<?php
|
namespace JVBase\managers;
|
|
if (!defined('ABSPATH')) {
|
exit;
|
}
|
|
/**
|
* Simple rate limiter for AJAX requests (non-REST)
|
* Includes both hourly limits AND burst protection
|
*/
|
class AjaxRateLimiter
|
{
|
protected array $limits = [
|
'login' => [
|
'count' => 20, // Hourly limit
|
'window' => 3600, // 1 hour
|
'burst_count' => 5, // Burst limit
|
'burst_window' => 60 // 1 minute
|
],
|
'register' => [
|
'count' => 10,
|
'window' => 3600,
|
'burst_count' => 3,
|
'burst_window' => 60
|
],
|
'lostpassword' => [
|
'count' => 10,
|
'window' => 3600,
|
'burst_count' => 3,
|
'burst_window' => 60
|
],
|
'resetpass' => [
|
'count' => 10,
|
'window' => 3600,
|
'burst_count' => 3,
|
'burst_window' => 60
|
],
|
];
|
|
/**
|
* Check if action is within rate limits (both hourly and burst)
|
*
|
* @param string $action The action being performed (login, register, etc.)
|
* @return bool True if within limits, false if exceeded
|
*/
|
public function checkLimit(string $action): bool
|
{
|
// Check burst protection first (stricter, prevents rapid-fire)
|
if (!$this->checkBurstLimit($action)) {
|
return false;
|
}
|
|
// Then check hourly limit
|
return $this->checkHourlyLimit($action);
|
}
|
|
/**
|
* Check burst protection (prevents rapid-fire attempts)
|
*
|
* Example: 5 login attempts in 10 seconds = blocked
|
*
|
* @param string $action The action being performed
|
* @return bool True if within burst limits, false if exceeded
|
*/
|
protected function checkBurstLimit(string $action): bool
|
{
|
$limit = $this->getLimit($action);
|
|
// Skip if no burst protection configured
|
if (!isset($limit['burst_count'])) {
|
return true;
|
}
|
|
$key = $this->getCacheKey($action) . '_burst';
|
$data = get_transient($key);
|
|
if (!$data) {
|
$data = ['count' => 0, 'first_attempt' => time()];
|
}
|
|
// Check if burst window expired
|
$elapsed = time() - $data['first_attempt'];
|
if ($elapsed >= $limit['burst_window']) {
|
// Window expired, reset
|
$data = ['count' => 0, 'first_attempt' => time()];
|
}
|
|
// Check if burst limit exceeded
|
if ($data['count'] >= $limit['burst_count']) {
|
// Log for security monitoring
|
error_log(sprintf(
|
'Burst rate limit exceeded for %s from %s: %d attempts in %d seconds',
|
$action,
|
$this->getClientIp(),
|
$data['count'],
|
$elapsed
|
));
|
return false;
|
}
|
|
// Increment and save
|
$data['count']++;
|
set_transient($key, $data, $limit['burst_window']);
|
|
return true;
|
}
|
|
/**
|
* Check hourly rate limit
|
*
|
* @param string $action The action being performed
|
* @return bool True if within hourly limits, false if exceeded
|
*/
|
protected function checkHourlyLimit(string $action): bool
|
{
|
$key = $this->getCacheKey($action);
|
$limit = $this->getLimit($action);
|
|
// Get current count
|
$data = get_transient($key);
|
if (!$data) {
|
$data = ['count' => 0, 'first_attempt' => time()];
|
}
|
|
// Check if window has expired
|
if (time() - $data['first_attempt'] >= $limit['window']) {
|
// Window expired, reset
|
$data = ['count' => 0, 'first_attempt' => time()];
|
}
|
|
// Check if limit exceeded
|
if ($data['count'] >= $limit['count']) {
|
// Log for security monitoring
|
error_log(sprintf(
|
'Hourly rate limit exceeded for %s from %s: %d attempts',
|
$action,
|
$this->getClientIp(),
|
$data['count']
|
));
|
return false;
|
}
|
|
// Increment and save
|
$data['count']++;
|
set_transient($key, $data, $limit['window']);
|
|
return true;
|
}
|
|
/**
|
* Get remaining attempts for an action
|
*
|
* @param string $action The action being performed
|
* @return array ['remaining' => int, 'reset_at' => int, 'burst_remaining' => int, 'burst_reset_at' => int]
|
*/
|
public function getRemaining(string $action): array
|
{
|
$limit = $this->getLimit($action);
|
|
// Hourly remaining
|
$key = $this->getCacheKey($action);
|
$data = get_transient($key);
|
|
$hourly_remaining = $limit['count'];
|
$hourly_reset_at = time() + $limit['window'];
|
|
if ($data) {
|
$hourly_remaining = max(0, $limit['count'] - $data['count']);
