PHP download

Download the PHP package maba/gentle-force-bundle without Composer

On this page you can find all versions of the php package maba/gentle-force-bundle. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

Table of contents
Download maba/gentle-force-bundle
More information about maba/gentle-force-bundle
Files in maba/gentle-force-bundle

Vendor maba
Package gentle-force-bundle
Short Description Symfony bundle that integrates gentle-force library for limiting both brute-force attempts and ordinary requests, using leaky/token bucket algorithm, based on Redis
License MIT

Keywords security throttle rate limiting rate limit Symfony Bundle brute-force DOS protection token bucket bruteforce rate limiter leaky bucket brute force protection threshold

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:

If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.

Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
To use Composer is sometimes complicated. Especially for beginners.
Composer needs much resources. Sometimes they are not available on a simple webspace.
If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.

Please rate this library. Is it a good library?

Example code of maba/gentle-force-bundle

Informations about the package gentle-force-bundle

Gentle-force bundle: brute-force, error and request rate limiting

This is a symfony bundle for rate-limiting both brute-force attempts (like invalid credentials) and ordinary requests.

It integrates standalone gentle-force library into Symfony framework.

Features

can be used to limit brute-force attempts;
can be used for request rate limiting;
uses leaky / token bucket algorithm. This means that user does not have to wait for next hour or day - additional attempts are possible as time goes by. This also means that requests do not come in big batches when every hour starts;
handles race-conditions. This is important for brute-force limiting. For example, if 1000 requests are issued at the same time to check same user's password, only configured number of attempts will be possible;
can have several limits configured for single use-case (for example maximum of 100 requests per minute and 200 per hour);
does not make assumptions about where and what it's used for - it can be used with user identifiers, API tokens, IP addresses or any other data to group usages;
provides integration with Google reCAPTCHA.

Installation

If using recaptcha

Import routing in app/routing.yml:

Usage

Usually it's enough to configure listeners in config.yml file.

You can also inject limiting service and incorporate your custom logic - see advanced usage below.

Configuration

Examples

Example configuration for API request limiting by IP address and user:

Example configuration for limiting failures in login form:

Limits

Limits are defined by concrete use-case. It may be your API request, credentials failure, password reset attempt, registering for email subscription, checking if username is available etc.

Use any unique key for identifying limit configuration - use same limit key later to calculate if concrete limit is reached.

Each limit configuration can have several limits defined. This is useful if you want to have blocking with bigger intervals on more repeating failures or requests. For example, you can have different limits for minute, day and week for the same use-case. If any of defined limits is reached, request is blocked.

You can configure following keys for limits:

max_usages;
period. Measured in seconds, you can use suffixes s (seconds), m (minutes), h (hours), d (days) or w (weeks);
bucketed_usages. Optional, additional usages available on top of max_usages. Does not effect speed of additional tokens (see token bucket);
bucketed_period. Optional, mutually exclusive with bucketed_usages. Period for additional usages to be added on top of max_usages if not being used. Period suffixes available.

Listeners

Each configured listener can potentially block the request.

Filtering

To filter requests on which limit must be applied, use following keys:

path. Regex to match request path;
methods. List of request methods;
hosts. List of hosts.

Limiting

You must always configure limits_key and identifiers for each listener to use for limiting requests.

identifiers are used to specify items from request that will be used for limiting. ip and username identifiers are available by default, you can also register additional identifiers.

If several identifiers are specified, all of them must match for available limit to be decreased.

Keep in mind, that if at least one identifier is unavailable, limit is not applied at all. So, if limiting by [ip, username], unauthorised requests will not be limited at all.

Handling successful requests

For brute-force attempts, bundle needs to check if request was successful or not. By design, bundle checks and increases usage count in advance, even before checking if everything is fine. Thus, if request was valid, this count must be decreased.

For configuring what's considered successful response, use one of the following:

success_statuses. Provide list of HTTP response statuses that indicates successful response;
failure_statuses. Same as success_statuses, but in reverse - everything else is considered successful;
success_matcher. Service ID to use for identifying whether response is successful. Service must implement SuccessMatcherInterface.

If you skip all three, all requests are considered as a failure - that is, functionality handles basic request limiting.

