
Security/rate limiting proxy support#1478

Open
Revanza1106 wants to merge 7 commits intoOpenSID:devfrom
Revanza1106:security/rate-limiting-proxy-support

Conversation

@Revanza1106
Contributor

Description

Adds rate limiting to the login and OTP endpoints to prevent brute-force attacks. The implementation supports applications running behind Cloudflare Proxy or a reverse proxy, detecting the real client IP from the proxy headers.

Main Features

  • IP Detection: detects the real IP from CF-Connecting-IP, X-Forwarded-For, X-Real-IP
  • Rate Limiting:
    • Login: 10 attempts per minute per IP + Email
    • OTP: 3 attempts per minute per IP + Email
  • Security: validates IP format, filters private IPs, prevents header injection

Changed Files

  1. app/Helpers/IpAddress.php (new) - proxy IP detection helper
  2. app/Http/Middleware/TrustProxies.php - trusted proxy configuration
  3. app/Providers/RouteServiceProvider.php - login/OTP rate limiters
  4. routes/web.php - apply throttle middleware
  5. .env.example - environment variable configuration
  6. tests/Feature/RateLimitingTest.php - test suite (20 test cases)

Related Issue

  • Solution for the brute-force protection discussed in issue #1410
  • Related to PR #1411

Steps to Reproduce

Before the Change (Bug Reproduction)

  1. Open the /login page
  2. Try to log in with a wrong password 20+ times
  3. Result: every attempt is accepted without any limit → vulnerable to brute force

After the Change (Verification)

  1. Open the /login page
  2. Try to log in with a wrong password 10 times
  3. On the 11th attempt: 429 Too Many Requests
  4. Try to log in with a different email: the request is processed (IP+Email key)
  5. Try with a CF-Connecting-IP header: the IP is detected correctly

Manual Test Command

# Test rate limiting
for i in {1..15}; do
  curl -X POST http://localhost:8000/login \
    -d "email=test@example.com&password=wrong" \
    -w "\nStatus: %{http_code}\n"
done
# Expected: 422 for the first 10, 429 for the rest

Test Results

Automated Test (Pest)

PASS  Tests\Feature\RateLimitingTest
✓ IpAddress Helper - IP Detection (8 tests)  → ✅ PASS
✓ IpAddress Helper - Rate Limit Key (3 tests) → ✅ PASS
✓ Login Rate Limiting (3 tests)               → ✅ PASS
✓ OTP Rate Limiting (2 tests)                 → ✅ PASS
✓ Security - Header Injection Prevention (2) → ✅ PASS
✓ IP Detection Priority Order (2 tests)      → ✅ PASS

Tests:  ✅ 20 passed
Duration: 4.97s
Pass Rate: 100%

Test Coverage Summary

Category             Tests  Status
IP Detection         8      ✅ Pass
Rate Limit Key       3      ✅ Pass
Login Rate Limiting  3      ✅ Pass
OTP Rate Limiting    2      ✅ Pass
Security Validation  2      ✅ Pass
Priority Order       2      ✅ Pass
TOTAL                20     ✅ 100%

Checklist


Screenshot

Test Results

   PASS  Tests\Feature\RateLimitingTest
   ✓ IpAddress Helper - IP Detection → detects cloudflare connecting ip
   ✓ IpAddress Helper - IP Detection → detects x-forwarded-for header
   ✓ IpAddress Helper - IP Detection → parses first ip from x-forwarded-for with multiple ips
   ✓ IpAddress Helper - IP Detection → detects x-real-ip header
   ✓ IpAddress Helper - IP Detection → falls back to request ip when no proxy headers
   ✓ IpAddress Helper - IP Detection → rejects invalid ip format
   ✓ IpAddress Helper - IP Detection → filters private ips when trustPrivateIp is false
   ✓ IpAddress Helper - IP Detection → accepts private ips when trustPrivateIp is true
   ✓ IpAddress Helper - Rate Limit Key → generates rate limit key with ip and email
   ✓ IpAddress Helper - Rate Limit Key → sanitizes email in rate limit key
   ✓ IpAddress Helper - Rate Limit Key → generates key with only ip when email is null
   ✓ Login Rate Limiting → allows login within rate limit
   ✓ Login Rate Limiting → blocks login after rate limit exceeded
   ✓ Login Rate Limiting → different email bypasses rate limit
   ✓ OTP Rate Limiting → allows otp request within rate limit
   ✓ OTP Rate Limiting → blocks otp request after rate limit exceeded
   ✓ Security - Header Injection Prevention → rejects script injection in x-forwarded-for
   ✓ Security - Header Injection Prevention → validates ipv4 format
   ✓ IP Detection Priority Order → cf-connecting-ip has highest priority
   ✓ IP Detection Priority Order → x-forwarded-for has priority over x-real-ip

   Tests:  ✅ 20 passed

Environment Configuration

Add to .env:

# Security Configuration
TRUST_PROXIES=*
RATE_LIMIT_LOGIN_MAX=10
RATE_LIMIT_LOGIN_DECAY=1
RATE_LIMIT_OTP_MAX=3
RATE_LIMIT_OTP_DECAY=1

Commit Breakdown

8f8de06f test(security): add Pest tests for rate limiting
6d28a702 feat(security): add rate limiting config to env example
03732de1 feat(security): apply throttle middleware to login and OTP routes
da96e690 feat(security): add rate limiters for login and OTP
6e7fe8db feat(security): update TrustProxies for proxy support
1edd66a8 feat(security): add IpAddress helper for proxy IP detection

- Detects real IP from CF-Connecting-IP, X-Forwarded-For, X-Real-IP
- Validates IP format to prevent header injection
- Filters private IPs (configurable)
- Generates rate limit keys with IP+Email combination

Closes OpenSID#1410
- Add configurable trusted proxies via env variable
- Support Cloudflare, reverse proxy, load balancer

Closes OpenSID#1410
- Login rate limiter: 10 attempts per minute per IP+Email
- OTP rate limiter: 3 attempts per minute per IP+Email
- Use IpAddress helper for real IP detection

Closes OpenSID#1410
- Add throttle:login to POST /login
- Add throttle:login to 2FA verify-login
- Add throttle:otp to OTP request/resend routes

Closes OpenSID#1410
- TRUST_PROXIES for trusted proxy configuration
- RATE_LIMIT_LOGIN_MAX and _DECAY
- RATE_LIMIT_OTP_MAX and _DECAY

Closes OpenSID#1410
- IP detection tests (8 tests)
- Rate limit key generation tests (3 tests)
- Login rate limiting tests (3 tests)
- OTP rate limiting tests (2 tests)
- Security validation tests (2 tests)
- Priority order tests (2 tests)

Total: 20 tests

Closes OpenSID#1410
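The header precedence, IP validation, private-IP filtering and IP+email keying that this PR describes, modelled in Python as an added example (it is not the PR's IpAddress.php helper, nor Laravel's throttle middleware or RateLimiter). It replaces Laravel's cache-backed limiter with an in-memory sliding window and adds one gate the description does not state explicitly: forwarded headers are consulted only when the socket peer is a trusted proxy (the page's TRUST_PROXIES=* corresponds to trusting every peer). All function and class names, the header dictionaries and the sample addresses are constructed; the "public" samples are well-known resolver addresses rather than RFC 5737 documentation addresses, because Python's ipaddress module classifies the documentation ranges as private.

```python
"""Proxy-aware client IP detection plus IP+email rate limiting (illustrative model)."""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, Optional

# Header precedence as described in the PR: CF-Connecting-IP first,
# then the first hop of X-Forwarded-For, then X-Real-IP.
HEADER_PRIORITY = ("cf-connecting-ip", "x-forwarded-for", "x-real-ip")


def parse_ip(value: str) -> Optional[ipaddress.IPv4Address | ipaddress.IPv6Address]:
    """Return the first comma-separated entry as a validated address, or None.

    ipaddress.ip_address() accepts only a bare literal, so injected text such as
    '<script>' never reaches the rate-limit key; it is simply discarded.
    """
    first_hop = value.split(",", 1)[0].strip()
    try:
        return ipaddress.ip_address(first_hop)
    except ValueError:
        return None


def is_non_public(addr) -> bool:
    """True for RFC 1918, loopback, link-local and reserved ranges."""
    return addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_reserved


def is_trusted_proxy(peer, trusted: Iterable[str]) -> bool:
    """'*' trusts every peer; otherwise the socket peer must fall inside a listed CIDR."""
    trusted = list(trusted)
    if "*" in trusted:
        return True
    return any(peer in ipaddress.ip_network(cidr, strict=False) for cidr in trusted)


def client_ip(headers: Dict[str, str], remote_addr: str,
              trusted_proxies: Iterable[str], trust_private_ip: bool = False) -> str:
    """Resolve the client address used as the rate-limit key component (assumed helper).

    Forwarded headers are honoured only when the direct peer is a trusted proxy;
    otherwise the socket address is used, because the headers are client-supplied.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not is_trusted_proxy(peer, trusted_proxies):
        return str(peer)
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in HEADER_PRIORITY:
        raw = lowered.get(name)
        if raw is None:
            continue
        addr = parse_ip(raw)
        if addr is None or (is_non_public(addr) and not trust_private_ip):
            continue  # invalid or private entry: fall through to the next header
        return str(addr)
    return str(peer)  # no usable header: fall back to the request IP


def rate_limit_key(ip: str, email: Optional[str], scope: str = "login") -> str:
    """Build '<scope>:<ip>|<email>'; the email is lower-cased and reduced to a safe charset."""
    if email is None:
        return f"{scope}:{ip}"
    sanitized = re.sub(r"[^a-z0-9@._+-]", "", email.strip().lower())
    return f"{scope}:{ip}|{sanitized}"


class SlidingWindowLimiter:
    """At most max_attempts per key within decay_seconds (in-memory, single process)."""

    def __init__(self, max_attempts: int, decay_seconds: int) -> None:
        self.max_attempts = max_attempts
        self.decay_seconds = decay_seconds
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def attempt(self, key: str, now: float) -> bool:
        """Record an attempt; True if within the limit, False when a 429 is due."""
        window = self._hits[key]
        while window and now - window[0] >= self.decay_seconds:
            window.popleft()
        if len(window) >= self.max_attempts:
            return False
        window.append(now)
        return True


def simulate_login_burst(attempts: int, max_attempts: int = 10, decay_seconds: int = 60) -> list:
    """Status code each of `attempts` bad-password logins would receive, one per second.

    Constructed scenario: one client (8.8.8.8) behind a trusted proxy (10.0.0.9),
    same email every time. 422 stands in for a rejected login, 429 for throttled.
    """
    limiter = SlidingWindowLimiter(max_attempts, decay_seconds)
    headers = {"X-Forwarded-For": "8.8.8.8, 10.0.0.9"}  # constructed request headers
    ip = client_ip(headers, "10.0.0.9", ["10.0.0.0/8"])
    key = rate_limit_key(ip, "test@example.com")
    return [422 if limiter.attempt(key, now=float(i)) else 429 for i in range(attempts)]


if __name__ == "__main__":
    print(simulate_login_burst(15))
```

Run it directly to see the first ten attempts pass (422) and the rest throttle (429), matching the expectation in the manual test command above. Keying on the resolved IP plus the sanitised email is what lets a different email from the same address proceed, while the trusted-proxy gate is what keeps a forwarded header from standing in for the real peer when no proxy is in front of the app.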