NEXT-23422 - Added rate limiter to adding a line item

Author: cyl3x

changelog/_unreleased/2022-11-03-added-rate-limiter-to-adding-a-line-item.md

@@ -0,0 +1,15 @@
+---
+title: Added rate limiter to adding a line item
+issue: NEXT-23422
+author: Michel Bade
+author_email: [email protected]
+author_github: @cyl3x
+---
+# Core
+* Added `cart_add_line_item` to rate limiter configuration in `Shopwar\Core\Framework\Resources\config\packages\shopware` 
+* Added constant `CART_ADD_LINE_ITEM` in `Shopware\Core\Framework\RateLimiter\RateLimiter`.
+* Added rate limiter `Shopware\Core\Framework\RateLimiter\Policy\SystemConfigLimiter` and policy type `system_config` to allow limitation configuration with `SystemConfigService`
+* Added policy type `system_config` to `Shopware\Core\Framework\RateLimiter`
+___
+# API
+* Added rate limitation for api route `store-api.checkout.cart.add`

config-schema.json

@@ -198,6 +198,9 @@
                 },
                 "newsletter_form": {
                     "$ref": "#/definitions/rate_limiter_config"
+                },
+                "cart_add_line_item_from": {
+                    "$ref": "#/definitions/rate_limiter_config"
                 }
             },
             "title": "RateLimiter"

phpstan-baseline.neon

@@ -895,16 +895,6 @@ parameters:
 			count: 1
 			path: src/Core/Checkout/Cart/SalesChannel/AbstractCartItemAddRoute.php
 
-		-
-			message: "#^Method Shopware\\\\Core\\\\Checkout\\\\Cart\\\\SalesChannel\\\\CartItemAddRoute\\:\\:add\\(\\) has parameter \\$items with no value type specified in iterable type array\\.$#"
-			count: 1
-			path: src/Core/Checkout/Cart/SalesChannel/CartItemAddRoute.php
-
-		-
-			message: "#^PHPDoc tag @var for variable \\$item has no value type specified in iterable type array\\.$#"
-			count: 1
-			path: src/Core/Checkout/Cart/SalesChannel/CartItemAddRoute.php
-
 		-
 			message: "#^PHPDoc tag @var for variable \\$item has no value type specified in iterable type array\\.$#"
 			count: 1
@@ -16918,11 +16908,6 @@ parameters:
 			count: 1
 			path: src/Core/Framework/DependencyInjection/CompilerPass/BusinessEventRegisterCompilerPass.php
 
-		-
-			message: "#^Method Shopware\\\\Core\\\\Framework\\\\DependencyInjection\\\\CompilerPass\\\\RateLimiterCompilerPass\\:\\:setConfigDefaults\\(\\) has parameter \\$config with no value type specified in iterable type array\\.$#"
-			count: 1
-			path: src/Core/Framework/DependencyInjection/CompilerPass/RateLimiterCompilerPass.php
-
 		-
 			message: "#^Method Shopware\\\\Core\\\\Framework\\\\DependencyInjection\\\\FrameworkExtension\\:\\:addShopwareConfig\\(\\) has parameter \\$options with no value type specified in iterable type array\\.$#"
 			count: 1
@@ -17698,16 +17683,6 @@ parameters:
 			count: 1
 			path: src/Core/Framework/RateLimiter/Policy/TimeBackoffLimiter.php
 
-		-
-			message: "#^Method Shopware\\\\Core\\\\Framework\\\\RateLimiter\\\\RateLimiterFactory\\:\\:__construct\\(\\) has parameter \\$config with no value type specified in iterable type array\\.$#"
-			count: 1
-			path: src/Core/Framework/RateLimiter/RateLimiterFactory.php
-
-		-
-			message: "#^Property Shopware\\\\Core\\\\Framework\\\\RateLimiter\\\\RateLimiterFactory\\:\\:\\$config type has no value type specified in iterable type array\\.$#"
-			count: 1
-			path: src/Core/Framework/RateLimiter/RateLimiterFactory.php
-
 		-
 			message: "#^Method Shopware\\\\Core\\\\Framework\\\\Routing\\\\AbstractRouteScope\\:\\:getRoutePrefixes\\(\\) return type has no value type specified in iterable type array\\.$#"
 			count: 1
@@ -22538,11 +22513,6 @@ parameters:
 			count: 1
 			path: src/Core/Framework/Test/Plugin/_fixture/plugins/SwagTestWithBundle/src/SwagTestWithBundle.php
 