Defining strategy for reached limit

Use strategy key to identify strategy to use if limit for this listener is reached. See strategies below for more information.

Strategies

Following strategies are available:

headers. Returns pre-configured response with 429 Too Many Requests status code. This is default one;
log. Does not modify response, just logs failures. Usable in configuration testing phase;
recaptcha_headers. Same as headers but adds recaptcha site key. Can be used by JavaScript code to initiate recaptcha widget;
recaptcha_template. Returns HTML response with recaptcha widget. After successfully submitting recaptcha, current page is refreshed.

You can configure and use your own strategy - just provide service ID instead of pre-configured key. Strategy must implement StrategyInterface and optionally ResponseModifyingStrategyInterface to modify successful responses.

Headers

Configuration options:

content. Content to return in response;
content_type. Content type for response;
wait_for_header. Header name to use in rate exceeded responses. This response header defines minimum time to wait in seconds before repeating the request;
requests_available_header. Header name to use in successful responses to identify how many requests are available at this moment.

Log

You can configure level to use for logging (defaults to error).

Recaptcha

For recaptcha_headers you can configure site_key_header and unlock_url_header to specify header names to use in rate exceeded response to provide configured recaptcha site key and unlock absolute url.

For recaptcha_template you can configure template to use for generating response. See templates inside the bundle for more information about what data is passed. TwigBundle is needed for this strategy to work.

For both strategies, you must install recaptcha (see installation) and configure recaptcha site data (see configuration examples).

When routing is imported, maba_gentle_force_unlock_recaptcha route is available (POST method). Pass recaptcha response in g-recaptcha-response field using application/x-www-form-urlencoded encoding. Empty 200 response means that rate limit was reset. In case of error, 400 response is returned with JSON content, errors key will hold array of errors from recaptcha service. See RecaptchaUnlockController and JavaScript code in twig templates for more information.

Redis

To configure redis client, either use host (defaults to localhost) or parameters and options (allows to configure connection to redis sentinels) or service_id to provide custom Predis\Redis service

You can configure prefix for additional prefix for all created keys.

If you prefer to avoid rate limiting at all if redis connection would fail, but still serve requests as usual, configure failure_strategy as ignore. In case of connection failure, you'd get error logged instead of unhandled exception causing 500 responses.

Full configuration reference

Additional identifiers

You can provide additional identifiers to configure in your listeners.

You need to create service which implements IdentifierProviderInterface and tag it with maba_gentle_force.identifier_provider (provide name in identifierType attribute).

For example:

Advanced usage

Rate limiting:

Brute force limiting:

Resetting specific limits manually

There are two commands that can reset the limit manually, if needed.

maba:gentle-force:reset command interactively asks for wanted listener configuration and each identifier (like username, IP etc.)

maba:gentle-force:reset-limit command takes 2 arguments - limit key and identifier to reset the limit. This could be used when limits are set with advanced usage and concrete identifier to use is known.

Semantic versioning

This bundle follows semantic versioning.

Public API of this bundle (in other words, you should only use these features if you want to easily update to new versions):

only services that are not marked as public="false"
only classes, interfaces and class methods that are marked with @api
console commands
supported DIC tags
configuration reference
routing keys and controllers with routes

For example, if only class method is marked with @api, you should not extend that class, as constructor could change in any release.

See Symfony BC rules for basic information about what can be changed and what not in the API. Keep in mind, that in this bundle everything is @internal by default.

Running tests

Contributing

Feel free to create issues and give pull requests.

You can fix any code style issues using this command:

All versions of gentle-force-bundle with dependencies

PHP Build Version

Package Version

Version 0.6.3 Release 26. Aug 2021
create-project require 1 people choosed require and
0 people choosed create-project.

Download

Download latest version of gentle-force-bundle from vendor maba

Requires php Version ^7.1 | ^8.0
maba/gentle-force Version ^0.2.1|^0.3
symfony/framework-bundle Version ^4.3|^5.0
maba/dependency-injection-extra Version ^0.1.1|^1.0
psr/log Version ^1.0

Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package maba/gentle-force-bundle contains the following files

Loading the files please wait ....