[FEATURE] Add fingerprint-based rate limiting for tracking endpoints

Implements configurable rate limiter to prevent abuse and bot attacks:
- RateLimiterCache: TTL-based request counter with 60s window
- RateLimiter: Event listener on StopAnyProcessBeforePersistenceEvent
- RateLimitException: Dedicated exception for rate limit violations
- Configuration options: enable/disable toggle and requests per minute
- Default limit: 20 requests per minute per fingerprint
- Unit tests: 4 tests covering limit enforcement and edge cases

Integration follows existing StopTracking pattern for seamless tracking
prevention. Cache backend configurable (Database/Redis/Memcached).

Author: einpraegsam

Classes/Domain/Cache/RateLimiterCache.php

@@ -0,0 +1,62 @@
+<?php
+
+declare(strict_types=1);
+namespace In2code\Lux\Domain\Cache;
+
+use TYPO3\CMS\Core\Cache\Frontend\FrontendInterface;
+
+/**
+ * Cache layer for rate limiting
+ *
+ * Stores request counters per fingerprint with 60-second TTL
+ * Uses TYPO3 cache framework for automatic expiration and backend flexibility
+ */
+class RateLimiterCache
+{
+    public const CACHE_KEY = 'luxratelimiter';
+    public const TTL = 60; // 60 seconds = 1 minute window
+
+    protected FrontendInterface $cache;
+
+    public function __construct(FrontendInterface $cache)
+    {
+        $this->cache = $cache;
+    }
+
+    public function getCount(string $fingerprintHash): int
+    {
+        $cacheIdentifier = $this->getCacheIdentifier($fingerprintHash);
+        $data = $this->cache->get($cacheIdentifier);
+        return (int)($data['count'] ?? 0);
+    }
+
+    public function incrementAndGet(string $fingerprintHash): int
+    {
+        $cacheIdentifier = $this->getCacheIdentifier($fingerprintHash);
+        $currentCount = $this->getCount($fingerprintHash);
+        $newCount = $currentCount + 1;
+
+        // Store with 60-second TTL
+        $this->cache->set(
+            $cacheIdentifier,
+            ['count' => $newCount, 'timestamp' => time()],
+            [self::CACHE_KEY],
+            self::TTL
+        );
+
+        return $newCount;
+    }
+
+    /**
+     * Generate cache identifier from fingerprint hash
+     * Format: ratelimit_[first-16-chars-of-hash]
+     *
+     * @param string $fingerprintHash
+     * @return string
+     */
+    protected function getCacheIdentifier(string $fingerprintHash): string
+    {
+        $shortHash = substr($fingerprintHash, 0, 16);
+        return 'ratelimit_' . $shortHash;
+    }
+}

Classes/Domain/Tracker/RateLimiter.php

@@ -0,0 +1,75 @@
+<?php
+
+declare(strict_types=1);
+namespace In2code\Lux\Domain\Tracker;
+
+use In2code\Lux\Domain\Cache\RateLimiterCache;
+use In2code\Lux\Events\StopAnyProcessBeforePersistenceEvent;
+use In2code\Lux\Exception\RateLimitException;
+use In2code\Lux\Utility\ConfigurationUtility;
+use Psr\Log\LoggerInterface;
+use TYPO3\CMS\Core\Configuration\Exception\ExtensionConfigurationExtensionNotConfiguredException;
+use TYPO3\CMS\Core\Configuration\Exception\ExtensionConfigurationPathDoesNotExistException;
+
+class RateLimiter
+{
+    protected RateLimiterCache $cache;
+    protected LoggerInterface $logger;
+
+    public function __construct(
+        RateLimiterCache $cache,
+        LoggerInterface $logger
+    ) {
+        $this->cache = $cache;
+        $this->logger = $logger;
+    }
+
+    public function __invoke(StopAnyProcessBeforePersistenceEvent $event)
+    {
+        if ($this->isRateLimitingEnabled()) {
+            $fingerprint = $event->getFingerprint();
+            $fingerprintHash = $fingerprint->getValue();
+
+            if ($fingerprintHash !== '') {
+                $currentCount = $this->cache->incrementAndGet($fingerprintHash);
+                if ($currentCount > $this->getRateLimit()) {
+                    $this->logRateLimitExceeded($fingerprintHash, $currentCount, $this->getRateLimit());
+                    throw new RateLimitException(
+                        'Rate limit exceeded: ' . $currentCount . ' requests in last minute',
+                        1768214806
+                    );
+                }
+            }
+        }
+    }
+
+    protected function isRateLimitingEnabled(): bool
+    {
+        try {
+            return ConfigurationUtility::isRateLimitingEnabled();
+        } catch (ExtensionConfigurationExtensionNotConfiguredException | ExtensionConfigurationPathDoesNotExistException $exception) {
+            return true;
+        }
+    }
+
+    protected function getRateLimit(): int
+    {
+        try {
+            return ConfigurationUtility::getRateLimitRequestsPerMinute();
+        } catch (ExtensionConfigurationExtensionNotConfiguredException | ExtensionConfigurationPathDoesNotExistException $exception) {
+            return ConfigurationUtility::RATE_LIMIT;
+        }
+    }
+
+    protected function logRateLimitExceeded(string $fingerprintHash, int $currentCount, int $limit): void
+    {
+        if (ConfigurationUtility::isExceptionLoggingActivated()) {
+            $this->logger->warning('Rate limit exceeded', [
+                'fingerprint' => $fingerprintHash,
+                'count' => $currentCount,
+                'limit' => $limit,
+                'component' => 'RateLimiter',
+            ]);
+        }
+    }
+}

