feat: aggiunto rate limiting API con Illuminate RateLimiter e store su file

Author: lucasalva87

api/index.php

@@ -38,6 +38,21 @@ function serverError()
 
 include_once __DIR__.'/../core.php';
 
+// Rate limiting per API (se abilitato)
+if (($config['rate_limiting']['enabled'] ?? false)) {
+    [$ok, $retry] = \Security\LaravelRateLimiter::enforce('api', $config, [
+        'key_parts' => [
+            'resource' => get('resource'),
+            'token' => get('token'),
+        ],
+    ]);
+    if (!$ok) {
+        http_response_code(429);
+        exit('Too Many Requests');
+    }
+}
+
+
 // Permesso di accesso all'API da ogni dispositivo
 header('Access-Control-Allow-Origin: *');
 header('Access-Control-Allow-Methods: POST, GET, PUT, DELETE, OPTIONS');

composer.json

@@ -42,6 +42,8 @@
         "guzzlehttp/guzzle": "^7.0.1",
         "ifsnop/mysqldump-php": "^2.3",
         "illuminate/database": "^10.0",
+        "illuminate/cache": "^10.0",
+        "illuminate/filesystem": "^10.0",
         "intervention/image": "^3.0",
         "jurosh/pdf-merge": "^2.1",
         "league/csv": "^9.7.0",

config.example.php

@@ -72,3 +72,16 @@
 
 // Configura il limite di tempo di esecuzione del file cron.php
 $php_time_limit = '';
+
+
+// Integrazione con Laravel per Rate limiting
+$rate_limiting = [
+    'enabled' => false,
+    'store_path' => __DIR__.'/files/cache/ratelimiter',
+    'strategy' => 'user', // 'user' | 'ip' | 'ip_user'
+    'limits' => [
+        'api' => ['max' => 60, 'decay' => 60],
+    ],
+    'whitelist_ips' => [],
+    'blacklist_ips' => [],
+];

