feat: add rate limit

Author: Throyer

README.md

@@ -113,9 +113,9 @@ Creating database migration files
 
 ## Environment variables
 
-| **Descrição**                            | **Parameter**                      | **Default values**        |
+| **Description**                          | **Parameter**                      | **Default values**        |
 |------------------------------------------|------------------------------------|---------------------------|
-| Server port                              | `SERVER_PORT`                      | 8080                      |
+| server port                              | `SERVER_PORT`                      | 8080                      |
 | database url                             | `DB_URL`                           | localhost:5432/common_app |
 | username (database)                      | `DB_USERNAME`                      | root                      |
 | user password (database)                 | `DB_PASSWORD`                      | root                      |
@@ -129,6 +129,7 @@ Creating database migration files
 | SMTP username                            | `SMTP_USERNAME`                    | user                      |
 | SMTP server password                     | `SMTP_PASSWORD`                    | secret                    |
 | time for recovery email to expire        | `MINUTES_TO_EXPIRE_RECOVERY_CODE`  | 20                        |
+| max requests per minute                  | `MAX_REQUESTS_PER_MINUTE`          | 10                        |
 
 > these variables are defined in: [**application.properties**](./src/main/resources/application.properties)
 >

pom.xml

@@ -26,6 +26,7 @@
     </pluginRepositories>
 
     <dependencies>
+        <!-- spring boot -->
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-data-jpa</artifactId>
@@ -50,6 +51,8 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-thymeleaf</artifactId>
         </dependency>
+
+        <!-- https://mvnrepository.com/artifact/org.projectlombok/lombok -->
         <dependency>
             <groupId>org.projectlombok</groupId>
             <artifactId>lombok</artifactId>
@@ -63,14 +66,12 @@
             <version>1.0.2</version>
         </dependency>
 
-
         <!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-data -->
         <dependency>
             <groupId>org.springframework.security</groupId>
             <artifactId>spring-security-data</artifactId>
         </dependency>
 
-
         <!-- flyway database | migrations -->
         <dependency>
             <groupId>org.flywaydb</groupId>
@@ -85,17 +86,17 @@
         <dependency>
             <groupId>org.springdoc</groupId>
             <artifactId>springdoc-openapi-ui</artifactId>
-            <version>1.5.13</version>
+            <version>1.6.6</version>
         </dependency>
         <dependency>
             <groupId>org.springdoc</groupId>
             <artifactId>springdoc-openapi-webmvc-core</artifactId>
-            <version>1.5.13</version>
+            <version>1.6.6</version>
         </dependency>
         <dependency>
             <groupId>org.springdoc</groupId>
             <artifactId>springdoc-openapi-security</artifactId>
-            <version>1.5.13</version>
+            <version>1.6.5</version>
         </dependency>
 
         <!-- Token JWT -->
@@ -126,6 +127,7 @@
             <version>5.1.3</version>
         </dependency>
 
+        <!-- extras -->
         <dependency>
             <groupId>org.thymeleaf.extras</groupId>
             <artifactId>thymeleaf-extras-java8time</artifactId>
@@ -146,6 +148,7 @@
             <optional>true</optional>
         </dependency>
 
+        <!-- database -->
         <dependency>
             <groupId>com.h2database</groupId>
             <artifactId>h2</artifactId>
@@ -157,6 +160,21 @@
             <scope>runtime</scope>
         </dependency>
 
+        <!-- rate limit -->
+        <dependency>
+            <groupId>com.giffing.bucket4j.spring.boot.starter</groupId>
+            <artifactId>bucket4j-spring-boot-starter</artifactId>
+            <version>0.5.0</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-cache</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.ehcache</groupId>
+            <artifactId>ehcache</artifactId>
+        </dependency>
+
         <!-- tests -->
         <dependency>
             <groupId>org.springframework.boot</groupId>

src/main/java/com/github/throyer/common/springboot/Application.java

@@ -2,11 +2,12 @@
 
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.cache.annotation.EnableCaching;
 import org.springframework.data.jpa.repository.config.EnableJpaRepositories;
 