Classes/Exception/RateLimitException.php

@@ -0,0 +1,10 @@
+<?php
+
+declare(strict_types=1);
+namespace In2code\Lux\Exception;
+
+use Exception;
+
+class RateLimitException extends Exception
+{
+}

Classes/Utility/ConfigurationUtility.php

@@ -12,6 +12,8 @@
 
 class ConfigurationUtility
 {
+    public const RATE_LIMIT = 20;
+
     /**
      * @return string
      * @throws ExtensionConfigurationExtensionNotConfiguredException
@@ -217,6 +219,32 @@ public static function isExceptionLoggingActivated(): bool
         return ($extensionConfig['enableExceptionLogging'] ?? '0') === '1';
     }
 
+    /**
+     * Check if rate limiting is enabled
+     *
+     * @return bool
+     * @throws ExtensionConfigurationExtensionNotConfiguredException
+     * @throws ExtensionConfigurationPathDoesNotExistException
+     */
+    public static function isRateLimitingEnabled(): bool
+    {
+        $extensionConfig = self::getExtensionConfiguration();
+        return ($extensionConfig['enableRateLimiting'] ?? '1') === '1';
+    }
+
+    /**
+     * Get rate limit (requests per minute)
+     *
+     * @return int
+     * @throws ExtensionConfigurationExtensionNotConfiguredException
+     * @throws ExtensionConfigurationPathDoesNotExistException
+     */
+    public static function getRateLimitRequestsPerMinute(): int
+    {
+        $extensionConfig = self::getExtensionConfiguration();
+        return (int)($extensionConfig['rateLimitRequestsPerMinute'] ?? self::RATE_LIMIT);
+    }
+
     /**
      * @return bool
      * @throws ExtensionConfigurationExtensionNotConfiguredException

Configuration/Services.yaml

@@ -17,6 +17,16 @@ services:
     arguments:
       $cache: '@cache.luxcachelayer'
 
+  cache.luxratelimiter:
+    class: TYPO3\CMS\Core\Cache\Frontend\FrontendInterface
+    factory: [ '@TYPO3\CMS\Core\Cache\CacheManager', 'getCache' ]
+    arguments: [ 'luxratelimiter' ]
+
+  In2code\Lux\Domain\Cache\RateLimiterCache:
+    public: true
+    arguments:
+      $cache: '@cache.luxratelimiter'
+
   In2code\Lux\Command\LuxAnonymizeCommand:
     tags:
       - name: 'console.command'
@@ -243,6 +253,12 @@ services:
         identifier: 'lux/stopTracking'
         event: In2code\Lux\Events\StopAnyProcessBeforePersistenceEvent
 
+  In2code\Lux\Domain\Tracker\RateLimiter:
+    tags:
+      - name: 'event.listener'
+        identifier: 'lux/rateLimiter'
+        event: In2code\Lux\Events\StopAnyProcessBeforePersistenceEvent
+
   In2code\Lux\Domain\Tracker\UtmTracker:
     public: true
     tags:

