feat: Rate limiters for contact and custom form submissions

roadiz · Feb 17, 2022 · 70a28f0 · 70a28f0
1 parent 63977d2
commit 70a28f0
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 3 deletions.
diff --git a/.env b/.env
@@ -50,7 +50,7 @@ DEFAULT_GATEWAY=172.58.0.1
 ###> symfony/lock ###
 # Choose one of the stores below
 # postgresql+advisory://db_user:db_password@localhost/db_name
-LOCK_DSN=semaphore
+LOCK_DSN=flock
 ###< symfony/lock ###
 
 ###> rezozero/intervention-request-bundle ###

diff --git a/config/packages/cache.yaml b/config/packages/cache.yaml
@@ -15,5 +15,7 @@ framework:
         #app: cache.adapter.apcu
 
         # Namespaced pools use the above "app" backend by default
-        #pools:
+        pools:
+            cache.contact_form_limiter: ~
+            cache.custom_form_limiter: ~
             #my.dedicated.cache: null
diff --git a/config/packages/framework.yaml b/config/packages/framework.yaml
@@ -18,7 +18,17 @@ framework:
     php_errors:
         log: true
 
-    rate_limiter: ~
+    rate_limiter:
+        contact_form:
+            policy: 'token_bucket'
+            limit: 10
+            rate: { interval: '1 minutes', amount: 5 }
+            cache_pool: 'cache.contact_form_limiter'
+        custom_form:
+            policy: 'token_bucket'
+            limit: 10
+            rate: { interval: '1 minutes', amount: 5 }
+            cache_pool: 'cache.custom_form_limiter'
 
     csrf_protection:
         enabled: true

diff --git a/config/packages/security.yaml b/config/packages/security.yaml
@@ -60,5 +60,7 @@ security:
         - { path: ^/rz-admin/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
         - { path: ^/rz-admin, roles: ROLE_BACKEND_USER }
         - { path: ^/api/token, roles: IS_AUTHENTICATED_ANONYMOUSLY }
+        # Allow posting custom_forms
+        - { path: ^/api/custom_forms/(?:[0-9]+)/post, methods: [ POST ], roles: IS_AUTHENTICATED_ANONYMOUSLY }
         - { path: ^/api, roles: ROLE_BACKEND_USER, methods: [ POST, PUT, PATCH, DELETE ] }
         # - { path: ^/profile, roles: ROLE_USER }