einundzwanzig/einundzwanzig-verein
1
0
Fork 0
mirror of https://github.com/HolgerHatGarKeineNode/einundzwanzig-nostr.git synced 2026-02-15 03:23:17 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
0639c1a65682bb38150a18bba61c994db1917263
einundzwanzig-verein/tests/Feature/RateLimitingTest.php
vk 9faae15212 [P1 Security] Rate Limiting für API-Routes und Livewire-Actions (vibe-kanban e1f85c61) 
## Security Audit: Fehlendes Rate Limiting

### Problem
Die Anwendung hat **kein Rate Limiting** auf API-Routes oder Livewire-Actions. Das ermöglicht:
- Brute-Force-Angriffe auf Authentication-Endpoints
- Denial-of-Service durch massenhaftes Aufrufen von API-Endpoints
- Vote-Manipulation durch schnelle, wiederholte Requests
- Ressourcen-Erschöpfung durch unkontrollierte Datenbankabfragen

### Betroffene Endpoints

**API-Routes (`routes/api.php`):**
```php
Route::get('/nostr/profile/{key}', GetProfile::class);  // kein Rate Limit
Route::get('/members/{year}', GetPaidMembers::class);    // kein Rate Limit
```

**Kritische Livewire-Actions (kein Throttling):**
- Voting auf ProjectProposals (`association/project-support/show`)
- Login via Nostr (`handleNostrLogin`)
- ProjectProposal-Erstellung
- Election Voting

### Lösung

**1. API Rate Limiting in `bootstrap/app.php`:**
Nutze Laravel 12's Middleware-Konfiguration um Rate Limiting zu aktivieren:

```php
->withMiddleware(function (Middleware $middleware) {
    $middleware->api(prepend: [
        \Illuminate\Routing\Middleware\ThrottleRequests::class.':api',
    ]);
})
```

Und definiere den `api` Rate Limiter in `app/Providers/AppServiceProvider.php`:

```php
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Support\Facades\RateLimiter;

public function boot(): void
{
    RateLimiter::for('api', function (Request $request) {
        return Limit::perMinute(60)->by($request->ip());
    });
}
```

**2. Livewire Action Throttling:**
Nutze Livewire's `#[Throttle]` Attribut auf sensiblen Actions. Suche in der Livewire-Dokumentation nach der korrekten v4-Syntax mit `search-docs`:
- `queries: ['throttle', 'rate limiting']`
- `packages: ['livewire/livewire']`

Wende Throttling an auf:
- Vote-Submit-Methoden in den ProjectSupport-Components
- Login-Handler (`handleNostrLogin` in `WithNostrAuth` Trait)
- ProjectProposal Create/Update Actions

**3. Zusätzlicher Custom Rate Limiter für Voting:**

```php
RateLimiter::for('voting', function (Request $request) {
    return Limit::perMinute(10)->by($request->ip());
});
```

### Betroffene Dateien
- `bootstrap/app.php` – Middleware-Konfiguration (Rate Limit Middleware hinzufügen)
- `app/Providers/AppServiceProvider.php` – RateLimiter Definitionen
- `routes/api.php` – Rate Limit Middleware anwenden
- `app/Livewire/Traits/WithNostrAuth.php` – Throttle auf `handleNostrLogin`
- Livewire-Components in `app/Livewire/Association/ProjectSupport/` – Throttle auf Vote/Create Actions

### Vorgehen
1. `search-docs` nutzen für: `['rate limiting', 'throttle']` (Laravel) und `['throttle']` (Livewire)
2. Rate Limiter in AppServiceProvider definieren
3. API-Middleware in `bootstrap/app.php` konfigurieren
4. Livewire-Actions mit Throttle versehen
5. Pest-Tests schreiben, die verifizieren dass Rate Limiting greift (429 Response bei Überschreitung)
6. `vendor/bin/pint --dirty` und `php artisan test --compact`

