[P1 Security] Rate Limiting für API-Routes und Livewire-Actions (vibe-kanban e1f85c61)

## Security Audit: Fehlendes Rate Limiting ### Problem Die Anwendung hat **kein Rate Limiting** auf API-Routes oder Livewire-Actions. Das ermöglicht: - Brute-Force-Angriffe auf Authentication-Endpoints - Denial-of-Service durch massenhaftes Aufrufen von API-Endpoints - Vote-Manipulation durch schnelle, wiederholte Requests - Ressourcen-Erschöpfung durch unkontrollierte Datenbankabfragen ### Betroffene Endpoints **API-Routes (`routes/api.php`):** ```php Route::get('/nostr/profile/{key}', GetProfile::class); // kein Rate Limit Route::get('/members/{year}', GetPaidMembers::class); // kein Rate Limit ``` **Kritische Livewire-Actions (kein Throttling):** - Voting auf ProjectProposals (`association/project-support/show`) - Login via Nostr (`handleNostrLogin`) - ProjectProposal-Erstellung - Election Voting ### Lösung **1. API Rate Limiting in `bootstrap/app.php`:** Nutze Laravel 12's Middleware-Konfiguration um Rate Limiting zu aktivieren: ```php ->withMiddleware(function (Middleware $middleware) { $middleware->api(prepend: [ \Illuminate\Routing\Middleware\ThrottleRequests::class.':api', ]); }) ``` Und definiere den `api` Rate Limiter in `app/Providers/AppServiceProvider.php`: ```php use Illuminate\Cache\RateLimiting\Limit; use Illuminate\Support\Facades\RateLimiter; public function boot(): void { RateLimiter::for('api', function (Request $request) { return Limit::perMinute(60)->by($request->ip()); }); } ``` **2. Livewire Action Throttling:** Nutze Livewire's `#[Throttle]` Attribut auf sensiblen Actions. Suche in der Livewire-Dokumentation nach der korrekten v4-Syntax mit `search-docs`: - `queries: ['throttle', 'rate limiting']` - `packages: ['livewire/livewire']` Wende Throttling an auf: - Vote-Submit-Methoden in den ProjectSupport-Components - Login-Handler (`handleNostrLogin` in `WithNostrAuth` Trait) - ProjectProposal Create/Update Actions **3. Zusätzlicher Custom Rate Limiter für Voting:** ```php RateLimiter::for('voting', function (Request $request) { return Limit::perMinute(10)->by($request->ip()); }); ``` ### Betroffene Dateien - `bootstrap/app.php` – Middleware-Konfiguration (Rate Limit Middleware hinzufügen) - `app/Providers/AppServiceProvider.php` – RateLimiter Definitionen - `routes/api.php` – Rate Limit Middleware anwenden - `app/Livewire/Traits/WithNostrAuth.php` – Throttle auf `handleNostrLogin` - Livewire-Components in `app/Livewire/Association/ProjectSupport/` – Throttle auf Vote/Create Actions ### Vorgehen 1. `search-docs` nutzen für: `['rate limiting', 'throttle']` (Laravel) und `['throttle']` (Livewire) 2. Rate Limiter in AppServiceProvider definieren 3. API-Middleware in `bootstrap/app.php` konfigurieren 4. Livewire-Actions mit Throttle versehen 5. Pest-Tests schreiben, die verifizieren dass Rate Limiting greift (429 Response bei Überschreitung) 6. `vendor/bin/pint --dirty` und `php artisan test --compact` ### Akzeptanzkriterien - API-Routes geben HTTP 429 nach 60 Requests/Minute zurück - Voting-Actions sind auf max. 10/Minute limitiert - Login-Attempts sind throttled - Tests verifizieren Rate Limiting Verhalten
2026-02-15 03:23:17 +00:00 · 2026-02-11 20:53:29 +01:00
parent af3090e694
commit 9faae15212
8 changed files with 221 additions and 2 deletions
--- a/resources/views/livewire/association/election/show.blade.php
+++ b/resources/views/livewire/association/election/show.blade.php
@@ -4,6 +4,7 @@ use App\Models\Election;
 use App\Models\EinundzwanzigPleb;
 use App\Models\Profile;
 use App\Support\NostrAuth;
+use Illuminate\Support\Facades\RateLimiter;
 use Livewire\Attributes\Computed;
 use Livewire\Attributes\Locked;
 use Livewire\Component;
@@ -204,6 +205,16 @@ new class extends Component {

