Merge branch '5-support-rate-limiting-headers' - Fix rate limiting implementation

Vitexus · Vitexus · commit 7d72d7c466f4 · 2025-11-21T15:02:40.000+01:00
Rate limits are now correctly enforced per certificate instead of per X-IBM-Client-Id
diff --git a/.openapi-generator/templates/ApiClient.mustache b/.openapi-generator/templates/ApiClient.mustache
@@ -45,6 +45,16 @@ class ApiClient extends \GuzzleHttp\Client
     protected bool $mockMode = false;
     private RateLimiter $rateLimiter;
 
+    /**
+     * Path to the certificate file used for mTLS authentication.
+     */
+    private string $certFilePath = '';
+
+    /**
+     * Cached certificate fingerprint for rate limiting.
+     */
+    private ?string $certFingerprint = null;
+
     /**
      * Initialize the API client with configuration, certificate validation, and a rate limiter.
      *
@@ -87,6 +97,8 @@ class ApiClient extends \GuzzleHttp\Client
             }
         }
 
+        $this->certFilePath = $config['cert'][0];
+
         if (\array_key_exists('debug', $config) === false) {
             $config['debug'] = \Ease\Shared::cfg('API_DEBUG', false);
         }
@@ -231,9 +243,65 @@ class ApiClient extends \GuzzleHttp\Client
         return substr(self::sourceString().'#'.time(), -59);
     }
 
+    /**
+     * Calculate and return the SHA1 fingerprint of the certificate used for mTLS.
+     *
+     * This fingerprint is used as the client identifier for rate limiting,
+     * as rate limits in the API are tied to the certificate, not to X-IBM-Client-Id.
+     *
+     * @throws \Exception if unable to read or parse the certificate
+     *
+     * @return string SHA1 fingerprint of the certificate in lowercase hex format
+     */
+    public function getCertificateFingerprint(): string
+    {
+        if ($this->certFingerprint !== null) {
+            return $this->certFingerprint;
+        }
+
+        if (empty($this->certFilePath)) {
+            throw new \Exception('Certificate file path not set');
+        }
+
+        $certContent = file_get_contents($this->certFilePath);
+
+        if ($certContent === false) {
+            throw new \Exception('Unable to read certificate file: '.$this->certFilePath);
+        }
+
+        $certs = [];
+
+        if (openssl_pkcs12_read($certContent, $certs, $this->getConfig()['cert'][1]) === false) {
+            throw new \Exception('Unable to parse PKCS12 certificate: '.openssl_error_string());
+        }
+
+        if (!isset($certs['cert'])) {
+            throw new \Exception('Certificate not found in PKCS12 file');
+        }
+
+        $certResource = openssl_x509_read($certs['cert']);
+
+        if ($certResource === false) {
+            throw new \Exception('Unable to read X509 certificate: '.openssl_error_string());
+        }
+
+        $fingerprint = openssl_x509_fingerprint($certResource, 'sha1');
+
+        if ($fingerprint === false) {
+            throw new \Exception('Unable to calculate certificate fingerprint: '.openssl_error_string());
+        }
+
+        $this->certFingerprint = strtolower($fingerprint);
+
+        return $this->certFingerprint;
+    }
+
     /**
      * Send an HTTP request while enforcing and updating client rate limits.
      *
+     * Rate limits are enforced per certificate (not per X-IBM-Client-Id).
+     * The certificate fingerprint is used as the client identifier.
+     *
      * @param \Psr\Http\Message\RequestInterface $request the HTTP request to send
      * @param array                              $options Request options to apply to the transfer. See \GuzzleHttp\RequestOptions.
      *
@@ -244,7 +312,9 @@ class ApiClient extends \GuzzleHttp\Client
      */
     public function send(\Psr\Http\Message\RequestInterface $request, array $options = []): \Psr\Http\Message\ResponseInterface
     {
-        $this->rateLimiter->checkBeforeRequest($this->xIBMClientId);
+        $certFingerprint = $this->getCertificateFingerprint();
+
+        $this->rateLimiter->checkBeforeRequest($certFingerprint);
 
         $response = parent::send($request, $options);
 
@@ -254,7 +324,7 @@ class ApiClient extends \GuzzleHttp\Client
 
         if ($statusCode === 429) { // 429 Too Many Requests
             if ($this->rateLimiter->isWaitMode()) {
-                $this->rateLimiter->checkBeforeRequest($this->xIBMClientId);
+                $this->rateLimiter->checkBeforeRequest($certFingerprint);
                 $response = parent::send($request, $options);
 