|
$hourly_reset_at = $data['first_attempt'] + $limit['window'];
|
}
|
|
// Burst remaining (if configured)
|
$burst_remaining = $limit['burst_count'] ?? null;
|
$burst_reset_at = null;
|
|
if (isset($limit['burst_count'])) {
|
$burst_key = $key . '_burst';
|
$burst_data = get_transient($burst_key);
|
|
if ($burst_data) {
|
$burst_remaining = max(0, $limit['burst_count'] - $burst_data['count']);
|
$burst_reset_at = $burst_data['first_attempt'] + $limit['burst_window'];
|
} else {
|
$burst_reset_at = time() + $limit['burst_window'];
|
}
|
}
|
|
return [
|
'remaining' => $hourly_remaining,
|
'reset_at' => $hourly_reset_at,
|
'burst_remaining' => $burst_remaining,
|
'burst_reset_at' => $burst_reset_at
|
];
|
}
|
|
/**
|
* Generate cache key based on IP and action
|
*
|
* @param string $action The action being performed
|
* @return string Cache key
|
*/
|
protected function getCacheKey(string $action): string
|
{
|
$ip = $this->getClientIp();
|
$user_id = get_current_user_id(); // 0 if not logged in
|
|
return BASE . 'ajax_rate_limit_' . md5($ip . '_' . $user_id . '_' . $action);
|
}
|
|
/**
|
* Get client IP address (supports proxies)
|
*
|
* @return string IP address
|
*/
|
protected function getClientIp(): string
|
{
|
// Check for proxy headers first
|
if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
|
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
|
// X-Forwarded-For can contain multiple IPs, get the first one
|
$ips = explode(',', $ip);
|
return trim($ips[0]);
|
}
|
|
if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
|
return $_SERVER['HTTP_CLIENT_IP'];
|
}
|
|
return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
|
}
|
|
/**
|
* Get limit configuration for an action
|
*
|
* @param string $action The action being performed
|
* @return array Limit configuration
|
*/
|
protected function getLimit(string $action): array
|
{
|
return $this->limits[$action] ?? $this->limits['login'];
|
}
|
|
/**
|
* Clear rate limit for a specific action (useful for testing)
|
*
|
* @param string $action The action to clear
|
* @return bool True if cleared, false otherwise
|
*/
|
public function clearLimit(string $action): bool
|
{
|
$key = $this->getCacheKey($action);
|
$burst_key = $key . '_burst';
|
|
$result1 = delete_transient($key);
|
$result2 = delete_transient($burst_key);
|
|
return $result1 || $result2;
|
}
|
|
/**
|
* Update limit configuration
|
*
|
* @param string $action The action to update
|
* @param int $count Max attempts per window
|
* @param int $window Time window in seconds
|
* @param int|null $burst_count Optional burst limit
|
* @param int|null $burst_window Optional burst window
|
*/
|
public function setLimit(
|
string $action,
|
int $count,
|
int $window,
|
?int $burst_count = null,
|
?int $burst_window = null
|
): void {
|
$this->limits[$action] = [
|
'count' => $count,
|
'window' => $window
|
];
|
|
if ($burst_count !== null && $burst_window !== null) {
|
$this->limits[$action]['burst_count'] = $burst_count;
|
$this->limits[$action]['burst_window'] = $burst_window;
|
}
|
}
|
|
/**
|
* Check if IP is currently rate limited
|
*
|
* @param string $action The action to check
|
* @return bool True if rate limited, false otherwise
|
*/
|
public function isRateLimited(string $action): bool
|
{
|
// Check both burst and hourly without incrementing
|
$limit = $this->getLimit($action);
|
|
// Check burst
|
if (isset($limit['burst_count'])) {
|
$burst_key = $this->getCacheKey($action) . '_burst';
|
$burst_data = get_transient($burst_key);
|
|
if ($burst_data) {
|
$elapsed = time() - $burst_data['first_attempt'];
|
if ($elapsed < $limit['burst_window'] && $burst_data['count'] >= $limit['burst_count']) {
|
return true;
|
}
|
}
|
}
|
|
// Check hourly
|
$key = $this->getCacheKey($action);
|
$data = get_transient($key);
|
|
if ($data) {
|
$elapsed = time() - $data['first_attempt'];
|
if ($elapsed < $limit['window'] && $data['count'] >= $limit['count']) {
|
return true;
|
}
|
}
|
|
return false;
|
}
|
}
|