src/Security/LaravelRateLimiter.php

@@ -0,0 +1,178 @@
+<?php
+
+/*
+ * Implementazione conservativa di rate limiting per OpenSTAManager.
+ * Usa Illuminate\Cache\RateLimiter quando disponibile; in caso contrario
+ * applica un fallback file-based compatibile con i parametri configurati.
+ *
+ * Requisiti (modalità nativa):
+ *  - illuminate/cache:^10.0
+ *  - illuminate/filesystem:^10.0
+ */
+
+namespace Security;
+
+class LaravelRateLimiter
+{
+    /**
+     * Applica il rate limiting per una determinata "area" (es. 'api').
+     *
+     * @param string $area  Area logica (es. 'api')
+     * @param array  $config Configurazione completa di OSM (incluso $rate_limiting)
+     * @param array  $opts  Opzioni aggiuntive (es. ['key_parts' => ['resource' => ..., 'token' => ...]])
+     *
+     * @return array [bool $allowed, int $retryAfterSeconds]
+     */
+    public static function enforce(string $area, array $config, array $opts = []): array
+    {
+        $cfg = $config['rate_limiting'] ?? [];
+
+        $ip = function_exists('get_client_ip') ? get_client_ip() : ($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
+
+        // Whitelist IP: sempre consentito
+        $whitelist = (array)($cfg['whitelist_ips'] ?? []);
+        if (in_array($ip, $whitelist, true)) {
+            return [true, 0];
+        }
+
+        // Blacklist IP: sempre bloccato
+        $blacklist = (array)($cfg['blacklist_ips'] ?? []);
+        if (in_array($ip, $blacklist, true)) {
+            return [false, 0];
+        }
+
+        // Costruzione chiave e limiti
+        [$key, $max, $decay, $storePath] = self::buildKeyAndLimits($area, $cfg, $ip, $opts);
+
+        // Prova ad usare il RateLimiter nativo di Illuminate
+        if (
+            class_exists('Illuminate\\Cache\\RateLimiter') &&
+            class_exists('Illuminate\\Cache\\Repository') &&
+            class_exists('Illuminate\\Cache\\FileStore') &&
+            class_exists('Illuminate\\Filesystem\\Filesystem')
+        ) {
+            try {
+                if (!is_dir($storePath)) {
+                    @mkdir($storePath, 0777, true);
+                }
+                $files = new \Illuminate\Filesystem\Filesystem();
+                $store = new \Illuminate\Cache\FileStore($files, $storePath);
+                $repo  = new \Illuminate\Cache\Repository($store);
+                $rl    = new \Illuminate\Cache\RateLimiter($repo);
+
+                if ($rl->tooManyAttempts($key, $max)) {
+                    return [false, $rl->availableIn($key)];
+                }
+
+                $rl->hit($key, $decay);
+
+                return [true, 0];
+            } catch (\Throwable) {
+                // In caso di problemi con Illuminate, prosegue col fallback
+            }
+        }
+
+        // Fallback file-based (compatibile con max/decay)
+        return self::fallbackEnforce($storePath, $key, $max, $decay);
+    }
+
+    /**
+     * Costruisce chiave, limiti e percorso store.
+     */
+    private static function buildKeyAndLimits(string $area, array $cfg, string $ip, array $opts): array
+    {
+        $limits = (array)($cfg['limits'][$area] ?? []);
+        $max   = (int)($limits['max'] ?? 60);
+        $decay = (int)($limits['decay'] ?? 60);
+
+        // Strategia chiave: 'user' | 'ip' | 'ip_user'
+        $strategy = (string)($cfg['strategy'] ?? 'user');
+
+        $userId = null;
+        if (class_exists('Auth')) {
+            try {
+                $u = \Auth::user();
+                if ($u && isset($u->id)) {
+                    $userId = (int)$u->id;
+                }
+            } catch (\Throwable) {
+                // ignora
+            }
+        }
+
+        $idParts = [$area, $strategy];
+        if ($strategy === 'user') {
+            $idParts[] = $userId ?: ('ip:'.$ip);
+        } elseif ($strategy === 'ip') {
+            $idParts[] = 'ip:'.$ip;
+        } else { // ip_user
+            $idParts[] = 'u:'.($userId ?? 0);
+            $idParts[] = 'ip:'.$ip;
+        }
+
+        // Ulteriori parti opzionali di chiave (per granularità)
+        foreach ((array)($opts['key_parts'] ?? []) as $k => $v) {
+            if (!empty($v)) {
+                $idParts[] = $k.':'.$v;
+            }
+        }
+
+        $key = 'osm:rate:'.sha1(implode('|', $idParts));
+
+        $storePath = (string)($cfg['store_path'] ?? (function_exists('base_dir') ? base_dir().'/files/cache/ratelimiter' : __DIR__.'/../../files/cache/ratelimiter'));
+
+        return [$key, $max, $decay, $storePath];
+    }
+
+    /**
+     * Fallback semplice su file (contatore per finestra temporale), con lock.
+     */
+    private static function fallbackEnforce(string $storePath, string $key, int $max, int $decay): array
+    {
+        if (!is_dir($storePath)) {
+            @mkdir($storePath, 0777, true);
+        }
+        $file = rtrim($storePath, '/\\').DIRECTORY_SEPARATOR.strtr($key, [':' => '_']).'.json';
+        $now  = time();
+        $data = ['count' => 0, 'start' => $now];
+
+        $h = @fopen($file, 'c+');
+        if ($h === false) {
+            // Se non posso accedere allo store, non blocco (fail-open conservativo)
+            return [true, 0];
+        }
+
+        try {
+            @flock($h, LOCK_EX);
+            $contents = stream_get_contents($h);
+            if ($contents) {
+                $decoded = json_decode($contents, true);
+                if (is_array($decoded) && isset($decoded['count'], $decoded['start'])) {
+                    $data = $decoded;
+                }
+            }
+
+            // Reset finestra se scaduta
+            if (($now - (int)$data['start']) >= $decay) {
+                $data = ['count' => 0, 'start' => $now];
+            }
+
+            if ((int)$data['count'] >= $max) {
+                $retry = max(0, $decay - ($now - (int)$data['start']));
+                return [false, $retry];
+            }
+
+            // Incremento e salvo
+            $data['count'] = (int)$data['count'] + 1;
+            ftruncate($h, 0);
+            rewind($h);
+            fwrite($h, json_encode($data));
+
+            return [true, 0];
+        } finally {
+            @flock($h, LOCK_UN);
+            @fclose($h);
+        }
+    }
+}
+