
+
+        $resp = $this->actingAsApiEditor()->get($this->endpoint);
+        $resp->assertHeader('x-ratelimit-limit', 10);
+    }
+
 }
--- a/tests/Api/BooksApiTest.php
+++ b/tests/Api/BooksApiTest.php
@ -38,6 +38,26 @@ class BooksApiTest extends TestCase
        $this->assertActivityExists('book_create', $newItem);
    }

+    public function test_book_name_needed_to_create()
+    {
+        $this->actingAsApiEditor();
+        $details = [
+            'description' => 'A book created via the API',
+        ];
+
+        $resp = $this->postJson($this->baseEndpoint, $details);
+        $resp->assertStatus(422);
+        $resp->assertJson([
+            "error" => [
+                "message" => "The given data was invalid.",
+                "validation" => [
+                    "name" => ["The name field is required."]
+                ],
+                "code" => 422,
+            ],
+        ]);
+    }
+
    public function test_read_endpoint()
    {
        $this->actingAsApiEditor();