Queue ip addresses for block whenever they exceed the rate limit too much

2025-12-18 17:23:28 +00:00 · 2016-11-30 21:51:43 -05:00
parent 2d045859e7
commit b87c9c1a5a
7 changed files with 93 additions and 10 deletions
--- a/src/Api/Middleware/CustomIpRateLimitMiddleware.cs
+++ b/src/Api/Middleware/CustomIpRateLimitMiddleware.cs
@@ -1,6 +1,8 @@
 using AspNetCoreRateLimit;
 using Bit.Api.Models.Response;
+using Bit.Core.Services;
 using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Caching.Memory;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using Newtonsoft.Json;
@@ -11,17 +13,25 @@ namespace Bit.Api.Middleware
    public class CustomIpRateLimitMiddleware : IpRateLimitMiddleware
    {
        private readonly IpRateLimitOptions _options;
+        private readonly IMemoryCache _memoryCache;
+        private readonly IBlockIpService _blockIpService;
+        private readonly ILogger<IpRateLimitMiddleware> _logger;

        public CustomIpRateLimitMiddleware(
+            IMemoryCache memoryCache,
+            IBlockIpService blockIpService,
            RequestDelegate next,
            IOptions<IpRateLimitOptions> options,
            IRateLimitCounterStore counterStore,
            IIpPolicyStore policyStore,
            ILogger<IpRateLimitMiddleware> logger,
-            IIpAddressParser ipParser = null
-            ) : base(next, options, counterStore, policyStore, logger, ipParser)
+            IIpAddressParser ipParser = null)
+            : base(next, options, counterStore, policyStore, logger, ipParser)
        {
+            _memoryCache = memoryCache;
+            _blockIpService = blockIpService;
            _options = options.Value;
+            _logger = logger;
        }

        public override Task ReturnQuotaExceededResponse(HttpContext httpContext, RateLimitRule rule, string retryAfter)
@@ -35,5 +45,27 @@ namespace Bit.Api.Middleware
            var errorModel = new ErrorResponseModel { Message = message };
            return httpContext.Response.WriteAsync(JsonConvert.SerializeObject(errorModel));
        }
+
+        public override void LogBlockedRequest(HttpContext httpContext, ClientRequestIdentity identity,
+            RateLimitCounter counter, RateLimitRule rule)
+        {
+            base.LogBlockedRequest(httpContext, identity, counter, rule);
+            var key = $"blockedIp_{identity.ClientIp}";
+
+            int blockedCount;
+            _memoryCache.TryGetValue(key, out blockedCount);
+
+            blockedCount++;
+            if(blockedCount > 10)
+            {
+                _blockIpService.BlockIpAsync(identity.ClientIp, false);
+                _logger.LogDebug("Blocked " + identity.ClientIp);
+            }
+            else
+            {
+                _memoryCache.Set(key, blockedCount,
+                    new MemoryCacheEntryOptions().SetSlidingExpiration(new System.TimeSpan(0, 5, 0)));
+            }
+        }
    }
 }