antonioribeiro / firewall

Firewall package for Laravel applications
BSD 3-Clause "New" or "Revised" License

Missing headers when comparing to base laravel 429 #184

Open lk77 opened 1 year ago

lk77 commented 1 year ago

Hello,

The firewall does not provide/override some headers that Laravel provides.

Firewall 429 headers:

```http
HTTP/1.1 429 Too Many Requests
[...]
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 53
[...]
```

Those are set by Laravel's ThrottleRequests middleware, but are not overridden by the firewall when under attack.

Laravel throttling 429 headers when the limit is reached in the ThrottleRequests middleware:

```http
HTTP/1.1 429 Too Many Requests
[...]
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
Retry-After: 27
X-RateLimit-Reset: 1670235836
[...]
```

I've overridden Responder::respond to add those headers:

```php
// Inside the overridden Responder::respond(); $response, $data,
// $maxRequestCount and $maxSeconds are the method's inputs.
if ($response['code'] == 429)
{
    return Response::make($response['message'], $response['code'], [
            "Retry-After"           => $maxSeconds,
            "X-RateLimit-Limit"     => $maxRequestCount,
            "X-RateLimit-Remaining" => max($maxRequestCount - $data['ip']['requestCount'], 0),
            // Carbon's timestamp is in seconds, so the offset is added in
            // seconds as well (multiplying by 1000 would give a far-future value).
            'X-RateLimit-Reset'     => \Carbon\Carbon::now()->timestamp + $maxSeconds,
        ]);
}

// Call site: pass the limits through to the responder.
if ($this->isAttack()) {
    return (new Responder())->respond($this->getResponseConfig(), $this->record, $this->maxRequestCount, $this->maxSeconds);
}
```

Expected feature

When under attack, and on a 429 response, override Retry-After and X-RateLimit-* headers according to maxRequestCount and maxSeconds.

And optionally, whether under attack or not, be able to lower X-RateLimit-Remaining if the Laravel throttle's remaining request count is actually higher than the firewall's remaining requests. I'm not sure if it's easily doable though; I'm not sure if calling RateLimiter::remaining is an option inside AttackBlocker.
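One way to compute the header set the request above asks for, as an added example that is not part of the firewall package or of the issue author's code: a pure function that derives Retry-After from the time left in the current window rather than from the full window length, reports the stricter of the firewall's and Laravel's remaining counts, and keeps X-RateLimit-Reset in seconds. The record field names (`requestCount`, `firstRequestAt`) and the idea that the block window starts at the first recorded request are assumptions about the package's internal record, not documented API.

```php
<?php
// Added example, not the firewall package's own code. Field names in
// $ipRecord are assumptions about the shape of the per-IP block record.

function rateLimitHeaders(
    array $ipRecord,              // assumed: ['requestCount' => int, 'firstRequestAt' => unix ts]
    int $maxRequestCount,         // allowed requests per window (maxRequestCount)
    int $maxSeconds,              // window length in seconds (maxSeconds)
    int $now,                     // current unix timestamp, passed in for testability
    ?int $laravelRemaining = null // RateLimiter::remaining(...) if the caller has it
): array {
    // Seconds until the window expires: never negative, never more than a full window.
    $windowStart = $ipRecord['firstRequestAt'] ?? $now;
    $retryAfter  = max(0, min($maxSeconds, $windowStart + $maxSeconds - $now));

    $firewallRemaining = max($maxRequestCount - ($ipRecord['requestCount'] ?? 0), 0);
    // Advertise the stricter limiter so clients back off before either one blocks them.
    $remaining = $laravelRemaining === null
        ? $firewallRemaining
        : min($firewallRemaining, $laravelRemaining);

    return [
        'Retry-After'           => $retryAfter,
        'X-RateLimit-Limit'     => $maxRequestCount,
        'X-RateLimit-Remaining' => $remaining,
        // Unix timestamp in seconds, matching Laravel's own header
        // (Carbon::now()->timestamp is also seconds, so no *1000 factor).
        'X-RateLimit-Reset'     => $now + $retryAfter,
    ];
}

// Constructed sample: the 61st request arrives 33 seconds into a
// 60-request / 60-second window while Laravel's own limiter still has 7 left.
$headers = rateLimitHeaders(
    ['requestCount' => 61, 'firstRequestAt' => 1670235776],
    60,
    60,
    1670235809,
    7
);
var_dump($headers);
// Retry-After => 27, X-RateLimit-Limit => 60,
// X-RateLimit-Remaining => 0, X-RateLimit-Reset => 1670235836
```

The returned array can be handed straight to `Response::make($message, 429, $headers)` from an overridden `Responder::respond()`.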