InstallationExtensionsAPI ReferenceFeedback 📣
Search…
v6.4.0 (stable)
Home
Concepts
Commerce
Framework
Extensions
API
Products
Editions
Plugins
Cloud
PWA
Guides
Installation
Extensions
Overview
Plugins
Plugin Base Guide
Plugins for Symfony developers
Plugin fundamentals
Checkout
Content
Elasticsearch
Framework
Data Handling / DataAbstractionLayer
Custom Fields
Event
Message Queue
Rule
Store API
Filesystem
Flow
Rate Limiter
Add Rate Limiter to API Route
Administration
Storefront
Testing
Themes
Apps
Hosting
Integrations / API
Resources
References
Guidelines
Tooling
Powered By GitBook
Add Rate Limiter to API Route

Overview

In this guide you'll learn how to secure API routes with a rate limit to reduce the risk against bruteforce attacks. If you want to learn more about the configuration of the rate limiter in Shopware, have a look at the rate limiter guide.

Prerequisites

This guide is built upon both the Plugin base guide as well as the Dependency injection guide.
Furthermore you need an existing API route, to create a new one, head over to our Add store API route guide.

Creating a new rate limit

Basic configuration for plugins

First of all, we have to create a new configuration file for our rate limit. In this example we named it rate_limiter.yaml located in <plugin root>/src/Resources/config/. The root key of the configuration is the name which has to be a unique key. In this example we named it example_route.
Each rate limit configuration needs the following keys:
  • enabled: Enables / Disables the rate limit for the specific route (default value: true).
  • policy: Possible policies are fixed_window, sliding_window, token_bucket, time_backoff. For more information check the Symfony documentation.
If you plan to configure the time_backoff policy, head over to rate limiter guide. Otherwise, check the Symfony documentation for the other keys you need for each policy.
<plugin root>/src/Resources/config/rate_limiter.yaml
1
example_route:
2
enabled: true
3
policy: 'time_backoff'
Copied!

Extending rate limit configuration in the DI-container

In this section we will create a small compiler pass called RateLimiterCompilerPass. If you are not very familiar with compiler passes, head over to the Symfony documentation.

Creating compiler pass

<plugin root>/src/CompilerPass/RateLimiterCompilerPass.php
1
<?php declare(strict_types=1);
2
​
3
namespace Swag\BasicExample\CompilerPass;
4
​
5
use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
6
use Symfony\Component\DependencyInjection\ContainerBuilder;
7
use Symfony\Component\Yaml\Yaml;
8
​
9
class RateLimiterCompilerPass implements CompilerPassInterface
10
{
11
public function process(ContainerBuilder $container): void
12
{
13
/** @var array<string, array<string, string>> $rateLimiterConfig */
14
$rateLimiterConfig = $container->getParameter('shopware.api.rate_limiter');
15
​
16
$rateLimiterConfig += Yaml::parseFile(__DIR__ . '/../Resources/config/rate_limiter.yaml');
17
​
18
$container->setParameter('shopware.api.rate_limiter', $rateLimiterConfig);
19
}
20
}
Copied!
As you can see, we're getting the current configuration of the rate limit from the DI-container and extend it by our rate_limiter.yaml and reassign it with the merged configuration.

Adding compiler pass to the container

Now, we have to add our compiler pass to the container. This will be done by overriding the build() method of our SwagBasicExample plugin class. Important here is to use Symfony\Component\DependencyInjection\Compiler\PassConfig::TYPE_BEFORE_OPTIMIZATION with a higher priority, otherwise it will be built too late.
<plugin root>/src/SwagBasicExample.php
1
<?php declare(strict_types=1);
2
​
3
namespace Swag\BasicExample;
4
​
5
use Swag\BasicExample\CompilerPass\RateLimiterCompilerPass;
6
use Shopware\Core\Framework\Plugin;
7
use Shopware\Core\Framework\Plugin\Context\InstallContext;
8
use Symfony\Component\DependencyInjection\Compiler\PassConfig;
9
use Symfony\Component\DependencyInjection\ContainerBuilder;
10
​
11
class SwagBasicExample extends Plugin
12
{
13
public function build(ContainerBuilder $container): void
14
{
15
parent::build($container);
16
​
17
$container->addCompilerPass(new RateLimiterCompilerPass(), PassConfig::TYPE_BEFORE_OPTIMIZATION, 500);
18
}
19
}
Copied!

Implementing rate limit in API route

Inject service

After we've configured our rate limit, we want to use it in our API route. For this we need to inject the Shopware\Core\Framework\RateLimiter\RateLimiter service.
<plugin root>/src/Core/Content/Example/SalesChannel/ExampleRoute.php
1
<?php declare(strict_types=1);
2
​
3
namespace Swag\BasicExample\Core\Content\Example\SalesChannel;
4
​
5
use Shopware\Core\Framework\RateLimiter\RateLimiter;
6
...
7
​
8
/**
9
* @RouteScope(scopes={"store-api"})
10
*/
11
class ExampleRoute extends AbstractExampleRoute
12
{
13
private RateLimiter $rateLimiter;
14
​
15
public function __construct(RateLimiter $rateLimiter)
16
{
17
$this->rateLimiter = $rateLimiter;
18
}
19
​
20
...
21
}
Copied!

Call the rate limiter

After we've injected the service into our API route, we can call the limiter in our route method.
To do this, we call the method ensureAccepted of the rate limiter which accepts the following arguments:
  • route: Unique name of the rate limit, we defined in the configuration.
  • key: Key we want to use to limit the request e.g., the client IP.
When calling the ensureAccepted method it counts the request for the key in the defined cache. If the limit has been exceeded, it throws Shopware\Core\Framework\RateLimiter\Exception\RateLimitExceededException.
<plugin root>/src/Core/Content/Example/SalesChannel/ExampleRoute.php
1
/**
2
* @Route("/store-api/example", name="store-api.example.search", methods={"GET", "POST"})
3
*/
4
public function load(Request $request, SalesChannelContext $context): ExampleRouteResponse
5
{
6
// Limit ip address
7
$this->rateLimiter->ensureAccepted('example_route', $request->getClientIp());
8
9
...
10
}
Copied!

Reset the rate limit

Once we've made a successful request, we want to reset the rate limit for the client. We just have to call the reset method as you can see below.
<plugin root>/src/Core/Content/Example/SalesChannel/ExampleRoute.php
1
/**
2
* @Route("/store-api/example", name="store-api.example.search", methods={"GET", "POST"})
3
*/
4
public function load(Request $request, SalesChannelContext $context): ExampleRouteResponse
5
{
6
// Limit ip address for example
7
$this->rateLimiter->ensureAccepted('example_route', $request->getClientIp());
8
9
// if action was successfully, reset limit
10
if ($this->doAction() === true) {
11
$this->rateLimiter->reset('example_route', $request->getClientIp());
12
}
13
14
...
15
}
Copied!
Previous
Rate Limiter
Next
Administration
Last modified 3mo ago
Copy link
Edit on GitHub
Contents
Overview
Prerequisites
Creating a new rate limit
Basic configuration for plugins
Extending rate limit configuration in the DI-container
Creating compiler pass
Adding compiler pass to the container
Implementing rate limit in API route
Inject service
Call the rate limiter
Reset the rate limit