Add rate limiting on login, order, invitation, contact routes

- Login: 5 attempts / 15 min (Symfony login_throttling) - Order create: 10 / 5 min (sliding window) - Invitation respond/register: 5 / 15 min - Contact form: 3 / 10 min - RateLimiterSubscriber with route-to-limiter mapping - Returns 429 when rate limited Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-22 20:01:01 +01:00
parent 207e985821
commit 36456e8dfe
8 changed files with 227 additions and 2 deletions
--- a/config/packages/rate_limiter.yaml
+++ b/config/packages/rate_limiter.yaml
@@ -0,0 +1,14 @@
+framework:
+    rate_limiter:
+        order_create:
+            policy: 'sliding_window'
+            limit: 10
+            interval: '5 minutes'
+        invitation_respond:
+            policy: 'sliding_window'
+            limit: 5
+            interval: '15 minutes'
+        contact_form:
+            policy: 'sliding_window'
+            limit: 3
+            interval: '10 minutes'
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@@ -15,6 +15,9 @@ security:
        main:
            lazy: true
            provider: app_user_provider
+            login_throttling:
+                max_attempts: 5
+                interval: '15 minutes'
            form_login:
                login_path: app_login
                check_path: app_login
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -20,6 +20,13 @@ services:
    App\:
        resource: '../src/'

+    App\EventSubscriber\RateLimiterSubscriber:
+        arguments:
+            $limiters:
+                order_create: '@limiter.order_create'
+                invitation_respond: '@limiter.invitation_respond'
+                contact_form: '@limiter.contact_form'
+
    # add more service definitions when explicit configuration is needed
    # please note that last definitions always *replace* previous ones