einundzwanzig/einundzwanzig-verein
1
0
Fork 0
mirror of https://github.com/HolgerHatGarKeineNode/einundzwanzig-nostr.git synced 2026-02-15 03:23:17 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
0639c1a65682bb38150a18bba61c994db1917263
einundzwanzig-verein/resources/views/livewire/association/project-support/form/edit.blade.php
vk 9faae15212 [P1 Security] Rate Limiting für API-Routes und Livewire-Actions (vibe-kanban e1f85c61) 
## Security Audit: Fehlendes Rate Limiting

### Problem
Die Anwendung hat **kein Rate Limiting** auf API-Routes oder Livewire-Actions. Das ermöglicht:
- Brute-Force-Angriffe auf Authentication-Endpoints
- Denial-of-Service durch massenhaftes Aufrufen von API-Endpoints
- Vote-Manipulation durch schnelle, wiederholte Requests
- Ressourcen-Erschöpfung durch unkontrollierte Datenbankabfragen

### Betroffene Endpoints

**API-Routes (`routes/api.php`):**
```php
Route::get('/nostr/profile/{key}', GetProfile::class);  // kein Rate Limit
Route::get('/members/{year}', GetPaidMembers::class);    // kein Rate Limit
```

**Kritische Livewire-Actions (kein Throttling):**
- Voting auf ProjectProposals (`association/project-support/show`)
- Login via Nostr (`handleNostrLogin`)
- ProjectProposal-Erstellung
- Election Voting

### Lösung

**1. API Rate Limiting in `bootstrap/app.php`:**
Nutze Laravel 12's Middleware-Konfiguration um Rate Limiting zu aktivieren:

```php
->withMiddleware(function (Middleware $middleware) {
    $middleware->api(prepend: [
        \Illuminate\Routing\Middleware\ThrottleRequests::class.':api',
    ]);
})
```

Und definiere den `api` Rate Limiter in `app/Providers/AppServiceProvider.php`:

```php
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Support\Facades\RateLimiter;

public function boot(): void
{
    RateLimiter::for('api', function (Request $request) {
        return Limit::perMinute(60)->by($request->ip());
    });
}
```

**2. Livewire Action Throttling:**
Nutze Livewire's `#[Throttle]` Attribut auf sensiblen Actions. Suche in der Livewire-Dokumentation nach der korrekten v4-Syntax mit `search-docs`:
- `queries: ['throttle', 'rate limiting']`
- `packages: ['livewire/livewire']`

Wende Throttling an auf:
- Vote-Submit-Methoden in den ProjectSupport-Components
- Login-Handler (`handleNostrLogin` in `WithNostrAuth` Trait)
- ProjectProposal Create/Update Actions

**3. Zusätzlicher Custom Rate Limiter für Voting:**

```php
RateLimiter::for('voting', function (Request $request) {
    return Limit::perMinute(10)->by($request->ip());
});
```

### Betroffene Dateien
- `bootstrap/app.php` – Middleware-Konfiguration (Rate Limit Middleware hinzufügen)
- `app/Providers/AppServiceProvider.php` – RateLimiter Definitionen
- `routes/api.php` – Rate Limit Middleware anwenden
- `app/Livewire/Traits/WithNostrAuth.php` – Throttle auf `handleNostrLogin`
- Livewire-Components in `app/Livewire/Association/ProjectSupport/` – Throttle auf Vote/Create Actions

### Vorgehen
1. `search-docs` nutzen für: `['rate limiting', 'throttle']` (Laravel) und `['throttle']` (Livewire)
2. Rate Limiter in AppServiceProvider definieren
3. API-Middleware in `bootstrap/app.php` konfigurieren
4. Livewire-Actions mit Throttle versehen
5. Pest-Tests schreiben, die verifizieren dass Rate Limiting greift (429 Response bei Überschreitung)
6. `vendor/bin/pint --dirty` und `php artisan test --compact`

### Akzeptanzkriterien
- API-Routes geben HTTP 429 nach 60 Requests/Minute zurück
- Voting-Actions sind auf max. 10/Minute limitiert
- Login-Attempts sind throttled
- Tests verifizieren Rate Limiting Verhalten
2026-02-11 21:13:36 +01:00

