bedrockstreaming/rate-limit-bundle

Manage rate limitation for your routes

Maintainers

Details

github.com/BedrockStreaming/RateLimitBundle

Source

Issues

Installs: 23 847

Dependents: 0

Suggesters: 0

Security: 0

Stars: 3

Watchers: 33

Forks: 1

Open Issues: 1

Type:symfony-bundle

pkg:composer/bedrockstreaming/rate-limit-bundle

v4.1.0 2023-02-17 13:37 UTC

Requires

Requires (Dev)

Suggests

MIT 5fe0d723396757224a8f30cddca58db7228380b8

  • Bedrock <opensource.woop@bedrockstreaming.com>

This package is auto-updated.

Last update: 2025-10-17 08:06:03 UTC

README

This bundle provides an easy way to protect your project by limiting access to your controllers.

Install the bundle

composer require bedrockstreaming/rate-limit-bundle

Update your config/bundles.php file to add the bundle for all env

<?php

return [
    ...
    Bedrock\Bundle\RateLimitBundle\RateLimitBundle::class => ['all' => true],
    ...
];

Configure the bundle

Add the config/packages/bedrock_rate_limit.yaml file with the following data.

bedrock_rate_limit:
    limit: 25 # 1000 requests by default
    period: 600 # 60 seconds by default
    limit_by_route: true|false # false by default
    display_headers: true|false # false by default

By default, the limitation is common to all routes annotated #[RateLimit]. For example, if you keep the default configuration and you configure the #[RateLimit] attribute in 2 routes. Limit will shared between this 2 routes, if user consume all authorized calls on the first route, the second route couldn't be called. If you swicth limit_by_route to true, users will be allowed to reach the limit on each route annotated.

#[GraphQLRateLimit]attribute allows you to rate limit by graphQL query or mutation. /!\ To use this attribute, you will need to install suggested package.

If you switch display_headers to true, 3 headers will be added x-rate-limit, x-rate-limit-hits, x-rate-limit-untils to your responses. This can be usefull to debug your limitations. display_headers is used to display a verbose return if limit is reached.

Configure your storage

You must tell Symfony which storage implementation you want to use.

Update your config/services.yml like this:

    ...
    Bedrock\Bundle\RateLimitBundle\Storage\RateLimitStorageInterface: '@Bedrock\Bundle\RateLimitBundle\Storage\RateLimitInMemoryStorage'
    ...

By default, only RateLimitInMemory is provided. But feel free to create your own by implementing RateLimitStorageInterface or ManuallyResetableRateLimitStorageInterface. If your database has a TTL system (like Redis), you can implement only RateLimitStorageInterface. Otherwhise you must implement also ManuallyResetableRateLimitStorageInterface to manually delete rate limit in your database.

Configure your modifiers

Modifiers are a way to customize the rate limit.

This bundle provides 2 modifiers:

  • HttpMethodRateLimitModifier limits the requests by http_method.
  • RequestAttributeRateLimitModifier limits the requests by attributes value (taken from the $request->attributes Symfony's bag).

Update your config/services.yml like this:

    ...
    Bedrock\Bundle\RateLimitBundle\RateLimitModifier\HttpMethodRateLimitModifier:
        tags: [ 'rate_limit.modifiers' ]   

    Bedrock\Bundle\RateLimitBundle\RateLimitModifier\RequestAttributeRateLimitModifier:
            arguments:
                $attributeName: 'myRequestAttribute'
            tags: [ 'rate_limit.modifiers' ]
 
    ...

You can also create your own rate limit modifier by implementing RateLimitModifierInterface and tagging your service accordingly.

Configure your routes

With attribute

Add the #[RateLimit] attribute to your controller methods (by default, the limit will be 1000 requests per minute). This attribute accepts parameters to customize the rate limit. The following example shows how to limit requests on a route at the rate of 10 requests max every 2 minutes. :warning: This customization only works if the limit_by_route parameter is true

#[RateLimit(limit: 10, period: 120)]

To rate limit your graphQL API, add the #[GraphQlRateLimit] attribute to your graphQL controller. This attribute requires a list of endpoints and accepts parameters to customize the rate limit. The following example shows how to limit requests on an endpoint at the rate of 10 requests max every 2 minutes and on default limitations.

#[GraphQlRateLimit(
    endpoints: [
        [ 'endpoint' => 'GetMyQuery', 'limit' => 10, 'period' => 12],
        [ 'endpoint' => 'EditMyMutation'],
    ]
)]

In YAML

You also may add your rate limits in configuration files (Yaml) with the route name. If period or limit is not defined for a route, the bundle will take the common option.

bedrock_rate_limit:
    limit: 1000
    period: 60

    routes:
        get_foobar:
            limit: 500
            period: 10
        post_foobar:
            period: 10

Migration to php8

If you use rector you can use those rules to automatically migrate annotation to attributes :

$rectorConfig->ruleWithConfiguration(
    \Rector\Php80\Rector\Class_\AnnotationToAttributeRector::class,
    [
        new \Rector\Php80\ValueObject\AnnotationToAttribute(
        'Bedrock\Bundle\RateLimitBundle\Annotation\GraphQLRateLimit',
        \Bedrock\Bundle\RateLimitBundle\Attribute\GraphQLRateLimit::class
        ),
        new \Rector\Php80\ValueObject\AnnotationToAttribute(
            'Bedrock\Bundle\RateLimitBundle\Annotation\RateLimit',
            \Bedrock\Bundle\RateLimitBundle\Attribute\RateLimit::class
        )
    ],
);