* Add rate limiting to cart endpoints based on session
* Handle nonce and rate checks in permission_callback
* Rate limit checkout only
* Debug
* Unused AbstractRoute
* Code standards
* Modify core rate limit table
* Add rate limit at rest api level, not route level
* Rate limit helper
* Remove rate limit from routes
* Unused dep
* Remove custom error logic no longer needed
* Remove dependency
* Remove custom permission_callback
* Hash IP and handle null
* Remove error response handler
* revert error_to_response changes
* Remove add_response_headers
* Remove IDENTIFIER
* Remove white space
* Increase limit
* Missing class comment
* Move rate limiting code within store api codebase
* white space
* Fix return type
* Check rate limit expiry greater than now
* Remove x- prefix
* reorder functions
* remove table
* pass request to add_nonce_headers
* return early and avoid elseif on AbstractCartRoute:get_response()
* Refactor get_ip_address() before implementing options for functionality
* Change rate limit to 5 requests
Co-authored-by: Seghir Nadir <nadir.seghir@gmail.com>
* Change rate limit window to 60 seconds
Co-authored-by: Seghir Nadir <nadir.seghir@gmail.com>
* Disable rate limiting by default
Co-authored-by: Seghir Nadir <nadir.seghir@gmail.com>
* Updated limits comment
* Example for Forwarded header
* Updated "woocommerce_store_api_enable_rate_limit_check" filter doc
* Added filter for the Store API rate limit check proxy support
* Add an action here that carries over the IP address being blocked.
* Added logic around setting the action_id, and returns an error when ip cannot be determined for users not logged in.
* Renamed action for limit exceeded.
* Common rate limiting header naming prefix, and fixed comment typos.
* Doc for Rate Limiting (wip)
* Example for Rate Limiting docs
* Remove private IP range block for rate limiting
* Refactored get_response() to add nonce headers to response instead of request
* Disable batching for Checkout calls to prevent bypassing Rate Limiting.
* Removed redundant arg.
* package-lock.json update
* Removed repeated func calls.
* Fix failing tests.
* Tests wip.
* Request limit and timeframe are now constants for RateLimits utility class.
* Tests for Rate Limit headers.
* Reverted PHPUnit config to enable all tests again.
* Update src/StoreApi/Authentication.php comment wording
Co-authored-by: Thomas Roberts <5656702+opr@users.noreply.github.com>
* Removed possibly unnecessary get_ip_address() call.
* Changed wording on comment for get_ip_address() method.
* Simplified validate_ip() method.
* Fixed wrong header entry for "Forwarded" check.
* Unit testing for Authentication::get_ip_address()
* Comment explaining the reason to use ReflectionClass for testing get_ip_address().
* Support for error output outside batch request.
* MD linting.
* Refactor to implement options through a single filter.
* fixed md lint error and config file
* reverted accidental default func arg value removal
* re-enabled batch support for checkout
* action for limit exceed now also triggered in case we can't resolve the IP.
* Doc tweak.
* Return unresolved IP address when REMOTE_ADDR isn't set with proxy support disabled.
* Group unresolved IPs for rate limiting
* Fixed bug where current limit wasn't properly initialized.
Co-authored-by: Nadir Seghir <nadir.seghir@gmail.com>
Co-authored-by: Paulo Arromba <17236129+wavvves@users.noreply.github.com>
Co-authored-by: Thomas Roberts <5656702+opr@users.noreply.github.com>