michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b9437ed68a81b6f907ab0dab5fa0784dd6ae3c12
michaelschiemer/tests/Framework/Http/Middlewares/RateLimitMiddlewareTest.php
Michael Schiemer 55a330b223 Enable Discovery debug logging for production troubleshooting 
- Add DISCOVERY_LOG_LEVEL=debug
- Add DISCOVERY_SHOW_PROGRESS=true
- Temporary changes for debugging InitializerProcessor fixes on production
2025-08-11 20:13:26 +02:00

376 lines
13 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
use App\Framework\Http\Headers;
use App\Framework\Http\HttpRequest;
use App\Framework\Http\HttpResponse;
use App\Framework\Http\Method;
use App\Framework\Http\MiddlewareContext;
use App\Framework\Http\Middlewares\RateLimitMiddleware;
use App\Framework\Http\Next;
use App\Framework\Http\RequestStateManager;
use App\Framework\Http\ResponseManipulator;
use App\Framework\Http\ServerEnvironment;
use App\Framework\Http\Status;
use App\Framework\RateLimit\RateLimitConfig;
use App\Framework\RateLimit\RateLimiter;
use App\Framework\RateLimit\Storage\StorageInterface;
use App\Framework\RateLimit\TimeProvider\TimeProviderInterface;
beforeEach(function () {
// Create test storage
$this->storage = new class () implements StorageInterface {
public array $requests = [];
public array $tokenBuckets = [];
public function getRequestsInWindow(string $key, int $windowStart, int $windowEnd): array
{
if (! isset($this->requests[$key])) {
return [];
}
return array_filter(
$this->requests[$key],
fn ($timestamp) => $timestamp >= $windowStart && $timestamp <= $windowEnd
);
}
public function addRequest(string $key, int $timestamp, int $ttl): void
{
if (! isset($this->requests[$key])) {
$this->requests[$key] = [];
}
$this->requests[$key][] = $timestamp;
}
public function getTokenBucket(string $key): ?\App\Framework\RateLimit\TokenBucket
{
return $this->tokenBuckets[$key] ?? null;
}
public function saveTokenBucket(string $key, \App\Framework\RateLimit\TokenBucket $bucket): void
{
$this->tokenBuckets[$key] = $bucket;
}
public function clear(string $key): void
{
unset($this->requests[$key], $this->tokenBuckets[$key]);
}
public function getBaseline(string $key): ?array
{
// Simple test implementation - return null for no baseline
return null;
}
public function updateBaseline(string $key, int $rate): void
{
// Simple test implementation - do nothing
}
public function reset(): void
{
$this->requests = [];
$this->tokenBuckets = [];
}
};
// Create test time provider
$this->timeProvider = new class () implements TimeProviderInterface {
public int $currentTime = 1000;
public function getCurrentTime(): int
{
return $this->currentTime;
}
public function setTime(int $time): void
{
$this->currentTime = $time;
}
};
$this->rateLimiter = new RateLimiter($this->storage, $this->timeProvider);
$this->responseManipulator = new ResponseManipulator();
$this->config = new RateLimitConfig(
enabled: true,
requestsPerMinute: 10,
windowSize: 60.0,
trustedIps: ['192.168.1.100'],
exemptPaths: ['/health']
);
$this->middleware = new RateLimitMiddleware(
$this->rateLimiter,
$this->responseManipulator,
$this->config
);
// Create test request
$this->request = new HttpRequest(
method: Method::GET,
path: '/api/test'
);
$this->stateManager = new RequestStateManager(new WeakMap(), $this->request);
$this->context = new MiddlewareContext($this->request);
});
afterEach(function () {
$this->storage->reset();
$this->timeProvider->setTime(1000);
});
it('allows requests within rate limit', function () {
$next = new class () implements Next {
public function __invoke(MiddlewareContext $context): MiddlewareContext
{
return $context->withResponse(new HttpResponse(Status::OK, new Headers(), 'success'));
}
};
$result = $this->middleware->__invoke($this->context, $next, $this->stateManager);
expect($result->hasResponse())->toBeTrue();
expect($result->response->status)->toBe(Status::OK);
expect($result->response->body)->toBe('success');
