<?php namespace App\Http\Middleware; use Closure; use Illuminate\Support\Str; use Illuminate\Cache\RateLimiter; use Illuminate\Http\JsonResponse; use Illuminate\Support\InteractsWithTime; class ThrottleRequestsMiddleware { use InteractsWithTime; /** * The rate limiter instance. * * @var \Illuminate\Cache\RateLimiter */ protected $limiter; /** * Create a new request throttler. * * @param \Illuminate\Cache\RateLimiter $limiter */ public function __construct(RateLimiter $limiter) { $this->limiter = $limiter; } /** * Handle an incoming request. * * @param \Illuminate\Http\Request $request * @param \Closure $next * @param int $maxAttempts * @param int $decayMinutes * @return mixed */ public function handle($request, Closure $next, $maxAttempts = 60, $decayMinutes = 1) { $key = $this->resolveRequestSignature($request); $maxAttempts = $this->resolveMaxAttempts($request, $maxAttempts); if ($this->limiter->tooManyAttempts($key, $maxAttempts)) { return $this->buildResponse($key, $maxAttempts); } $this->limiter->hit($key, $decayMinutes); $response = $next($request); return $this->addHeaders( $response, $maxAttempts, $this->calculateRemainingAttempts($key, $maxAttempts) ); } /** * Resolve the number of attempts if the user is authenticated or not. * * @param \Illuminate\Http\Request $request * @param int|string $maxAttempts * @return int */ protected function resolveMaxAttempts($request, $maxAttempts) { if (Str::contains($maxAttempts, '|')) { $maxAttempts = explode('|', $maxAttempts, 2)[$request->user() ? 1 : 0]; } if (! is_numeric($maxAttempts) && $request->user()) { $maxAttempts = $request->user()->{$maxAttempts}; } return (int) $maxAttempts; } /** * Resolve request signature. * * @param \Illuminate\Http\Request $request * @return string */ protected function resolveRequestSignature($request) { if ($user = $request->user()) { return sha1($user->getAuthIdentifier()); } return $request->fingerprint(); } /** * Create a 'too many attempts' response. * * @param string $key * @param int $maxAttempts * @return \Symfony\Component\HttpFoundation\Response */ protected function buildResponse($key, $maxAttempts) { $message = [ 'error' => [ 'message' => config('api.error_codes.34'), 'error_code' => 34, ], ]; $response = new JsonResponse($message, 429); $retryAfter = $this->limiter->availableIn($key); return $this->addHeaders( $response, $maxAttempts, $this->calculateRemainingAttempts($key, $maxAttempts, $retryAfter), $retryAfter ); } /** * Add the limit header information to the given response. * * @param \Symfony\Component\HttpFoundation\Response $response * @param int $maxAttempts * @param int $remainingAttempts * @param int|null $retryAfter * @return \Symfony\Component\HttpFoundation\Response */ protected function addHeaders($response, $maxAttempts, $remainingAttempts, $retryAfter = null) { $response->headers->add( $this->getHeaders($maxAttempts, $remainingAttempts, $retryAfter) ); return $response; } /** * Get the limit headers information. * * @param int $maxAttempts * @param int $remainingAttempts * @param int|null $retryAfter * @return array */ protected function getHeaders($maxAttempts, $remainingAttempts, $retryAfter = null) { $headers = [ 'X-RateLimit-Limit' => $maxAttempts, 'X-RateLimit-Remaining' => $remainingAttempts, ]; if (! is_null($retryAfter)) { $headers['Retry-After'] = $retryAfter; $headers['X-RateLimit-Reset'] = $this->availableAt($retryAfter); } return $headers; } /** * Calculate the number of remaining attempts. * * @param string $key * @param int $maxAttempts * @param int|null $retryAfter * @return int */ protected function calculateRemainingAttempts($key, $maxAttempts, $retryAfter = null) { if (is_null($retryAfter)) { return $this->limiter->retriesLeft($key, $maxAttempts); } return 0; } }