### Akzeptanzkriterien
- API-Routes geben HTTP 429 nach 60 Requests/Minute zurück
- Voting-Actions sind auf max. 10/Minute limitiert
- Login-Attempts sind throttled
- Tests verifizieren Rate Limiting Verhalten
2026-02-11 21:13:36 +01:00

120 lines
3.7 KiB
PHP
Raw Blame History

<?php
use App\Models\EinundzwanzigPleb;
use App\Models\ProjectProposal;
use App\Support\NostrAuth;
use Illuminate\Support\Facades\RateLimiter;
use Livewire\Livewire;
beforeEach(function () {
RateLimiter::clear('api');
RateLimiter::clear('voting');
RateLimiter::clear('nostr-login');
});
test('api routes return 429 after exceeding rate limit', function () {
for ($i = 0; $i < 60; $i++) {
$this->getJson('/api/members/2024')->assertSuccessful();
}
$this->getJson('/api/members/2024')->assertStatus(429);
});
test('api routes include rate limit headers', function () {
$response = $this->getJson('/api/members/2024');
$response->assertSuccessful();
$response->assertHeader('X-RateLimit-Limit', 60);
$response->assertHeader('X-RateLimit-Remaining');
});
test('nostr profile api route is rate limited', function () {
for ($i = 0; $i < 60; $i++) {
$this->getJson('/api/nostr/profile/testkey'.$i);
}
$this->getJson('/api/nostr/profile/testkey')->assertStatus(429);
});
test('voting actions are rate limited after 10 attempts', function () {
$pleb = EinundzwanzigPleb::factory()->create();
$project = ProjectProposal::factory()->create();
NostrAuth::login($pleb->pubkey);
for ($i = 0; $i < 10; $i++) {
RateLimiter::attempt('voting:127.0.0.1', 10, function () {});
}
Livewire::test('association.project-support.show', ['projectProposal' => $project->slug])
->call('handleApprove')
->assertStatus(429);
});
test('nostr login is rate limited after 10 attempts', function () {
$pleb = EinundzwanzigPleb::factory()->create();
for ($i = 0; $i < 10; $i++) {
RateLimiter::attempt('nostr-login:127.0.0.1', 10, function () {});
}
Livewire::test('association.project-support.index')
->call('handleNostrLogin', $pleb->pubkey)
->assertStatus(429);
});
test('project proposal creation is rate limited after 5 attempts', function () {
$pleb = EinundzwanzigPleb::factory()->active()->withPaidCurrentYear()->create();
NostrAuth::login($pleb->pubkey);
for ($i = 0; $i < 5; $i++) {
RateLimiter::attempt('project-proposal-create:127.0.0.1', 5, function () {});
}
Livewire::test('association.project-support.form.create')
->set('form.name', 'Test Project')
->set('form.description', 'Test Description')
->set('form.support_in_sats', 21000)
->set('form.website', 'https://example.com')
->call('save')
->assertStatus(429);
});
test('project proposal update is rate limited after 5 attempts', function () {
$pleb = EinundzwanzigPleb::factory()->create();
$project = ProjectProposal::factory()->create([
'einundzwanzig_pleb_id' => $pleb->id,
]);
NostrAuth::login($pleb->pubkey);
for ($i = 0; $i < 5; $i++) {
RateLimiter::attempt('project-proposal-update:127.0.0.1', 5, function () {});
}
Livewire::test('association.project-support.form.edit', ['projectProposal' => $project->slug])
->set('form.name', 'Updated Name')
->call('update')
->assertStatus(429);
});
test('voting works within rate limit', function () {
$pleb = EinundzwanzigPleb::factory()->create();
$project = ProjectProposal::factory()->create();
NostrAuth::login($pleb->pubkey);
Livewire::test('association.project-support.show', ['projectProposal' => $project->slug])
->call('handleApprove')
->assertHasNoErrors();
$vote = \App\Models\Vote::query()
->where('project_proposal_id', $project->id)
->where('einundzwanzig_pleb_id', $pleb->id)
->first();
expect($vote)->not->toBeNull()
->and($vote->value)->toBeTrue();
});
Reference in New Issue View Git Blame Copy Permalink