magento / magento2

http://www.magento.com
Open Software License 3.0

Rate limiting not working #39325

Closed devchris79 closed 2 weeks ago

devchris79 commented 2 weeks ago

Preconditions and environment

Steps to reproduce

Turn on rate limiting to reduce carding attack severity (Stores->Configuration->Sales->Sales->Rate limiting). Settings as below:

(screenshot of the Rate limiting settings)

Expected result

When a guest attempts to place orders a 1 hour pause is put in place after 10 failed attempts, helping to reduce carding.

Actual result

I am seeing log entries saying that the rate limiting isn't working:

[2024-11-01T12:58:26.766321+00:00] main.ERROR: Backpressure sliding window not applied. Invalid request logger type: [] []
[2024-11-03T01:26:12.851250+00:00] main.ERROR: Backpressure sliding window not applied. Invalid request logger type: [] []
[2024-11-04T01:31:54.983504+00:00] main.ERROR: Backpressure sliding window not applied. Invalid request logger type: [] []
[2024-11-04T01:57:08.217718+00:00] main.ERROR: Backpressure sliding window not applied. Invalid request logger type: [] []

Additional information

I think the error is from the line below: $requestLogger = $this->getRequestLogger();

In /vendor/magento/framework/App/Backpressure/SlidingWindow/SlidingWindowEnforcer.php:79

Release note

No response

Triage and priority
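As an added example (not code from the issue or from Magento): a small Python check that scans Magento's Monolog-format log for the "Backpressure sliding window not applied" entries quoted above, so an operator can tell from the log alone whether the configured rate limit is actually being enforced. The sample lines are constructed from the ones in this report plus one unrelated INFO entry.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the entries quoted in the issue plus one unrelated line.
SAMPLE_LOG = """\
[2024-11-01T12:58:26.766321+00:00] main.ERROR: Backpressure sliding window not applied. Invalid request logger type: [] []
[2024-11-03T01:26:12.851250+00:00] main.ERROR: Backpressure sliding window not applied. Invalid request logger type: [] []
[2024-11-04T01:31:54.983504+00:00] main.INFO: Cron job queued [] []
[2024-11-04T01:57:08.217718+00:00] main.ERROR: Backpressure sliding window not applied. Invalid request logger type: [] []
"""

# Monolog line format used in Magento's var/log/*.log:
#   [ISO-8601 timestamp] channel.LEVEL: message [context] [extra]
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<channel>\w+)\.(?P<level>[A-Z]+): "
    r"(?P<msg>.*?) \[(?P<ctx>.*)\] \[(?P<extra>.*)\]$"
)

BACKPRESSURE_MSG = "Backpressure sliding window not applied"


def parse_line(line):
    """Parse one Monolog line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_backpressure_failures(log_text):
    """Return the ERROR records showing that the sliding window was skipped."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["level"] == "ERROR" and rec["msg"].startswith(BACKPRESSURE_MSG):
            events.append(rec)
    return events


def summarize(log_text):
    """Report whether rate limiting is being enforced, with per-day failure counts."""
    events = find_backpressure_failures(log_text)
    if not events:
        return {"enforced": True, "failures": 0, "per_day": {}}
    per_day = Counter(e["ts"].date().isoformat() for e in events)
    return {
        "enforced": False,
        "failures": len(events),
        "first_seen": events[0]["ts"].isoformat(),
        "last_seen": events[-1]["ts"].isoformat(),
        "per_day": dict(per_day),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Point it at the real var/log/system.log (or exception.log) to confirm the error has stopped after the request logger is configured.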

m2-assistant[bot] commented 2 weeks ago

Hi @devchris79. Thank you for your report. To speed up processing of this issue, make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce.

m2-assistant[bot] commented 2 weeks ago

Hi @engcom-Bravo. Thank you for working on this issue. In order to make sure that the issue has enough information and is ready for development, please read and check the following instructions:

engcom-Bravo commented 2 weeks ago

Hi @devchris79,

Thanks for your report and collaboration.

We have tried to reproduce the issue in the latest 2.4-develop instance and it looks like the expected behaviour of Magento. Could you please refer to this document: https://developer.adobe.com/commerce/webapi/get-started/rate-limiting/#log-contents.

(screenshot attached, taken 2024-11-05 at 09:54:33)

Thanks.

devchris79 commented 2 weeks ago

It would have been better if there was a note in the admin panel that Redis was required and/or a less trivial log entry.

Thanks anyway @engcom-Bravo, I will close this now.