266 lines
12 KiB
PHP
Raw Blame History

<?php
use App\Models\ProjectProposal;
use App\Support\NostrAuth;
use Illuminate\Support\Facades\RateLimiter;
use Livewire\Attributes\Layout;
use Livewire\Attributes\Locked;
use Livewire\Attributes\Title;
use Livewire\Component;
use Livewire\WithFileUploads;
new
#[Layout('layouts.app')]
#[Title('Projektförderung bearbeiten')]
class extends Component
{
use WithFileUploads;
#[Locked]
public ProjectProposal $project;
public array $form = [
'name' => '',
'description' => '',
'support_in_sats' => '',
'website' => '',
'accepted' => false,
'sats_paid' => 0,
];
public $file = null;
#[Locked]
public bool $isAllowed = false;
#[Locked]
public bool $isAdmin = false;
public function mount($projectProposal): void
{
$this->project = ProjectProposal::query()->where('slug', $projectProposal)->firstOrFail();
if (NostrAuth::check()) {
$currentPubkey = NostrAuth::pubkey();
$currentPleb = \App\Models\EinundzwanzigPleb::query()->where('pubkey', $currentPubkey)->first();
if (
(
$currentPleb
&& $currentPleb->id === $this->project->einundzwanzig_pleb_id
)
|| in_array($currentPleb->npub, config('einundzwanzig.config.current_board'))
) {
$this->isAllowed = true;
$this->form = [
'name' => $this->project->name,
'description' => $this->project->description,
'support_in_sats' => (string) $this->project->support_in_sats,
'website' => $this->project->website ?? '',
'accepted' => (bool) $this->project->accepted,
'sats_paid' => $this->project->sats_paid,
];
}
if ($currentPleb && in_array($currentPleb->npub, config('einundzwanzig.config.current_board'), true)) {
$this->isAdmin = true;
}
}
}
public function deleteMainImage(): void
{
if ($this->project->getFirstMedia('main')) {
$this->project->getFirstMedia('main')->delete();
}
}
public function removeFile(): void
{
if ($this->file) {
$this->file->delete();
$this->file = null;
}
}
public function update(): void
{
$executed = RateLimiter::attempt(
'project-proposal-update:'.request()->ip(),
5,
function () {},
);
if (! $executed) {
abort(429, 'Too many requests.');
}
$this->validate([
'form.name' => 'required|string|max:255',
'form.description' => 'required|string',
'form.support_in_sats' => 'required|integer|min:0',
'form.website' => 'required|url|max:255',
'file' => 'nullable|file|mimes:jpeg,png,jpg,gif,webp|mimetypes:image/jpeg,image/png,image/gif,image/webp|max:10240',
]);
$this->project->update([
'name' => $this->form['name'],
'description' => $this->form['description'],
'support_in_sats' => (int) $this->form['support_in_sats'],
'website' => $this->form['website'],
'accepted' => $this->isAdmin ? (bool) $this->form['accepted'] : $this->project->accepted,
'sats_paid' => $this->isAdmin ? $this->form['sats_paid'] : $this->project->sats_paid,
]);
if ($this->file) {
$this->project->addMedia($this->file)->toMediaCollection('main');
}
$this->redirectRoute('association.projectSupport.item', $this->project);
}
};
?>
<div>
@if($isAllowed)
<div class="px-4 sm:px-6 lg:px-8 py-8 w-full max-w-9xl mx-auto">
<div
class="flex flex-col md:flex-row items-center mb-6 space-y-4 md:space-y-0 md:space-x-4">
<div class="flex items-center justify-between w-full">
<h1 class="text-2xl md:text-3xl text-zinc-800 dark:text-zinc-100 font-bold">
Projektförderungs-Antrag bearbeiten
</h1>
<flux:button :href="route('association.projectSupport')" variant="ghost" icon="arrow-left">
Zurück
</flux:button>
</div>
</div>
