feat: re-implement rate limiting

ace-of-aces · ace-of-aces · commit 123da185c99a · 2025-04-15T18:26:15.000+02:00
diff --git a/config/image-transform-url.php b/config/image-transform-url.php
@@ -61,6 +61,23 @@
         'lifetime' => env('IMAGE_TRANSFORM_CACHE_LIFETIME', 60 * 24 * 7), // 7 days
     ],
 
+    /*
+    |--------------------------------------------------------------------------
+    | Rate Limit
+    |--------------------------------------------------------------------------
+    |
+    | Below you may configure the rate limit which is applied for each image
+    | new transformation by the path and IP address. It is recommended to
+    | set this to a low value, e.g. 2 requests per minute, to prevent
+    | abuse.
+    */
+
+    'rate_limit' => [
+        'enabled' => env('IMAGE_TRANSFORM_RATE_LIMIT_ENABLED', app()->isProduction()),
+        'max_attempts' => env('IMAGE_TRANSFORM_RATE_LIMIT_MAX_REQUESTS', 2),
+        'decay_seconds' => env('IMAGE_TRANSFORM_RATE_LIMIT_DECAY_SECONDS', 60),
+    ],
+
     /*
     |--------------------------------------------------------------------------
     | Response Headers
diff --git a/src/Http/Controllers/ImageTransformerController.php b/src/Http/Controllers/ImageTransformerController.php
@@ -10,6 +10,7 @@
 use Illuminate\Support\Arr;
 use Illuminate\Support\Facades\Cache;
 use Illuminate\Support\Facades\File;
+use Illuminate\Support\Facades\RateLimiter;
 use Illuminate\Support\Facades\Storage;
 use Intervention\Image\Drivers\Gd\Encoders\WebpEncoder;
 use Intervention\Image\Encoders\AutoEncoder;
@@ -49,6 +50,10 @@ public function __invoke(Request $request, string $options, string $path)
             }
         }
 
+        if (config()->boolean('image-transform-url.rate_limit.enabled')) {
+            $this->rateLimit($request, $path);
+        }
+
         $image = Image::read($publicPath);
 
         if (Arr::hasAny($options, ['width', 'height'])) {
@@ -120,6 +125,23 @@ public function __invoke(Request $request, string $options, string $path)
 
     }
 
+    /**
+     * Rate limit the request.
+     */
+    protected function rateLimit(Request $request, string $path): void
+    {
+        $key = 'image-transform-url:'.$request->ip().':'.$path;
+
+        $passed = RateLimiter::attempt(
+            key: $key,
+            maxAttempts: config()->integer('image-transform-url.rate_limit.max_attempts'),
+            callback: fn () => true,
+            decaySeconds: config()->integer('image-transform-url.rate_limit.decay_seconds'),
+        );
+
+        abort_unless($passed, 429, 'Too many requests. Please try again later.');
+    }
+
     /**
      * Parse the given options.
      *
diff --git a/tests/Feature/RateLimitTest.php b/tests/Feature/RateLimitTest.php
@@ -0,0 +1,83 @@
+<?php
+
+declare(strict_types=1);
+
+use AceOfAces\LaravelImageTransformUrl\Tests\TestCase;
+
+beforeEach(function () {
+    Cache::flush();
+    Storage::fake('local');
+});
+
+it('can apply rate limiting to image transformation requests with distinct options', function () {
+    // Set up the rate limit configuration
+    config()->set('image-transform-url.rate_limit.enabled', true);
+    config()->set('image-transform-url.rate_limit.max_attempts', 2);
+    config()->set('image-transform-url.rate_limit.decay_seconds', 60);
+
+    /** @var TestCase $this */
+    $firstResponse = $this->get(route('image.transform', [
+        'options' => 'width=100',
+        'path' => 'cat.jpg',
+    ]));
+
+    expect($firstResponse)->toBeImage([
+        'width' => 100,
+        'mime' => 'image/jpeg',
+    ]);
+
+    $secondResponse = $this->get(route('image.transform', [
+        'options' => 'width=200',
+        'path' => 'cat.jpg',
+    ]));
+
+    expect($secondResponse)->toBeImage([
+        'width' => 200,
+        'mime' => 'image/jpeg',
+    ]);
+
+    $thirdResponse = $this->get(route('image.transform', [
+        'options' => 'width=300',
+        'path' => 'cat.jpg',
+    ]));
+
+    $thirdResponse->assertTooManyRequests();
+});
+
+it('does not apply rate limiting to image transformations with identical options', function () {
+    // Set up the rate limit configuration
+    config()->set('image-transform-url.rate_limit.enabled', true);
+    config()->set('image-transform-url.rate_limit.max_attempts', 2);
+    config()->set('image-transform-url.rate_limit.decay_seconds', 60);
+
+    /** @var TestCase $this */
+    $firstResponse = $this->get(route('image.transform', [
+        'options' => 'width=100',
+        'path' => 'cat.jpg',
+    ]));
+
+    expect($firstResponse)->toBeImage([
+        'width' => 100,
+        'mime' => 'image/jpeg',
+    ]);
+
+    $secondResponse = $this->get(route('image.transform', [
+        'options' => 'width=100',
+        'path' => 'cat.jpg',
+    ]));
+
+    expect($secondResponse)->toBeImage([
+        'width' => 100,
+        'mime' => 'image/jpeg',
+    ]);
+
+    $thirdResponse = $this->get(route('image.transform', [
+        'options' => 'width=100',
+        'path' => 'cat.jpg',
+    ]));
+
+    expect($thirdResponse)->toBeImage([
+        'width' => 100,
+        'mime' => 'image/jpeg',
+    ]);
+});