-		-
-			message: "#^Property Shopware\\\\Core\\\\Framework\\\\Test\\\\RateLimiter\\\\Policy\\\\TimeBackoffLimiterTest\\:\\:\\$config type has no value type specified in iterable type array\\.$#"
-			count: 1
-			path: src/Core/Framework/Test/RateLimiter/Policy/TimeBackoffLimiterTest.php
-
 		-
 			message: "#^Method Shopware\\\\Core\\\\Framework\\\\Test\\\\Routing\\\\ApiRequestContextResolverTest\\:\\:addRoleToIntegration\\(\\) has parameter \\$privileges with no value type specified in iterable type array\\.$#"
 			count: 1

src/Core/Checkout/Cart/SalesChannel/CartItemAddRoute.php

@@ -8,8 +8,10 @@
 use Shopware\Core\Checkout\Cart\Event\AfterLineItemAddedEvent;
 use Shopware\Core\Checkout\Cart\Event\BeforeLineItemAddedEvent;
 use Shopware\Core\Checkout\Cart\Event\CartChangedEvent;
+use Shopware\Core\Checkout\Cart\LineItem\LineItem;
 use Shopware\Core\Checkout\Cart\LineItemFactoryRegistry;
 use Shopware\Core\Framework\Plugin\Exception\DecorationPatternException;
+use Shopware\Core\Framework\RateLimiter\RateLimiter;
 use Shopware\Core\Framework\Routing\Annotation\RouteScope;
 use Shopware\Core\Framework\Routing\Annotation\Since;
 use Shopware\Core\System\SalesChannel\SalesChannelContext;
@@ -42,19 +44,23 @@ class CartItemAddRoute extends AbstractCartItemAddRoute
      */
     private $lineItemFactory;
 
+    private RateLimiter $rateLimiter;
+
     /**
      * @internal
      */
     public function __construct(
         CartCalculator $cartCalculator,
         CartPersisterInterface $cartPersister,
         EventDispatcherInterface $eventDispatcher,
-        LineItemFactoryRegistry $lineItemFactory
+        LineItemFactoryRegistry $lineItemFactory,
+        RateLimiter $rateLimiter
     ) {
         $this->cartCalculator = $cartCalculator;
         $this->cartPersister = $cartPersister;
         $this->eventDispatcher = $eventDispatcher;
         $this->lineItemFactory = $lineItemFactory;
+        $this->rateLimiter = $rateLimiter;
     }
 
     public function getDecorated(): AbstractCartItemAddRoute
@@ -65,19 +71,26 @@ public function getDecorated(): AbstractCartItemAddRoute
     /**
      * @Since("6.3.0.0")
      * @Route("/store-api/checkout/cart/line-item", name="store-api.checkout.cart.add", methods={"POST"})
+     *
+     * @param array<LineItem> $items
      */
     public function add(Request $request, Cart $cart, SalesChannelContext $context, ?array $items): CartResponse
     {
         if ($items === null) {
             $items = [];
 
-            /** @var array $item */
+            /** @var array<mixed> $item */
             foreach ($request->request->all('items') as $item) {
                 $items[] = $this->lineItemFactory->create($item, $context);
             }
         }
 
         foreach ($items as $item) {
+            if ($request->getClientIp() !== null) {
+                $cacheKey = ($item->getReferencedId() ?? $item->getId()) . '-' . $request->getClientIp();
+                $this->rateLimiter->ensureAccepted(RateLimiter::CART_ADD_LINE_ITEM, $cacheKey);
+            }
+
             $alreadyExists = $cart->has($item->getId());
             $cart->add($item);
 

src/Core/Checkout/DependencyInjection/cart.xml

@@ -103,6 +103,7 @@
             <argument type="service" id="Shopware\Core\Checkout\Cart\CartPersister"/>
             <argument type="service" id="event_dispatcher"/>
             <argument type="service" id="Shopware\Core\Checkout\Cart\LineItemFactoryRegistry"/>
+            <argument type="service" id="shopware.rate_limiter"/>
         </service>
 
         <service id="Shopware\Core\Checkout\Cart\SalesChannel\CartOrderRoute" public="true">

src/Core/Framework/DependencyInjection/CompilerPass/RateLimiterCompilerPass.php

@@ -4,6 +4,7 @@
 
 use Shopware\Core\Framework\RateLimiter\RateLimiter;
 use Shopware\Core\Framework\RateLimiter\RateLimiterFactory;
+use Shopware\Core\System\SystemConfig\SystemConfigService;
 use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\DependencyInjection\Definition;
@@ -35,6 +36,7 @@ public function process(ContainerBuilder $container): void
             $cacheDef->addArgument(new Reference($config['cache_pool']));
 
             $def->addArgument($cacheDef);
+            $def->addArgument(new Reference(SystemConfigService::class));
             $def->addArgument(new Reference($config['lock_factory']));
 
             $rateLimiter->addMethodCall('registerLimiterFactory', [$name, $def]);
@@ -43,6 +45,9 @@ public function process(ContainerBuilder $container): void
         $container->setDefinition('shopware.rate_limiter', $rateLimiter);
     }
 
