RateLimitFilter.java
/*
* UVerify Backend
* Copyright (C) 2025 Fabian Bormann
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
package io.uverify.backend.filter;
import io.github.bucket4j.Bandwidth;
import io.github.bucket4j.Bucket;
import io.github.bucket4j.ConsumptionProbe;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import java.io.IOException;
import java.time.Duration;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;
@Component
@Order(1)
public class RateLimitFilter extends OncePerRequestFilter {
private static final int MAX_BODY_BYTES = 512 * 1024;
@Value("${rate-limit.enabled:true}")
private boolean enabled;
@Value("${rate-limit.requests-per-minute:20}")
private int requestsPerMinute;
private final Map<String, Bucket> buckets = new ConcurrentHashMap<>();
private Bucket createBucket() {
return Bucket.builder()
.addLimit(Bandwidth.builder()
.capacity(requestsPerMinute)
.refillGreedy(requestsPerMinute, Duration.ofMinutes(1))
.build())
.build();
}
@Override
protected boolean shouldNotFilter(HttpServletRequest request) {
return !enabled
|| !"POST".equalsIgnoreCase(request.getMethod())
|| !request.getRequestURI().startsWith("/api/v1/");
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
throws ServletException, IOException {
int contentLength = request.getContentLength();
if (contentLength > MAX_BODY_BYTES) {
sendError(response, HttpStatus.PAYLOAD_TOO_LARGE, "Request body exceeds the 512 KB limit.");
return;
}
String ip = request.getRemoteAddr();
Bucket bucket = buckets.computeIfAbsent(ip, k -> createBucket());
ConsumptionProbe probe = bucket.tryConsumeAndReturnRemaining(1);
if (probe.isConsumed()) {
response.addHeader("X-Rate-Limit-Remaining", String.valueOf(probe.getRemainingTokens()));
chain.doFilter(request, response);
} else {
long retryAfter = TimeUnit.NANOSECONDS.toSeconds(probe.getNanosToWaitForRefill()) + 1;
response.addHeader("Retry-After", String.valueOf(retryAfter));
sendError(response, HttpStatus.TOO_MANY_REQUESTS, "Rate limit exceeded. Retry after " + retryAfter + " seconds.");
}
}
private void sendError(HttpServletResponse response, HttpStatus status, String message) throws IOException {
response.setStatus(status.value());
response.setContentType(MediaType.APPLICATION_JSON_VALUE);
response.getWriter().write("{\"error\":\"" + message + "\"}");
}
}