// Check rate limit headers
expect($result->response->headers->has('X-RateLimit-Limit'))->toBeTrue();
expect($result->response->headers->has('X-RateLimit-Remaining'))->toBeTrue();
expect($result->response->headers->has('X-RateLimit-Reset'))->toBeTrue();
});
it('blocks requests exceeding rate limit', function () {
$next = new class () implements Next {
public function __invoke(MiddlewareContext $context): MiddlewareContext
{
return $context->withResponse(new HttpResponse(Status::OK, new Headers(), 'should not reach'));
}
};
// Fill up the rate limit by making actual middleware calls
for ($i = 0; $i < 10; $i++) {
$this->middleware->__invoke($this->context, $next, $this->stateManager);
}
// This should be blocked
$result = $this->middleware->__invoke($this->context, $next, $this->stateManager);
expect($result->hasResponse())->toBeTrue();
expect($result->response->status)->toBe(Status::TOO_MANY_REQUESTS);
// Check rate limit headers
expect($result->response->headers->getFirst('X-RateLimit-Limit'))->toBe('10');
expect($result->response->headers->getFirst('X-RateLimit-Remaining'))->toBe('0');
expect($result->response->headers->has('Retry-After'))->toBeTrue();
// Check JSON response body
$body = json_decode($result->response->body, true);
expect($body['error'])->toBe('Rate limit exceeded');
expect($body['limit'])->toBe(10);
});
it('applies same limit to all endpoints', function () {
// Test /login endpoint with regular limit (10 requests)
$loginRequest = new HttpRequest(method: Method::POST, path: '/login');
$context = new MiddlewareContext($loginRequest);
$stateManager = new RequestStateManager(new WeakMap(), $loginRequest);
$next = new class () implements Next {
public function __invoke(MiddlewareContext $context): MiddlewareContext
{
return $context->withResponse(new HttpResponse(Status::OK, new Headers(), 'success'));
}
};
// Fill up the rate limit by making actual middleware calls
for ($i = 0; $i < 10; $i++) {
$this->middleware->__invoke($context, $next, $stateManager);
}
// This should be blocked
$result = $this->middleware->__invoke($context, $next, $stateManager);
expect($result->response->status)->toBe(Status::TOO_MANY_REQUESTS);
expect($result->response->headers->getFirst('X-RateLimit-Limit'))->toBe('10');
});
it('exempts whitelisted IPs', function () {
// Use exempt IP
$exemptRequest = new HttpRequest(
method: Method::GET,
path: '/api/test',
server: new ServerEnvironment(['REMOTE_ADDR' => '192.168.1.100'])
);
$context = new MiddlewareContext($exemptRequest);
$stateManager = new RequestStateManager(new WeakMap(), $exemptRequest);
// Fill up rate limit for this IP (should be ignored)
for ($i = 0; $i < 15; $i++) {
$this->rateLimiter->checkLimit('ip:192.168.1.100', 10, 60);
}
$next = new class () implements Next {
public function __invoke(MiddlewareContext $context): MiddlewareContext
{
return $context->withResponse(new HttpResponse(Status::OK, new Headers(), 'exempt'));
}
};
$result = $this->middleware->__invoke($context, $next, $stateManager);
expect($result->response->status)->toBe(Status::OK);
expect($result->response->body)->toBe('exempt');
});
it('exempts whitelisted endpoints', function () {
$healthRequest = new HttpRequest(method: Method::GET, path: '/health');
$context = new MiddlewareContext($healthRequest);
$stateManager = new RequestStateManager(new WeakMap(), $healthRequest);
// Fill up rate limit (should be ignored for /health)
for ($i = 0; $i < 15; $i++) {
$this->rateLimiter->checkLimit('ip:127.0.0.1', 10, 60);
}
$next = new class () implements Next {
public function __invoke(MiddlewareContext $context): MiddlewareContext
{
return $context->withResponse(new HttpResponse(Status::OK, new Headers(), 'healthy'));
}
};
$result = $this->middleware->__invoke($context, $next, $stateManager);
expect($result->response->status)->toBe(Status::OK);
expect($result->response->body)->toBe('healthy');
});
it('respects disabled configuration', function () {