+    /**
+     * @param array<string, array<string, int|string>|bool|string|int> $config
+     */
     private function setConfigDefaults(array &$config): void
     {
         if (!\array_key_exists('enabled', $config)) {

src/Core/Framework/RateLimiter/Policy/SystemConfigLimiter.php

@@ -0,0 +1,28 @@
+<?php declare(strict_types=1);
+
+namespace Shopware\Core\Framework\RateLimiter\Policy;
+
+use Shopware\Core\System\SystemConfig\SystemConfigService;
+use Symfony\Component\Lock\LockInterface;
+use Symfony\Component\RateLimiter\Storage\StorageInterface;
+
+class SystemConfigLimiter extends TimeBackoffLimiter
+{
+    /**
+     * @param array<string, string|int> $limits
+     */
+    public function __construct(SystemConfigService $systemConfigService, string $id, array $limits, \DateInterval $reset, StorageInterface $storage, ?LockInterface $lock = null)
+    {
+        foreach ($limits as $idx => $limit) {
+            if (!isset($limit['domain'])) {
+                continue;
+            }
+
+            $sysLimit = $systemConfigService->get($limit['domain']);
+            $limits[$idx]['limit'] = $sysLimit && (int) $sysLimit !== 0 ? (int) $sysLimit : \PHP_INT_MAX;
+            unset($limits[$idx]['domain']);
+        }
+
+        parent::__construct($id, $limits, $reset, $storage, $lock);
+    }
+}

src/Core/Framework/RateLimiter/RateLimiter.php

@@ -20,6 +20,8 @@ class RateLimiter
 
     public const NEWSLETTER_FORM = 'newsletter_form';
 
+    public const CART_ADD_LINE_ITEM = 'cart_add_line_item';
+
     /**
      * @var array<string, RateLimiterFactory>
      */

src/Core/Framework/RateLimiter/RateLimiterFactory.php

@@ -2,7 +2,9 @@
 
 namespace Shopware\Core\Framework\RateLimiter;
 
+use Shopware\Core\Framework\RateLimiter\Policy\SystemConfigLimiter;
 use Shopware\Core\Framework\RateLimiter\Policy\TimeBackoffLimiter;
+use Shopware\Core\System\SystemConfig\SystemConfigService;
 use Symfony\Component\Lock\LockFactory;
 use Symfony\Component\Lock\NoLock;
 use Symfony\Component\RateLimiter\LimiterInterface;
@@ -12,19 +14,27 @@
 
 class RateLimiterFactory
 {
+    /**
+     * @var array<mixed>
+     */
     private array $config;
 
     private StorageInterface $storage;
 
     private ?LockFactory $lockFactory;
 
+    private SystemConfigService $systemConfigService;
+
     /**
      * @internal
+     *
+     * @param array<string, array<int|string, array<string, int|string>|string>|bool|int|string> $config
      */
-    public function __construct(array $config, StorageInterface $storage, ?LockFactory $lockFactory = null)
+    public function __construct(array $config, StorageInterface $storage, SystemConfigService $systemConfigService, ?LockFactory $lockFactory = null)
     {
         $this->config = $config;
         $this->storage = $storage;
+        $this->systemConfigService = $systemConfigService;
         $this->lockFactory = $lockFactory;
     }
 
@@ -45,6 +55,10 @@ public function create(?string $key = null): LimiterInterface
             return new TimeBackoffLimiter($id, $this->config['limits'], $this->config['reset'], $this->storage, $lock);
         }
 
+        if ($this->config['policy'] === 'system_config') {
+            return new SystemConfigLimiter($this->systemConfigService, $id, $this->config['limits'], $this->config['reset'], $this->storage, $lock);
+        }
+
         // prevent symfony errors due to customized values
         $this->config = \array_filter($this->config, static function ($key): bool {
             return !\in_array($key, ['enabled', 'reset', 'cache_pool', 'lock_factory', 'limits'], true);

src/Core/Framework/Resources/config/packages/shopware.yaml

@@ -143,6 +143,13 @@ shopware:
                       interval: '60 seconds'
                     - limit: 10
                       interval: '90 seconds'
+            cart_add_line_item:
+                enabled: true
+                policy: 'system_config'
+                reset: '1 hours'
+                limits:
+                    -   domain: 'core.cart.lineItemAddLimit'
+                        interval: '60 seconds'
 
     admin_worker:
         enable_admin_worker: true

src/Core/System/Resources/config/cart.xml

@@ -29,6 +29,13 @@
             <label>Time in minutes for a customer to finalize a transaction</label>
             <label lang="de-DE">Zeit in Minuten, die ein Kunde Zeit hat eine Transaktion abzuschließen</label>
         </input-field>
+
+        <input-field type="int">
+            <name>lineItemAddLimit</name>
+            <defaultValue>0</defaultValue>
+            <label>Maximum addable products to cart per minute through API</label>
+            <label lang="de-DE">Maximal hinzufügbare Produkte pro Minute in den Warenkorb durch die API</label>
+        </input-field>
     </card>
 
