Add Rate-Limiter for RSS Feed

linkdotnet · linkdotnet · commit e94c5a3da1a6 · 2024-09-10T21:23:47.000+02:00
diff --git a/src/LinkDotNet.Blog.Web/Controller/RssFeedController.cs b/src/LinkDotNet.Blog.Web/Controller/RssFeedController.cs
@@ -12,12 +12,14 @@
 using LinkDotNet.Blog.Infrastructure.Persistence;
 using LinkDotNet.Blog.Web.Features;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.RateLimiting;
 using Microsoft.Extensions.Options;
 using InvalidOperationException = System.InvalidOperationException;
 
 namespace LinkDotNet.Blog.Web.Controller;
 
 [Route("feed.rss")]
+[EnableRateLimiting("ip")]
 public sealed class RssFeedController : ControllerBase
 {
     private static readonly XmlWriterSettings Settings = CreateXmlWriterSettings();
diff --git a/src/LinkDotNet.Blog.Web/Program.cs b/src/LinkDotNet.Blog.Web/Program.cs
@@ -1,3 +1,5 @@
+using System;
+using System.Threading.RateLimiting;
 using System.Threading.Tasks;
 using Blazored.Toast;
 using Blazorise;
@@ -8,6 +10,7 @@
 using LinkDotNet.Blog.Web.RegistrationExtensions;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Diagnostics.HealthChecks;
+using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 
@@ -40,6 +43,17 @@ private static void RegisterServices(WebApplicationBuilder builder)
             options.MaximumReceiveMessageSize = 1024 * 1024;
         });
 
+        builder.Services.AddRateLimiter(options =>
+        {
+            options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
+            options.AddPolicy<string>("ip", httpContext =>
+
+                RateLimitPartition.GetFixedWindowLimiter(
+                    httpContext.Connection.RemoteIpAddress?.ToString() ?? string.Empty,
+                    _ => new FixedWindowRateLimiterOptions { PermitLimit = 15, Window = TimeSpan.FromMinutes(1) })
+            );
+        });
+
         builder.Services.AddConfiguration();
 
         builder.Services.AddBlazoredToast();
@@ -91,6 +105,7 @@ private static void ConfigureApp(WebApplication app)
         app.UseAuthentication();
         app.UseAuthorization();
 
+        app.UseRateLimiter();
         app.MapControllers();
         app.MapBlazorHub();
         app.MapFallbackToPage("/_Host");
diff --git a/tests/LinkDotNet.Blog.IntegrationTests/SmokeTests.cs b/tests/LinkDotNet.Blog.IntegrationTests/SmokeTests.cs
@@ -63,13 +63,26 @@ public async Task ShouldAllowDotsForFreeTextSearch()
         result.IsSuccessStatusCode.ShouldBeTrue();
     }
 
+    [Fact]
+    public async Task RssFeedShouldBeRateLimited()
+    {
+        const int numberOfRequests = 16;
+        using var client = factory.CreateClient();
+        
+        for (var i = 0; i < numberOfRequests - 1; i++)
+        {
+            var result = await client.GetAsync("/feed.rss");
+            result.IsSuccessStatusCode.ShouldBeTrue();
+        }
+        
+        var lastResult = await client.GetAsync("/feed.rss");
+        lastResult.IsSuccessStatusCode.ShouldBeFalse();
+    }
+
     public void Dispose() => factory?.Dispose();
 
     public async ValueTask DisposeAsync()
     {
-        if (factory is not null)
-        {
-            await factory.DisposeAsync();
-        }
+        await factory.DisposeAsync();
     }
 }