+@EnableCaching
 @SpringBootApplication
 public class Application {
-
     public static void main(String... args) {
         SpringApplication.run(Application.class, args);
     }

src/main/java/com/github/throyer/common/springboot/utils/Constants.java

@@ -17,13 +17,15 @@ public Constants(
         @Value("${token.secret}") String tokenSecret,
         @Value("${token.expiration-in-hours}") Integer tokenExpirationInHours,
         @Value("${token.refresh.expiration-in-days}") Integer refreshTokenExpirationInDays,
-        @Value("${recovery.minutes-to-expire}") Integer recoveryMinutesToExpire
+        @Value("${recovery.minutes-to-expire}") Integer recoveryMinutesToExpire,
+        @Value("${bucket4j.filters[0].rate-limits[0].bandwidths[0].capacity}") Integer maxRequestsPerMinute
     ) {
         Constants.SECURITY.TOKEN_SECRET = tokenSecret;
         Constants.SECURITY.TOKEN_EXPIRATION_IN_HOURS = tokenExpirationInHours;
         Constants.SECURITY.REFRESH_TOKEN_EXPIRATION_IN_DAYS = refreshTokenExpirationInDays;
 
         Constants.MAIL.MINUTES_TO_EXPIRE_RECOVERY_CODE = recoveryMinutesToExpire;
+        Constants.RATE_LIMIT.MAX_REQUESTS_PER_MINUTE = maxRequestsPerMinute;
     }
 
     public static class SECURITY {
@@ -84,6 +86,10 @@ public static class MAIL {
         public static final String UNABLE_TO_SEND_EMAIL_MESSAGE_TEMPLATE = "Unable to send email to: %s";
     }
 
+    public static class RATE_LIMIT {
+        public static Integer MAX_REQUESTS_PER_MINUTE;
+    }
+
     /**
      * Validation messages.
      * @see "resources/messages.properties"

src/main/resources/application.properties

@@ -59,4 +59,23 @@ server.servlet.encoding.force-response=true
 # locale
 spring.web.locale=en
 spring.messages.encoding=UTF-8
-spring.messages.fallback-to-system-locale=false
+spring.messages.fallback-to-system-locale=false
+
+# rate limit
+spring.cache.jcache.config=classpath:ehcache.xml
+bucket4j.enabled=true
+bucket4j.filters[0].cache-name=buckets
+bucket4j.filters[0].filter-method=servlet
+bucket4j.filters[0].http-response-body={ "status": 249, "message": "Too many requests" }
+bucket4j.filters[0].url=.*
+bucket4j.filters[0].metrics.enabled=true
+bucket4j.filters[0].metrics.tags[0].key=IP
+bucket4j.filters[0].metrics.tags[0].expression=getRemoteAddr()
+bucket4j.filters[0].strategy=first
+bucket4j.filters[0].rate-limits[0].skip-condition=getRequestURI().contains('/swagger-ui') || getRequestURI().contains('/documentation')
+bucket4j.filters[0].rate-limits[0].expression=getRemoteAddr()
+bucket4j.filters[0].rate-limits[0].bandwidths[0].capacity=${MAX_REQUESTS_PER_MINUTE:10}
+bucket4j.filters[0].rate-limits[0].bandwidths[0].time=1
+bucket4j.filters[0].rate-limits[0].bandwidths[0].unit=minutes
+bucket4j.filters[0].rate-limits[0].bandwidths[0].fixed-refill-interval=0
+bucket4j.filters[0].rate-limits[0].bandwidths[0].fixed-refill-interval-unit=minutes

src/main/resources/ehcache.xml

@@ -0,0 +1,14 @@
+<config xmlns='http://www.ehcache.org/v3'
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns:jsr107="http://www.ehcache.org/v3/jsr107"
+        xsi:schemaLocation="http://www.ehcache.org/v3 http://www.ehcache.org/schema/ehcache-core-3.0.xsd
+							http://www.ehcache.org/v3/jsr107 http://www.ehcache.org/schema/ehcache-107-ext-3.0.xsd">
+    <cache alias="buckets">
+        <expiry>
+            <ttl unit="seconds">3600</ttl>
+        </expiry>
+        <heap unit="entries">1000000</heap>
+        <jsr107:mbeans enable-statistics="true"/>
+    </cache>
+
+</config>

src/test/java/com/github/throyer/common/springboot/localization/InternationalizationTests.java renamed to src/test/java/com/github/throyer/common/springboot/InternationalizationTests.java