     <card>

src/Core/Framework/Test/RateLimiter/RateLimiterFactoryTest.php renamed to tests/integration/php/Core/Framework/RateLimiter/Policy/RateLimiterFactoryTest.php

@@ -1,17 +1,20 @@
 <?php declare(strict_types=1);
 
-namespace Shopware\Core\Framework\Test\RateLimiter;
+namespace Shopware\Tests\Core\Framework\RateLimiter\Policy;
 
 use PHPUnit\Framework\TestCase;
 use Shopware\Core\Framework\RateLimiter\Policy\TimeBackoffLimiter;
 use Shopware\Core\Framework\RateLimiter\RateLimiterFactory;
 use Shopware\Core\Framework\Test\TestCaseBase\IntegrationTestBehaviour;
+use Shopware\Core\System\SystemConfig\SystemConfigService;
 use Symfony\Component\Lock\LockFactory;
 use Symfony\Component\RateLimiter\Policy\TokenBucketLimiter;
 use Symfony\Component\RateLimiter\Storage\StorageInterface;
 
 /**
  * @internal
+ *
+ * @covers \Shopware\Core\Framework\RateLimiter\RateLimiterFactory
  */
 class RateLimiterFactoryTest extends TestCase
 {
@@ -37,7 +40,8 @@ public function testFactoryShouldReturnCustomPolicy(): void
                 ],
             ],
             $this->createMock(StorageInterface::class),
-            $this->createMock(LockFactory::class)
+            $this->createMock(SystemConfigService::class),
+            $this->createMock(LockFactory::class),
         );
 
         static::assertInstanceOf(TimeBackoffLimiter::class, $factory->create('example'));
@@ -54,7 +58,8 @@ public function testFactoryShouldUseSymfonyFactory(): void
                 'rate' => ['interval' => '60 seconds'],
             ],
             $this->createMock(StorageInterface::class),
-            $this->createMock(LockFactory::class)
+            $this->createMock(SystemConfigService::class),
+            $this->createMock(LockFactory::class),
         );
 
         static::assertInstanceOf(TokenBucketLimiter::class, $factory->create('example'));
@@ -89,7 +94,8 @@ public function testFactoryShouldUseSymfonyFactoryOverrideDefaultConfig(): void
                 ],
             ),
             $this->createMock(StorageInterface::class),
-            $this->createMock(LockFactory::class)
+            $this->createMock(SystemConfigService::class),
+            $this->createMock(LockFactory::class),
         );
 
         static::assertInstanceOf(TokenBucketLimiter::class, $factory->create('example'));

src/Core/Framework/Test/RateLimiter/Policy/TimeBackoffLimiterTest.php renamed to tests/integration/php/Core/Framework/RateLimiter/Policy/TimeBackoffLimiterTest.php

@@ -1,13 +1,14 @@
 <?php declare(strict_types=1);
 
-namespace Shopware\Core\Framework\Test\RateLimiter\Policy;
+namespace Shopware\Tests\Core\Framework\RateLimiter\Policy;
 
 use PHPUnit\Framework\TestCase;
 use Shopware\Core\Checkout\Test\Customer\SalesChannel\CustomerTestTrait;
 use Shopware\Core\Framework\RateLimiter\Policy\TimeBackoff;
 use Shopware\Core\Framework\RateLimiter\RateLimiterFactory;
 use Shopware\Core\Framework\Test\TestCaseBase\IntegrationTestBehaviour;
 use Shopware\Core\Framework\Test\TestCaseBase\SalesChannelApiTestBehaviour;
+use Shopware\Core\System\SystemConfig\SystemConfigService;
 use Symfony\Component\Cache\Adapter\ArrayAdapter;
 use Symfony\Component\Lock\LockFactory;
 use Symfony\Component\RateLimiter\Exception\ReserveNotSupportedException;
@@ -17,13 +18,18 @@
 
 /**
  * @internal
+ *
+ * @covers \Shopware\Core\Framework\RateLimiter\Policy\TimeBackoffLimiter
  */
 class TimeBackoffLimiterTest extends TestCase
 {
     use IntegrationTestBehaviour;
     use CustomerTestTrait;
     use SalesChannelApiTestBehaviour;
 
+    /**
+     * @var array<mixed>
+     */
     private array $config;
 
     private LimiterInterface $limiter;
@@ -58,6 +64,7 @@ public function setUp(): void
         $factory = new RateLimiterFactory(
             $this->config,
             new CacheStorage(new ArrayAdapter()),
+            $this->createMock(SystemConfigService::class),
             $this->createMock(LockFactory::class)
         );