<div class="grid grid-cols-1 lg:grid-cols-3 gap-6">
<!-- Left column - Form -->
<div class="lg:col-span-2">
<flux:card>
<flux:fieldset>
<flux:legend>Formular</flux:legend>
<div class="space-y-4">
<div>
<flux:field>
<flux:label>Name</flux:label>
<flux:input wire:model="form.name" placeholder="Projektname" />
<flux:error name="form.name" />
</flux:field>
</div>
<div>
<flux:field>
<flux:label>Website</flux:label>
<flux:input wire:model="form.website" type="url" placeholder="https://example.com" />
<flux:error name="form.website" />
</flux:field>
</div>
<div>
<flux:field>
<flux:label>Unterstützung (Sats)</flux:label>
<flux:input wire:model="form.support_in_sats" type="number" placeholder="100000" />
<flux:error name="form.support_in_sats" />
</flux:field>
</div>
<div>
<flux:field>
<flux:label>Bild</flux:label>
<flux:file-upload wire:model="file" label="Bild hochladen">
<flux:file-upload.dropzone
heading="Bild hier ablegen oder zum Durchsuchen klicken"
text="JPG, PNG, GIF, WebP bis zu 10MB"
/>
</flux:file-upload>
<flux:error name="file" />
@if($file)
<div class="mt-4 flex flex-col gap-2">
<flux:file-item
:heading="$file->getClientOriginalName()"
:image="$file->temporaryUrl()"
:size="$file->getSize()"
>
<x-slot name="actions">
<flux:file-item.remove wire:click="removeFile" />
</x-slot>
</flux:file-item>
</div>
@endif
</flux:field>
@if($project->getFirstMedia('main'))
<div class="mt-4">
<flux:file-item
:heading="$project->getFirstMedia('main')->file_name"
:image="$project->getSignedMediaUrl('main')"
:size="$project->getFirstMedia('main')->size"
>
<x-slot name="actions">
<flux:file-item.remove wire:click="deleteMainImage" />
</x-slot>
</flux:file-item>
</div>
@endif
</div>
<div>
<flux:editor wire:model="form.description" label="Beschreibung" description="Projektbeschreibung..." />
<flux:error name="form.description" />
</div>
@if($isAdmin)
<flux:separator />
<flux:heading level="3" class="text-sm font-semibold uppercase tracking-wide text-zinc-500 dark:text-zinc-400">Admin Felder</flux:heading>
<div class="space-y-3 mt-3">
<flux:field>
<flux:label>Akzeptiert</flux:label>
<flux:switch wire:model="form.accepted" />
</flux:field>
<flux:field>
<flux:label>Sats bezahlt</flux:label>
<flux:input type="number" wire:model="form.sats_paid" />
</flux:field>
</div>
@endif
<flux:button wire:click="update" wire:loading.attr="disabled" variant="primary" class="w-full mt-4">
Speichern
</flux:button>
</div>
</flux:fieldset>
</flux:card>
</div>
<!-- Right column - Information -->
<div>
<flux:card>
<flux:heading level="2">Information</flux:heading>
<p class="text-sm text-zinc-800 dark:text-zinc-100 mt-4">
Bearbeite die Projektförderung und speichere deine Änderungen.
</p>
</flux:card>
</div>
</div>
</div>
@else
<div class="px-4 sm:px-6 lg:px-8 py-8 w-full max-w-9xl mx-auto">
<flux:callout variant="warning" icon="exclamation-circle">
<flux:heading>Projektförderung kann nicht bearbeitet werden</flux:heading>
<p>Um diese Projektförderung zu bearbeiten, musst du entweder:</p>
<ul class="list-disc ml-5 mt-2 space-y-1">
<li>Der Ersteller dieser Projektförderung sein</li>
<li>Ein Mitglied des aktuellen Vorstands sein</li>
</ul>
<p class="mt-3">
@if(!NostrAuth::check())
Bitte melde dich zunächst mit Nostr an.
@else
Bitte kontaktiere den Vorstand, wenn du denkst, dass du berechtigt sein solltest.
@endif
</p>
</flux:callout>
</div>
@endif
</div>
Reference in New Issue View Git Blame Copy Permalink