                 $this->updateRateLimitsFromResponse($response);
@@ -268,13 +338,21 @@ class ApiClient extends \GuzzleHttp\Client
         return $response;
     }
 
+    /**
+     * Update rate limits from API response headers.
+     *
+     * Uses the certificate fingerprint as the client identifier for storing rate limits.
+     *
+     * @param \Psr\Http\Message\ResponseInterface $response the HTTP response containing rate limit headers
+     */
     private function updateRateLimitsFromResponse(\Psr\Http\Message\ResponseInterface $response): void
     {
         if ($response->hasHeader('x-ratelimit-remaining-second') && $response->hasHeader('x-ratelimit-remaining-day')) {
             $remainingSecond = (int) $response->getHeaderLine('x-ratelimit-remaining-second');
             $remainingDay = (int) $response->getHeaderLine('x-ratelimit-remaining-day');
             $timestamp = time();
-            $this->rateLimiter->handleRateLimits($this->xIBMClientId, $remainingSecond, $remainingDay, $timestamp);
+            $certFingerprint = $this->getCertificateFingerprint();
+            $this->rateLimiter->handleRateLimits($certFingerprint, $remainingSecond, $remainingDay, $timestamp);
         }
     }
 }
diff --git a/WARP.md b/WARP.md
@@ -52,6 +52,7 @@ composer test\nnpm test
 - **Main Components**: Core functionality and modules
 - **Configuration**: Configuration files and environment variables
 - **Integration Points**: External services and dependencies
+- **Rate Limiting**: API rate limits are enforced per certificate (mTLS client certificate), not per X-IBM-Client-Id. The library automatically calculates the SHA1 fingerprint of the certificate and uses it as the client identifier for rate limit tracking.
 
 ## Common Tasks
 
diff --git a/debian/changelog b/debian/changelog
@@ -1,4 +1,13 @@
-php-vitexsoftware-rbczpremiumapi (1.5.0) UNRELEASED; urgency=medium
+php-vitexsoftware-rbczpremiumapi (1.5.1) UNRELEASED; urgency=medium
+
+  * Fix rate limiting to use certificate fingerprint instead of X-IBM-Client-Id
+    - Rate limits are enforced per certificate as per API documentation
+    - Added getCertificateFingerprint() method to calculate SHA1 fingerprint
+    - Updated ApiClient to use certificate fingerprint for rate limit tracking
+
+ -- vitex <info@vitexsoftware.cz>  Thu, 21 Nov 2025 14:54:00 +0100
+
+php-vitexsoftware-rbczpremiumapi (1.5.0) unstable; urgency=medium
 
   * Rate limiting support added
 
diff --git a/debian/composer.json b/debian/composer.json
@@ -1,7 +1,6 @@
 {
   "name": "deb/rbczpremiumapi",
   "description": "An Core of PHP Framework for Ease of writing Applications (debianized)",
-  "version": "1.4.1",
   "authors": [
     {
       "name": "Vítězslav Dvořák",
diff --git a/lib/ApiClient.php b/lib/ApiClient.php
@@ -45,6 +45,16 @@ class ApiClient extends \GuzzleHttp\Client
     protected bool $mockMode = false;
     private RateLimiter $rateLimiter;
 
+    /**
+     * Path to the certificate file used for mTLS authentication.
+     */
+    private string $certFilePath = '';
+
+    /**
+     * Cached certificate fingerprint for rate limiting.
+     */
+    private ?string $certFingerprint = null;
+
     /**
      * Initialize the API client with configuration, certificate validation, and a rate limiter.
      *
@@ -87,6 +97,8 @@ public function __construct(array $config = [])
             }
         }
 
+        $this->certFilePath = $config['cert'][0];
+
         if (\array_key_exists('debug', $config) === false) {
             $config['debug'] = \Ease\Shared::cfg('API_DEBUG', false);
         }
@@ -231,9 +243,65 @@ public static function getxRequestId()
         return substr(self::sourceString().'#'.time(), -59);
     }
 
