16343465380

Committed 17 Jul 2025 11:07AM UTC coverage: 59.224% (-0.6%) from 59.854%

Build # 16343465380

Build Type

push

github

Committed by

web-flow

Commit Message

Merge pull request #23 from daycry/development

Improvements

Coverage Stats

57 of 292 new or added lines in 16 files covered. (19.52%)

6 existing lines in 4 files now uncovered.

1939 of 3274 relevant lines covered (59.22%)

22.81 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

0.0

/src/Filters/RatesFilter.php

<?php

declare(strict_types=1);

/**
 * This file is part of Daycry Auth.
 *
 * (c) Daycry <daycry9@proton.me>
 *
 * For the full copyright and license information, please view
 * the LICENSE file that was distributed with this source code.
 */

namespace Daycry\Auth\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\IncomingRequest;
use CodeIgniter\HTTP\RedirectResponse;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;
use Config\Services;
use Daycry\Auth\Entities\Endpoint;

/**
 * Auth Rate-Limiting Filter.
 *
 * Provides rated limiting intended for routes.
 */
class RatesFilter implements FilterInterface
{
    /**
     * Intened for use on auth form pages to restrict the number
     * of attempts that can be generated. Restricts it to 10 attempts
     * per minute, which is what auth0 uses.
     *
     * @see https://auth0.com/docs/troubleshoot/customer-support/operational-policies/rate-limit-policy/database-connections-rate-limits
     *
     * @param array|null $arguments
     *
     * @return RedirectResponse|void
     */
    public function before(RequestInterface $request, $arguments = null)
    {
        if (! $request instanceof IncomingRequest) {
            return;
        }

        helper('checkEndpoint');

        $throttler = service('throttler');
        $router    = Services::router();

        $endpoint = checkEndpoint();

        $limit = service('settings')->get('Auth.requestLimit') ?? 10;
        $time  = service('settings')->get('Auth.timeLimit') ?? 60;

        if ($endpoint instanceof Endpoint) {
            $limit = $endpoint->limit ?: $limit;
            $time  = $endpoint->time ?: $time;
        }

        $limitMethod = service('settings')->get('Auth.limitMethod') ?? 'ROUTED_URL';
        $limited_uri = $this->buildLimitedUri($request, $router, $limitMethod);

        $ignoreLimits = false;
        if ($userId = auth()->id()) {
            $ignoreLimits = auth()->user()->ignore_rates ?? false;
        }

        // Restrict requests based on the configured method and limits
        if (! $ignoreLimits && $throttler->check(md5($limited_uri), $limit, $time, 1) === false) {
            return service('response')->setStatusCode(
                429,
                lang('Auth.throttled', [$throttler->getTokenTime()]), // message
            );
        }
    }

    /**
     * Build the URI used for rate limiting based on the configured method
     *
     * @param mixed $router
     */
    private function buildLimitedUri(RequestInterface $request, $router, string $limitMethod): string
    {
        switch ($limitMethod) {
            case 'IP_ADDRESS':
                return 'ip-address:' . $request->getIPAddress();

            case 'USER':
                $username = auth()->user()->username ?? 'anonymous';

                return 'user:' . $username;

            case 'METHOD_NAME':
                return 'method-name:' . $router->controllerName() . '::' . $router->methodName();

            case 'ROUTED_URL':
            default:
                return 'uri:' . $request->getUri()->getPath() . ':' . $request->getMethod();
        }
    }

    /**
     * We don't have anything to do here.
     *
     * @param array|null $arguments
     */
    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null): void
    {
        // Nothing required
    }
}

1	<?php
2
3	declare(strict_types=1);
4
5	/**
6	* This file is part of Daycry Auth.
7	*
8	* (c) Daycry <daycry9@proton.me>
9	*
10	* For the full copyright and license information, please view
11	* the LICENSE file that was distributed with this source code.
12	*/
13
14	namespace Daycry\Auth\Filters;
15
16	use CodeIgniter\Filters\FilterInterface;
17	use CodeIgniter\HTTP\IncomingRequest;
18	use CodeIgniter\HTTP\RedirectResponse;
19	use CodeIgniter\HTTP\RequestInterface;
20	use CodeIgniter\HTTP\ResponseInterface;
21	use Config\Services;
22	use Daycry\Auth\Entities\Endpoint;
23
24	/**
25	* Auth Rate-Limiting Filter.
26	*
27	* Provides rated limiting intended for routes.
28	*/
29	class RatesFilter implements FilterInterface
30	{
31	/**
32	* Intened for use on auth form pages to restrict the number
33	* of attempts that can be generated. Restricts it to 10 attempts
34	* per minute, which is what auth0 uses.
35	*
36	* @see https://auth0.com/docs/troubleshoot/customer-support/operational-policies/rate-limit-policy/database-connections-rate-limits
37	*
38	* @param array\|null $arguments
39	*
40	* @return RedirectResponse\|void
41	*/
42	public function before(RequestInterface $request, $arguments = null)
43	{
44	if (! $request instanceof IncomingRequest) {	×
45	return;	×
46	}
47
48	helper('checkEndpoint');	×
49
50	$throttler = service('throttler');	×
51	$router = Services::router();	×
52
53	$endpoint = checkEndpoint();	×
54
NEW 55	$limit = service('settings')->get('Auth.requestLimit') ?? 10;	×
NEW 56	$time = service('settings')->get('Auth.timeLimit') ?? 60;	×
57
58	if ($endpoint instanceof Endpoint) {	×
NEW 59	$limit = $endpoint->limit ?: $limit;	×
NEW 60	$time = $endpoint->time ?: $time;	×
61	}
62
NEW 63	$limitMethod = service('settings')->get('Auth.limitMethod') ?? 'ROUTED_URL';	×
NEW 64	$limited_uri = $this->buildLimitedUri($request, $router, $limitMethod);	×
65
NEW 66	$ignoreLimits = false;	×
67	if ($userId = auth()->id()) {	×
NEW 68	$ignoreLimits = auth()->user()->ignore_rates ?? false;	×
69	}
70
71	// Restrict requests based on the configured method and limits
UNCOV 72	if (! $ignoreLimits && $throttler->check(md5($limited_uri), $limit, $time, 1) === false) {	×
73	return service('response')->setStatusCode(	×
74	429,	×
75	lang('Auth.throttled', [$throttler->getTokenTime()]), // message	×
76	);	×
77	}
78	}
79
80	/**
81	* Build the URI used for rate limiting based on the configured method
82	*
83	* @param mixed $router
84	*/
85	private function buildLimitedUri(RequestInterface $request, $router, string $limitMethod): string
86	{
87	switch ($limitMethod) {
NEW 88	case 'IP_ADDRESS':	×
NEW 89	return 'ip-address:' . $request->getIPAddress();	×
90
NEW 91	case 'USER':	×
NEW 92	$username = auth()->user()->username ?? 'anonymous';	×
93
NEW 94	return 'user:' . $username;	×
95
NEW 96	case 'METHOD_NAME':	×
NEW 97	return 'method-name:' . $router->controllerName() . '::' . $router->methodName();	×
98
NEW 99	case 'ROUTED_URL':	×
100	default:
NEW 101	return 'uri:' . $request->getUri()->getPath() . ':' . $request->getMethod();	×
102	}
103	}
104
105	/**
106	* We don't have anything to do here.
107	*
108	* @param array\|null $arguments
109	*/
110	public function after(RequestInterface $request, ResponseInterface $response, $arguments = null): void
111	{
112	// Nothing required
113	}	×
114	}

daycry / auth / 16343465380

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous