Remplacement de ActionThrottling par symfony/rate-limiter

app/config/packages/rate_limiter.yaml

@@ -0,0 +1,6 @@
+framework:
+    rate_limiter:
+        sponsor_token:
+            policy: sliding_window
+            limit: 10
+            interval: '1 hour'

app/config/packages/ting.yaml

@@ -38,10 +38,3 @@ ting:
                 default:
                     connection: main
                     database: "%database_name%"
-        throttling:
-            namespace : AppBundle\Security\ActionThrottling
-            directory : "@AppBundle/Security/ActionThrottling"
-            options:
-                default:
-                    connection: main
-                    database: '%database_name%'

app/config/reference.php

@@ -629,7 +629,7 @@
  *         }>,
  *     },
  *     rate_limiter?: bool|array{ // Rate limiter configuration
- *         enabled?: bool|Param, // Default: false
+ *         enabled?: bool|Param, // Default: true
  *         limiters?: array<string, array{ // Default: []
  *             lock_factory?: scalar|Param|null, // The service ID of the lock factory used by this limiter (or null to disable locking). // Default: "auto"
  *             cache_pool?: scalar|Param|null, // The cache pool to use for storing the current limiter state. // Default: "cache.rate_limiter"

composer.json

@@ -59,6 +59,7 @@
     "symfony/mailer": "^7.4",
     "symfony/mime": "7.4.*",
     "symfony/monolog-bundle": "^3.11",
+    "symfony/rate-limiter": "^8.1",
     "symfony/runtime": "7.4.*",
     "symfony/security-bundle": "7.4.*",
     "symfony/string": "7.4.*",

phpstan-baseline.php

@@ -11431,66 +11431,6 @@
 	'count' => 1,
 	'path' => __DIR__ . '/sources/AppBundle/Routing/LegacyRouter.php',
 ];
-$ignoreErrors[] = [
-	'message' => '#^Method AppBundle\\\\Security\\\\ActionThrottling\\\\ActionThrottling\\:\\:clearLogsForIp\\(\\) has parameter \\$action with no type specified\\.$#',
-	'identifier' => 'missingType.parameter',
-	'count' => 1,
-	'path' => __DIR__ . '/sources/AppBundle/Security/ActionThrottling/ActionThrottling.php',
-];
-$ignoreErrors[] = [
-	'message' => '#^Method AppBundle\\\\Security\\\\ActionThrottling\\\\ActionThrottling\\:\\:clearLogsForIp\\(\\) has parameter \\$ip with no type specified\\.$#',
-	'identifier' => 'missingType.parameter',
-	'count' => 1,
-	'path' => __DIR__ . '/sources/AppBundle/Security/ActionThrottling/ActionThrottling.php',
-];
-$ignoreErrors[] = [
-	'message' => '#^Parameter \\#1 \\$action of method AppBundle\\\\Security\\\\ActionThrottling\\\\LogRepository\\:\\:removeLogs\\(\\) expects string, mixed given\\.$#',
-	'identifier' => 'argument.type',
-	'count' => 1,
-	'path' => __DIR__ . '/sources/AppBundle/Security/ActionThrottling/ActionThrottling.php',
-];
-$ignoreErrors[] = [
-	'message' => '#^Parameter \\#1 \\$ip of method AppBundle\\\\Security\\\\ActionThrottling\\\\Log\\:\\:setIp\\(\\) expects string, string\\|null given\\.$#',
-	'identifier' => 'argument.type',
-	'count' => 1,
-	'path' => __DIR__ . '/sources/AppBundle/Security/ActionThrottling/ActionThrottling.php',
-];
-$ignoreErrors[] = [
-	'message' => '#^Parameter \\#1 \\$objectId of method AppBundle\\\\Security\\\\ActionThrottling\\\\Log\\:\\:setObjectId\\(\\) expects int, int\\|null given\\.$#',
-	'identifier' => 'argument.type',
-	'count' => 1,
-	'path' => __DIR__ . '/sources/AppBundle/Security/ActionThrottling/ActionThrottling.php',
-];
-$ignoreErrors[] = [
-	'message' => '#^Parameter \\#2 \\$ip of method AppBundle\\\\Security\\\\ActionThrottling\\\\LogRepository\\:\\:removeLogs\\(\\) expects string, mixed given\\.$#',
-	'identifier' => 'argument.type',
-	'count' => 1,
-	'path' => __DIR__ . '/sources/AppBundle/Security/ActionThrottling/ActionThrottling.php',
-];
-$ignoreErrors[] = [
-	'message' => '#^Method AppBundle\\\\Security\\\\ActionThrottling\\\\LogRepository\\:\\:getApplicableLogs\\(\\) should return array\\{ip\\: int, object\\: int\\} but returns mixed\\.$#',
-	'identifier' => 'return.type',
-	'count' => 1,
-	'path' => __DIR__ . '/sources/AppBundle/Security/ActionThrottling/LogRepository.php',
-];
-$ignoreErrors[] = [
-	'message' => '#^Method AppBundle\\\\Security\\\\ActionThrottling\\\\LogRepository\\:\\:initMetadata\\(\\) has parameter \\$options with no value type specified in iterable type array\\.$#',
-	'identifier' => 'missingType.iterableValue',
-	'count' => 1,
-	'path' => __DIR__ . '/sources/AppBundle/Security/ActionThrottling/LogRepository.php',
-];
-$ignoreErrors[] = [
-	'message' => '#^Method AppBundle\\\\Security\\\\ActionThrottling\\\\LogRepository\\:\\:initMetadata\\(\\) should return M of CCMBenchmark\\\\Ting\\\\Repository\\\\Metadata but returns CCMBenchmark\\\\Ting\\\\Repository\\\\Metadata\\<object\\>\\.$#',
-	'identifier' => 'return.type',
-	'count' => 1,
-	'path' => __DIR__ . '/sources/AppBundle/Security/ActionThrottling/LogRepository.php',
-];
-$ignoreErrors[] = [
-	'message' => '#^Parameter \\#1 \\$databaseName of method CCMBenchmark\\\\Ting\\\\Repository\\\\Metadata\\<object\\>\\:\\:setDatabase\\(\\) expects string, mixed given\\.$#',
-	'identifier' => 'argument.type',
-	'count' => 1,
-	'path' => __DIR__ . '/sources/AppBundle/Security/ActionThrottling/LogRepository.php',
-];
 $ignoreErrors[] = [
 	'message' => '#^Method AppBundle\\\\Security\\\\GithubAuthenticator\\:\\:onAuthenticationSuccess\\(\\) has parameter \\$firewallName with no type specified\\.$#',
 	'identifier' => 'missingType.parameter',

sources/AppBundle/Controller/Event/Ticket/SponsorTicketAction.php

@@ -6,16 +6,16 @@
 
 use AppBundle\Controller\Event\EventActionHelper;
 use AppBundle\Event\Model\Repository\SponsorTicketRepository;
-use AppBundle\Security\ActionThrottling\ActionThrottling;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpFoundation\Session\Session;
+use Symfony\Component\RateLimiter\RateLimiterFactoryInterface;
 
 final class SponsorTicketAction extends AbstractController
 {
     public function __construct(
-        private readonly ActionThrottling $actionThrottling,
+        private readonly RateLimiterFactoryInterface $sponsorTokenLimiter,
         private readonly EventActionHelper $eventActionHelper,
         private readonly SponsorTicketRepository $sponsorTicketRepository,
     ) {}
@@ -39,19 +39,15 @@ public function __invoke(Request $request, $eventSlug): Response
                 $errors[] = 'Token absent';
             } else {
                 $token = $request->request->get('sponsor_token');
+                $limiter = $this->sponsorTokenLimiter->create($request->getClientIp());
+                $rateLimit = $limiter->consume(1);
                 $sponsorTicket = $this->sponsorTicketRepository->getOneBy(['token' => $token]);
-                if (
-                    $this->actionThrottling->isActionBlocked('sponsor_token', $request->getClientIp())
-                    || $sponsorTicket === null
-                ) {
-                    // Si l'IP a fait trop de tentatives, on affiche le meme message que si le token n'existe pas
-                    // L'ip est bloquée pendant un temps mais il ne faut pas en informer celui qui tente - pour éviter
-                    // qu'il ne change d'IP
+                if (!$rateLimit->isAccepted() || $sponsorTicket === null) {
+                    // Même message que si le token n'existe pas, pour ne pas révéler le blocage
                     $errors[] = 'Ce token n\'existe pas.';
-                    $this->actionThrottling->log('sponsor_token', $request->getClientIp());
                 } else {
+                    $limiter->reset();
                     $session->set('sponsor_ticket_id', $sponsorTicket->getId());
-                    $this->actionThrottling->clearLogsForIp('sponsor_token', $request->getClientIp());
 
                     return $this->redirectToRoute('sponsor_ticket_form', ['eventSlug' => $eventSlug]);
                 }