+    /**
+     * Calculate and return the SHA1 fingerprint of the certificate used for mTLS.
+     *
+     * This fingerprint is used as the client identifier for rate limiting,
+     * as rate limits in the API are tied to the certificate, not to X-IBM-Client-Id.
+     *
+     * @throws \Exception if unable to read or parse the certificate
+     *
+     * @return string SHA1 fingerprint of the certificate in lowercase hex format
+     */
+    public function getCertificateFingerprint(): string
+    {
+        if ($this->certFingerprint !== null) {
+            return $this->certFingerprint;
+        }
+
+        if (empty($this->certFilePath)) {
+            throw new \Exception('Certificate file path not set');
+        }
+
+        $certContent = file_get_contents($this->certFilePath);
+
+        if ($certContent === false) {
+            throw new \Exception('Unable to read certificate file: '.$this->certFilePath);
+        }
+
+        $certs = [];
+
+        if (openssl_pkcs12_read($certContent, $certs, $this->getConfig()['cert'][1]) === false) {
+            throw new \Exception('Unable to parse PKCS12 certificate: '.openssl_error_string());
+        }
+
+        if (!isset($certs['cert'])) {
+            throw new \Exception('Certificate not found in PKCS12 file');
+        }
+
+        $certResource = openssl_x509_read($certs['cert']);
+
+        if ($certResource === false) {
+            throw new \Exception('Unable to read X509 certificate: '.openssl_error_string());
+        }
+
+        $fingerprint = openssl_x509_fingerprint($certResource, 'sha1');
+
+        if ($fingerprint === false) {
+            throw new \Exception('Unable to calculate certificate fingerprint: '.openssl_error_string());
+        }
+
+        $this->certFingerprint = strtolower($fingerprint);
+
+        return $this->certFingerprint;
+    }
+
     /**
      * Send an HTTP request while enforcing and updating client rate limits.
      *
+     * Rate limits are enforced per certificate (not per X-IBM-Client-Id).
+     * The certificate fingerprint is used as the client identifier.
+     *
      * @param \Psr\Http\Message\RequestInterface $request the HTTP request to send
      * @param array                              $options Request options to apply to the transfer. See \GuzzleHttp\RequestOptions.
      *
@@ -244,7 +312,9 @@ public static function getxRequestId()
      */
     public function send(\Psr\Http\Message\RequestInterface $request, array $options = []): \Psr\Http\Message\ResponseInterface
     {
-        $this->rateLimiter->checkBeforeRequest($this->xIBMClientId);
+        $certFingerprint = $this->getCertificateFingerprint();
+
+        $this->rateLimiter->checkBeforeRequest($certFingerprint);
 
         $response = parent::send($request, $options);
 
@@ -254,7 +324,7 @@ public function send(\Psr\Http\Message\RequestInterface $request, array $options
 
         if ($statusCode === 429) { // 429 Too Many Requests
             if ($this->rateLimiter->isWaitMode()) {
-                $this->rateLimiter->checkBeforeRequest($this->xIBMClientId);
+                $this->rateLimiter->checkBeforeRequest($certFingerprint);
                 $response = parent::send($request, $options);
 
                 $this->updateRateLimitsFromResponse($response);
@@ -268,13 +338,21 @@ public function send(\Psr\Http\Message\RequestInterface $request, array $options
         return $response;
     }
 
+    /**
+     * Update rate limits from API response headers.
+     *
+     * Uses the certificate fingerprint as the client identifier for storing rate limits.
+     *
+     * @param \Psr\Http\Message\ResponseInterface $response the HTTP response containing rate limit headers
+     */
     private function updateRateLimitsFromResponse(\Psr\Http\Message\ResponseInterface $response): void
     {
         if ($response->hasHeader('x-ratelimit-remaining-second') && $response->hasHeader('x-ratelimit-remaining-day')) {
             $remainingSecond = (int) $response->getHeaderLine('x-ratelimit-remaining-second');
             $remainingDay = (int) $response->getHeaderLine('x-ratelimit-remaining-day');
             $timestamp = time();
-            $this->rateLimiter->handleRateLimits($this->xIBMClientId, $remainingSecond, $remainingDay, $timestamp);
+            $certFingerprint = $this->getCertificateFingerprint();
+            $this->rateLimiter->handleRateLimits($certFingerprint, $remainingSecond, $remainingDay, $timestamp);
         }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "deb/rbczpremiumapi",`
`3`	`3`	`"description": "An Core of PHP Framework for Ease of writing Applications (debianized)",`
`4`		`- "version": "1.4.1",`
`5`	`4`	`"authors": [`
`6`	`5`	`{`
`7`	`6`	`"name": "Vítězslav Dvořák",`