@@ -1,4 +1,4 @@
-package com.github.throyer.common.springboot.localization;
+package com.github.throyer.common.springboot;
 
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Test;

src/test/java/com/github/throyer/common/springboot/RateLimitTests.java

@@ -0,0 +1,46 @@
+package com.github.throyer.common.springboot;
+
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.TestInstance;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.web.servlet.MockMvc;
+
+import static com.github.throyer.common.springboot.utils.Constants.RATE_LIMIT.MAX_REQUESTS_PER_MINUTE;
+import static java.lang.String.valueOf;
+import static org.junit.jupiter.api.TestInstance.Lifecycle.PER_CLASS;
+import static org.springframework.boot.test.context.SpringBootTest.WebEnvironment.MOCK;
+import static org.springframework.http.HttpHeaders.CONTENT_TYPE;
+import static org.springframework.http.MediaType.APPLICATION_JSON;
+import static org.springframework.test.annotation.DirtiesContext.ClassMode.BEFORE_CLASS;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@AutoConfigureMockMvc
+@TestInstance(PER_CLASS)
+@SpringBootTest(webEnvironment = MOCK)
+@DirtiesContext(classMode = BEFORE_CLASS)
+public class RateLimitTests {
+    @Autowired
+    private MockMvc api;
+
+    @Test
+    @DisplayName("Deve retornar TOO_MANY_REQUESTS quando a quantidade de requests passar do limite.")
+    public void should_return_TOO_MANY_REQUESTS_when_number_of_requests_exceeds_the_limit() throws Exception {
+        var request = get("/api")
+                .header(CONTENT_TYPE, APPLICATION_JSON);
+
+        for (int index = MAX_REQUESTS_PER_MINUTE; index > 0; index--) {
+            api.perform(request)
+                    .andExpect(header().string("X-Rate-Limit-Remaining", valueOf(index - 1)))
+                    .andExpect(status().isOk());
+        }
+
+        api.perform(request)
+                .andExpect(status().isTooManyRequests());
+    }
+}

src/test/resources/application.properties

@@ -47,4 +47,23 @@ server.servlet.encoding.force-response=true
 # locale
 spring.web.locale=en
 spring.messages.encoding=UTF-8
-spring.messages.fallback-to-system-locale=false
+spring.messages.fallback-to-system-locale=false
+
+# rate limit
+spring.cache.jcache.config=classpath:ehcache.xml
+bucket4j.enabled=true
+bucket4j.filters[0].cache-name=buckets
+bucket4j.filters[0].filter-method=servlet
+bucket4j.filters[0].http-response-body={ "status": 249, "message": "Too many requests" }
+bucket4j.filters[0].url=/api
+bucket4j.filters[0].metrics.enabled=true
+bucket4j.filters[0].metrics.tags[0].key=IP
+bucket4j.filters[0].metrics.tags[0].expression=getRemoteAddr()
+bucket4j.filters[0].strategy=first
+bucket4j.filters[0].rate-limits[0].skip-condition=getRequestURI().contains('/swagger-ui') || getRequestURI().contains('/documentation')
+bucket4j.filters[0].rate-limits[0].expression=getRemoteAddr()
+bucket4j.filters[0].rate-limits[0].bandwidths[0].capacity=${MAX_REQUESTS_PER_MINUTE:10}
+bucket4j.filters[0].rate-limits[0].bandwidths[0].time=1
+bucket4j.filters[0].rate-limits[0].bandwidths[0].unit=minutes
+bucket4j.filters[0].rate-limits[0].bandwidths[0].fixed-refill-interval=0
+bucket4j.filters[0].rate-limits[0].bandwidths[0].fixed-refill-interval-unit=minutes