$disabledConfig = new RateLimitConfig(enabled: false);
$middleware = new RateLimitMiddleware(
$this->rateLimiter,
$this->responseManipulator,
$disabledConfig
);
// Fill up rate limit
for ($i = 0; $i < 15; $i++) {
$this->rateLimiter->checkLimit('ip:127.0.0.1', 10, 60);
}
$next = new class () implements Next {
public function __invoke(MiddlewareContext $context): MiddlewareContext
{
return $context->withResponse(new HttpResponse(Status::OK, new Headers(), 'disabled'));
}
};
$result = $middleware->__invoke($this->context, $next, $this->stateManager);
expect($result->response->status)->toBe(Status::OK);
expect($result->response->body)->toBe('disabled');
});
it('passes through when no response is set', function () {
$next = new class () implements Next {
public function __invoke(MiddlewareContext $context): MiddlewareContext
{
return $context; // No response set
}
};
$result = $this->middleware->__invoke($this->context, $next, $this->stateManager);
expect($result->hasResponse())->toBeFalse();
});
it('adds correct rate limit headers', function () {
$next = new class () implements Next {
public function __invoke(MiddlewareContext $context): MiddlewareContext
{
return $context->withResponse(new HttpResponse(Status::OK, new Headers(), 'test'));
}
};
$result = $this->middleware->__invoke($this->context, $next, $this->stateManager);
$headers = $result->response->headers;
expect($headers->has('X-RateLimit-Limit'))->toBeTrue();
expect($headers->has('X-RateLimit-Remaining'))->toBeTrue();
expect($headers->has('X-RateLimit-Reset'))->toBeTrue();
expect($headers->getFirst('X-RateLimit-Limit'))->toBe('10');
expect((int) $headers->getFirst('X-RateLimit-Remaining'))->toBeLessThan(10);
expect((int) $headers->getFirst('X-RateLimit-Reset'))->toBeGreaterThan(time());
});
it('handles time window properly', function () {
// Make 9 requests (within limit)
for ($i = 0; $i < 9; $i++) {
$result = $this->rateLimiter->checkLimit('ip:127.0.0.1', 10, 60);
expect($result->isAllowed())->toBeTrue();
}
// 10th request should still be allowed
$next = new class () implements Next {
public function __invoke(MiddlewareContext $context): MiddlewareContext
{
return $context->withResponse(new HttpResponse(Status::OK, new Headers(), 'allowed'));
}
};
$result = $this->middleware->__invoke($this->context, $next, $this->stateManager);
expect($result->response->status)->toBe(Status::OK);
// Move time forward beyond window
$this->timeProvider->setTime(2000); // +1000 seconds
// Should be allowed again after window reset
$result2 = $this->middleware->__invoke($this->context, $next, $this->stateManager);
expect($result2->response->status)->toBe(Status::OK);
});
it('generates different keys for different endpoints', function () {
$config = new RateLimitConfig(
enabled: true,
requestsPerMinute: 5,
windowSize: 60.0
);
$middleware = new RateLimitMiddleware(
$this->rateLimiter,
$this->responseManipulator,
$config
);
$next = new class () implements Next {
public function __invoke(MiddlewareContext $context): MiddlewareContext
{
return $context->withResponse(new HttpResponse(Status::OK, new Headers(), 'test'));
}
};
// Make requests to different endpoints - should each have their own limits
$apiRequest = new HttpRequest(method: Method::GET, path: '/api/users');
$apiContext = new MiddlewareContext($apiRequest);
$apiStateManager = new RequestStateManager(new WeakMap(), $apiRequest);
$webRequest = new HttpRequest(method: Method::GET, path: '/web/dashboard');
$webContext = new MiddlewareContext($webRequest);
$webStateManager = new RequestStateManager(new WeakMap(), $webRequest);
// Both should be allowed since they're different endpoints
$result1 = $middleware->__invoke($apiContext, $next, $apiStateManager);
$result2 = $middleware->__invoke($webContext, $next, $webStateManager);
expect($result1->response->status)->toBe(Status::OK);
expect($result2->response->status)->toBe(Status::OK);
});
Reference in New Issue View Git Blame Copy Permalink