mirror of
https://github.com/AnimeThemes/animethemes-server.git
synced 2026-07-11 09:34:50 +02:00
80 lines
2.3 KiB
PHP
80 lines
2.3 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Http\Middleware\GraphQL;
|
|
|
|
use App\Enums\Auth\SpecialPermission;
|
|
use App\Models\Auth\User;
|
|
use Closure;
|
|
use GraphQL\Language\AST\OperationDefinitionNode;
|
|
use GraphQL\Language\Parser;
|
|
use Illuminate\Http\JsonResponse;
|
|
use Illuminate\Http\Request;
|
|
use Illuminate\Support\Facades\Auth;
|
|
use Illuminate\Support\Facades\RateLimiter;
|
|
use JsonException;
|
|
|
|
class RateLimitPerQuery
|
|
{
|
|
/**
|
|
* @param Closure(Request): mixed $next
|
|
*/
|
|
public function handle(Request $request, Closure $next): mixed
|
|
{
|
|
$user = Auth::user();
|
|
$query = $request->input('query');
|
|
$ip = $request->ip();
|
|
$forwardedIp = $request->header('x-forwarded-ip');
|
|
|
|
// (If request is from client and no forwarded ip) or (the user logged in has permission to bypass API rate limiting)
|
|
/** @phpstan-ignore-next-line */
|
|
if (($ip === '127.0.0.1' && ! $forwardedIp) || ($user?->can(SpecialPermission::BYPASS_GRAPHQL_RATE_LIMITER->value))) {
|
|
return $next($request);
|
|
}
|
|
|
|
// Check if request is from client to prevent users from using forwarded ip
|
|
if ($ip === '127.0.0.1' && $forwardedIp) {
|
|
$ip = $forwardedIp;
|
|
}
|
|
|
|
if ($query) {
|
|
try {
|
|
$ast = Parser::parse($query);
|
|
} catch (JsonException) {
|
|
return $next($request);
|
|
}
|
|
|
|
$rootFields = 0;
|
|
|
|
foreach ($ast->definitions as $definition) {
|
|
if ($definition instanceof OperationDefinitionNode) {
|
|
$rootFields += count($definition->selectionSet->selections ?? []);
|
|
}
|
|
}
|
|
|
|
$hits = max(1, $rootFields);
|
|
|
|
$key = sprintf('graphql:%s', Auth::id() ?? $ip);
|
|
|
|
foreach (range(1, $hits) as $_) {
|
|
if (RateLimiter::tooManyAttempts($key, 80)) {
|
|
return new JsonResponse([
|
|
'message' => 'Too many requests',
|
|
], 429);
|
|
}
|
|
|
|
RateLimiter::hit($key);
|
|
}
|
|
|
|
return $next($request)
|
|
->withHeaders([
|
|
'X-RateLimit-Limit' => 80,
|
|
'X-RateLimit-Remaining' => RateLimiter::remaining($key, 80),
|
|
]);
|
|
}
|
|
|
|
return $next($request);
|
|
}
|
|
}
|