    public function handleNostrLoggedIn(string $pubkey): void
    {
+        $executed = RateLimiter::attempt(
+            'nostr-login:'.request()->ip(),
+            10,
+            function () {},
+        );
+
+        if (! $executed) {
+            abort(429, 'Too many login attempts.');
+        }
+
        $this->currentPubkey = $pubkey;
        $this->currentPleb = EinundzwanzigPleb::query()
            ->where('pubkey', $pubkey)->first();
@@ -279,6 +290,16 @@ new class extends Component {

    public function vote($pubkey, $type, $board = false): void
    {
+        $executed = RateLimiter::attempt(
+            'voting:'.request()->ip(),
+            10,
+            function () {},
+        );
+
+        if (! $executed) {
+            abort(429, 'Too many voting attempts.');
+        }
+
        if ($this->election->end_time?->isPast()) {
            $this->isNotClosed = false;

@@ -303,6 +324,16 @@ new class extends Component {

    public function signEvent($event): void
    {
+        $executed = RateLimiter::attempt(
+            'voting:'.request()->ip(),
+            10,
+            function () {},
+        );
+
+        if (! $executed) {
+            abort(429, 'Too many voting attempts.');
+        }
+
        $note = new NostrEvent;
        $note->setId($event['id']);
        $note->setSignature($event['sig']);
--- a/resources/views/livewire/association/project-support/form/create.blade.php
+++ b/resources/views/livewire/association/project-support/form/create.blade.php
@@ -2,6 +2,7 @@

 use App\Models\ProjectProposal;
 use App\Support\NostrAuth;
+use Illuminate\Support\Facades\RateLimiter;
 use Livewire\Attributes\Layout;
 use Livewire\Attributes\Locked;
 use Livewire\Attributes\Title;
@@ -58,6 +59,16 @@ class extends Component

    public function save(): void
    {
+        $executed = RateLimiter::attempt(
+            'project-proposal-create:'.request()->ip(),
+            5,
+            function () {},
+        );
+
+        if (! $executed) {
+            abort(429, 'Too many requests.');
+        }
+
        $this->validate([
            'form.name' => 'required|string|max:255',
            'form.description' => 'required|string',
--- a/resources/views/livewire/association/project-support/form/edit.blade.php
+++ b/resources/views/livewire/association/project-support/form/edit.blade.php
@@ -2,6 +2,7 @@

 use App\Models\ProjectProposal;
 use App\Support\NostrAuth;
+use Illuminate\Support\Facades\RateLimiter;
 use Livewire\Attributes\Layout;
 use Livewire\Attributes\Locked;
 use Livewire\Attributes\Title;
@@ -84,6 +85,16 @@ class extends Component

    public function update(): void
    {
+        $executed = RateLimiter::attempt(
+            'project-proposal-update:'.request()->ip(),
+            5,
+            function () {},
+        );
+
+        if (! $executed) {
+            abort(429, 'Too many requests.');
+        }
+
        $this->validate([
            'form.name' => 'required|string|max:255',
            'form.description' => 'required|string',
--- a/resources/views/livewire/association/project-support/show.blade.php
+++ b/resources/views/livewire/association/project-support/show.blade.php
@@ -4,6 +4,7 @@ use App\Livewire\Traits\WithNostrAuth;
 use App\Models\ProjectProposal;
 use App\Models\Vote;
 use App\Support\NostrAuth;
+use Illuminate\Support\Facades\RateLimiter;
 use Livewire\Attributes\Locked;
 use Livewire\Component;

@@ -64,6 +65,16 @@ new class extends Component {
            return;
        }

+        $executed = RateLimiter::attempt(
+            'voting:'.request()->ip(),
+            10,
+            function () {},
+        );
+
+        if (! $executed) {
+            abort(429, 'Too many voting attempts.');
+        }
+
        Vote::query()->updateOrCreate([
            'project_proposal_id' => $this->projectProposal->id,
            'einundzwanzig_pleb_id' => $this->currentPleb->id,
@@ -79,6 +90,16 @@ new class extends Component {
            return;
        }

+        $executed = RateLimiter::attempt(
+            'voting:'.request()->ip(),
+            10,
+            function () {},
+        );
+
+        if (! $executed) {
+            abort(429, 'Too many voting attempts.');
+        }
+
        Vote::query()->updateOrCreate([
            'project_proposal_id' => $this->projectProposal->id,
            'einundzwanzig_pleb_id' => $this->currentPleb->id,