[HttpFoundation] Prevent accepted rate limits with no remaining token to be preferred over denied ones

MatTheCat · fabpot · commit f4bfe9611b11 · 2022-08-19T09:33:17.000+02:00
diff --git a/RateLimiter/AbstractRequestRateLimiter.php b/RateLimiter/AbstractRequestRateLimiter.php
@@ -35,9 +35,7 @@ public function consume(Request $request): RateLimit
         foreach ($limiters as $limiter) {
             $rateLimit = $limiter->consume(1);
 
-            if (null === $minimalRateLimit || $rateLimit->getRemainingTokens() < $minimalRateLimit->getRemainingTokens()) {
-                $minimalRateLimit = $rateLimit;
-            }
+            $minimalRateLimit = $minimalRateLimit ? self::getMinimalRateLimit($minimalRateLimit, $rateLimit) : $rateLimit;
         }
 
         return $minimalRateLimit;
@@ -54,4 +52,20 @@ public function reset(Request $request): void
      * @return LimiterInterface[] a set of limiters using keys extracted from the request
      */
     abstract protected function getLimiters(Request $request): array;
+
+    private static function getMinimalRateLimit(RateLimit $first, RateLimit $second): RateLimit
+    {
+        if ($first->isAccepted() !== $second->isAccepted()) {
+            return $first->isAccepted() ? $second : $first;
+        }
+
+        $firstRemainingTokens = $first->getRemainingTokens();
+        $secondRemainingTokens = $second->getRemainingTokens();
+
+        if ($firstRemainingTokens === $secondRemainingTokens) {
+            return $first->getRetryAfter() < $second->getRetryAfter() ? $second : $first;
+        }
+
+        return $firstRemainingTokens > $secondRemainingTokens ? $second : $first;
+    }
 }
diff --git a/Tests/RateLimiter/AbstractRequestRateLimiterTest.php b/Tests/RateLimiter/AbstractRequestRateLimiterTest.php
@@ -0,0 +1,64 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\HttpFoundation\Tests\RateLimiter;
+
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\RateLimiter\LimiterInterface;
+use Symfony\Component\RateLimiter\RateLimit;
+
+class AbstractRequestRateLimiterTest extends TestCase
+{
+    /**
+     * @dataProvider provideRateLimits
+     */
+    public function testConsume(array $rateLimits, ?RateLimit $expected)
+    {
+        $rateLimiter = new MockAbstractRequestRateLimiter(array_map(function (RateLimit $rateLimit) {
+            $limiter = $this->createStub(LimiterInterface::class);
+            $limiter->method('consume')->willReturn($rateLimit);
+
+            return $limiter;
+        }, $rateLimits));
+
+        $this->assertSame($expected, $rateLimiter->consume(new Request()));
+    }
+
+    public function provideRateLimits()
+    {
+        $now = new \DateTimeImmutable();
+
+        yield 'Both accepted with different count of remaining tokens' => [
+            [
+                $expected = new RateLimit(0, $now, true, 1), // less remaining tokens
+                new RateLimit(1, $now, true, 1),
+            ],
+            $expected,
+        ];
+
+        yield 'Both accepted with same count of remaining tokens' => [
+            [
+                $expected = new RateLimit(0, $now->add(new \DateInterval('P1D')), true, 1), // longest wait time
+                new RateLimit(0, $now, true, 1),
+            ],
+            $expected,
+        ];
+
+        yield 'Accepted and denied' => [
+            [
+                new RateLimit(0, $now, true, 1),
+                $expected = new RateLimit(0, $now, false, 1), // denied
+            ],
+            $expected,
+        ];
+    }
+}
diff --git a/Tests/RateLimiter/MockAbstractRequestRateLimiter.php b/Tests/RateLimiter/MockAbstractRequestRateLimiter.php
@@ -0,0 +1,34 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\HttpFoundation\Tests\RateLimiter;
+
+use Symfony\Component\HttpFoundation\RateLimiter\AbstractRequestRateLimiter;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\RateLimiter\LimiterInterface;
+
+class MockAbstractRequestRateLimiter extends AbstractRequestRateLimiter
+{
+    /**
+     * @var LimiterInterface[]
+     */
+    private $limiters;
+
+    public function __construct(array $limiters)
+    {
+        $this->limiters = $limiters;
+    }
+
+    protected function getLimiters(Request $request): array
+    {
+        return $this->limiters;
+    }
+}
diff --git a/composer.json b/composer.json
@@ -27,7 +27,8 @@
         "symfony/dependency-injection": "^5.4|^6.0",
         "symfony/http-kernel": "^5.4.12|^6.0.12|^6.1.4",
         "symfony/mime": "^4.4|^5.0|^6.0",
-        "symfony/expression-language": "^4.4|^5.0|^6.0"
+        "symfony/expression-language": "^4.4|^5.0|^6.0",
+        "symfony/rate-limiter": "^5.2|^6.0"
     },
     "suggest" : {
         "symfony/mime": "To use the file extension guesser"
