feat: per-IP rate limiting on the public /api (120/min sliding window)

After a recent crawl pulled every API requirement sequentially from two
datacenter IPs, add Symfony RateLimiter throttling for /api.

- symfony/rate-limiter 7.4.* added (vendored via composer.lock)
- config/packages/rate_limiter.yaml: 'api' limiter, sliding_window, 120 req/min
  per IP, backed by cache.app (filesystem), no lock dep (single VPS)
- ApiRateLimitSubscriber: enforces it on /api at kernel.request, returns
  429 + Retry-After when exceeded; exempts loopback (health checks, internal
  calls, functional-test client)
- ApiRateLimitTest: asserts /api 429s past the limit and non-/api never throttles

Full suite green on PHP 8.4 (200/200). Deploy: composer install + cache:clear.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Author: CyberSecDef

cyber.trackr.live/composer.json

@@ -27,6 +27,7 @@
         "symfony/process": "7.4.*",
         "symfony/property-access": "7.4.*",
         "symfony/property-info": "7.4.*",
+        "symfony/rate-limiter": "7.4.*",
         "symfony/runtime": "7.4.*",
         "symfony/security-bundle": "7.4.*",
         "symfony/serializer": "7.4.*",

cyber.trackr.live/composer.lock

@@ -0,0 +1,14 @@
+framework:
+    rate_limiter:
+        # Per-client-IP limit for the public JSON API. 120 req/min sustained
+        # (~2/sec) is invisible to humans and normal API clients but throttles
+        # bulk crawlers hard. Enforced by App\EventSubscriber\ApiRateLimitSubscriber.
+        api:
+            policy: 'sliding_window'
+            limit: 120
+            interval: '1 minute'
+            # Single-VPS deployment: use the filesystem app cache for counters,
+            # and no lock factory (avoids a hard dep on symfony/lock; the slight
+            # imprecision under concurrency is irrelevant at this scale).
+            cache_pool: 'cache.app'
+            lock_factory: null

cyber.trackr.live/config/packages/rate_limiter.yaml

@@ -0,0 +1,62 @@
+<?php
+
+namespace App\EventSubscriber;
+
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\HttpKernel\Event\RequestEvent;
+use Symfony\Component\HttpKernel\Exception\TooManyRequestsHttpException;
+use Symfony\Component\HttpKernel\KernelEvents;
+use Symfony\Component\RateLimiter\RateLimiterFactoryInterface;
+
+/**
+ * Per-IP rate limiting for the public JSON API.
+ *
+ * Applies the 'api' limiter (120 req/min/IP, sliding window — see
+ * config/packages/rate_limiter.yaml) to every /api request. Invisible to humans
+ * and normal API clients; throttles bulk crawlers. Returns 429 + Retry-After
+ * when the window is exhausted.
+ *
+ * Keyed by client IP, which is accurate on DreamHost where Apache serves PHP
+ * directly. If a CDN/reverse proxy is ever placed in front, configure
+ * framework.trusted_proxies so getClientIp() reads the forwarded address rather
+ * than the proxy's (otherwise every visitor shares one bucket).
+ */
+final class ApiRateLimitSubscriber implements EventSubscriberInterface
+{
+    public function __construct(
+        private readonly RateLimiterFactoryInterface $apiLimiter,
+    ) {
+    }
+
+    public function onKernelRequest(RequestEvent $event): void
+    {
+        if (!$event->isMainRequest()) {
+            return;
+        }
+
+        $request = $event->getRequest();
+        if (!str_starts_with($request->getPathInfo(), '/api')) {
+            return;
+        }
+
+        // Never throttle loopback — the server's own internal calls, health
+        // checks, and the functional-test client all originate from here.
+        $ip = $request->getClientIp();
+        if (null === $ip || '127.0.0.1' === $ip || '::1' === $ip) {
+            return;
+        }
+
+        $limit = $this->apiLimiter->create($ip)->consume(1);
+        if (!$limit->isAccepted()) {
+            $retryAfter = max(1, $limit->getRetryAfter()->getTimestamp() - time());
+            throw new TooManyRequestsHttpException($retryAfter, 'API rate limit exceeded — slow down.');
+        }
+    }
+
+    public static function getSubscribedEvents(): array
+    {
+        // Run early, before routing/controller work, so throttled requests are
+        // cheap to reject.
+        return [KernelEvents::REQUEST => [['onKernelRequest', 100]]];
+    }
+}

cyber.trackr.live/src/EventSubscriber/ApiRateLimitSubscriber.php

@@ -0,0 +1,64 @@
+<?php
+
+namespace App\Tests\EventSubscriber;
+
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+class ApiRateLimitTest extends WebTestCase
+{
+    /**
+     * After the configured per-IP limit (120/min) is exceeded, /api requests
+     * must return 429 with a Retry-After header.
+     */
+    public function testApiIsRateLimitedPerIp(): void
+    {
+        $client = static::createClient();
+        $client->disableReboot();          // keep one kernel so the flood is fast
+        $ip = '203.0.113.55';
+
+        // Deterministic start: clear this synthetic IP's window so prior runs
+        // (within the same minute) can't affect the result.
+        static::getContainer()->get('limiter.api')->create($ip)->reset();
+
+        $server = ['REMOTE_ADDR' => $ip];
+
+        // First request must pass.
+        $client->request('GET', '/api', [], [], $server);
+        $this->assertResponseIsSuccessful();
+
+        // Within the next ~120 it must start returning 429.
+        $got429 = false;
+        for ($i = 0; $i < 200; $i++) {
+            $client->request('GET', '/api', [], [], $server);
+            if (429 === $client->getResponse()->getStatusCode()) {
+                $got429 = true;
+                $this->assertNotEmpty(
+                    $client->getResponse()->headers->get('Retry-After'),
+                    '429 response should carry a Retry-After header'
+                );
+                break;
+            }
+        }
+        $this->assertTrue($got429, 'API should return 429 once the rate limit is exceeded');
+    }
+
+    /**
+     * Non-/api routes must never be throttled, even when the same IP has
+     * exhausted its API budget.
+     */
+    public function testNonApiPathIsNotRateLimited(): void
+    {
+        $client = static::createClient();
+        $ip = '203.0.113.56';
+
+        // Drain this IP's API limiter directly, then prove a normal page still loads.
+        $limiter = static::getContainer()->get('limiter.api')->create($ip);
+        $limiter->reset();
+        for ($i = 0; $i < 121; $i++) {
+            $limiter->consume(1);
+        }
+
+        $client->request('GET', '/', [], [], ['REMOTE_ADDR' => $ip]);
+        $this->assertResponseIsSuccessful();
+    }
+}