Tests/Unit/Domain/Tracker/RateLimiterTest.php

@@ -0,0 +1,144 @@
+<?php
+
+namespace In2code\Lux\Tests\Unit\Domain\Tracker;
+
+use In2code\Lux\Domain\Cache\RateLimiterCache;
+use In2code\Lux\Domain\Model\Fingerprint;
+use In2code\Lux\Domain\Tracker\RateLimiter;
+use In2code\Lux\Events\StopAnyProcessBeforePersistenceEvent;
+use In2code\Lux\Exception\RateLimitException;
+use In2code\Lux\Tests\Helper\TestingHelper;
+use PHPUnit\Framework\Attributes\CoversClass;
+use PHPUnit\Framework\Attributes\Test;
+use Psr\Log\LoggerInterface;
+use TYPO3\TestingFramework\Core\Unit\UnitTestCase;
+
+#[CoversClass(RateLimiter::class)]
+class RateLimiterTest extends UnitTestCase
+{
+    protected bool $resetSingletonInstances = true;
+
+    public function setUp(): void
+    {
+        parent::setUp();
+        TestingHelper::setDefaultConstants();
+    }
+
+    #[Test]
+    public function itAllowsRequestsUnderLimit(): void
+    {
+        // Mock cache to return count below limit
+        $cacheMock = $this->createMock(RateLimiterCache::class);
+        $cacheMock->expects(self::once())
+            ->method('incrementAndGet')
+            ->with('test1234567890abcdef1234567890ab1234567890abcdef1234567890abcdef')
+            ->willReturn(10); // 10 < 20 (default limit)
+
+        $loggerMock = $this->createMock(LoggerInterface::class);
+        $loggerMock->expects(self::never())
+            ->method('warning'); // Should not log when under limit
+
+        $rateLimiter = new RateLimiter($cacheMock, $loggerMock);
+
+        // Create real fingerprint and event objects (they are final)
+        $fingerprint = $this->createFingerprintWithValue('test1234567890abcdef1234567890ab1234567890abcdef1234567890abcdef');
+        $event = new StopAnyProcessBeforePersistenceEvent($fingerprint);
+
+        // Should not throw exception
+        $rateLimiter->__invoke($event);
+
+        // If we reach here, the test passes
+        self::assertTrue(true);
+    }
+
+    #[Test]
+    public function itBlocksRequestsOverLimit(): void
+    {
+        // Mock cache to return count over limit
+        $cacheMock = $this->createMock(RateLimiterCache::class);
+        $cacheMock->expects(self::once())
+            ->method('incrementAndGet')
+            ->with('test1234567890abcdef1234567890ab1234567890abcdef1234567890abcdef')
+            ->willReturn(21); // 21 > 20 (default limit)
+
+        $loggerMock = $this->createMock(LoggerInterface::class);
+
+        $rateLimiter = new RateLimiter($cacheMock, $loggerMock);
+
+        // Create real fingerprint and event objects (they are final)
+        $fingerprint = $this->createFingerprintWithValue('test1234567890abcdef1234567890ab1234567890abcdef1234567890abcdef');
+        $event = new StopAnyProcessBeforePersistenceEvent($fingerprint);
+
+        // Should throw exception
+        $this->expectException(RateLimitException::class);
+        $this->expectExceptionMessage('Rate limit exceeded');
+        $this->expectExceptionCode(1768214806);
+
+        $rateLimiter->__invoke($event);
+    }
+
+    #[Test]
+    public function itHandlesEmptyFingerprint(): void
+    {
+        // Mock cache should not be called
+        $cacheMock = $this->createMock(RateLimiterCache::class);
+        $cacheMock->expects(self::never())
+            ->method('incrementAndGet');
+
+        $loggerMock = $this->createMock(LoggerInterface::class);
+
+        $rateLimiter = new RateLimiter($cacheMock, $loggerMock);
+
+        // Create fingerprint with empty value
+        $fingerprint = new Fingerprint('example.com', 'TestUA');
+        // Note: value is empty by default since we don't call setValue()
+        $event = new StopAnyProcessBeforePersistenceEvent($fingerprint);
+
+        // Should return early without exception
+        $rateLimiter->__invoke($event);
+
+        // If we reach here, the test passes
+        self::assertTrue(true);
+    }
+
+    #[Test]
+    public function itIncrementsCounterOnEachRequest(): void
+    {
+        // Mock cache to verify incrementAndGet is called
+        $cacheMock = $this->createMock(RateLimiterCache::class);
+        $cacheMock->expects(self::once())
+            ->method('incrementAndGet')
+            ->with('test1234567890abcdef1234567890ab1234567890abcdef1234567890abcdef')
+            ->willReturn(1); // First request
+
+        $loggerMock = $this->createMock(LoggerInterface::class);
+
+        $rateLimiter = new RateLimiter($cacheMock, $loggerMock);
+
+        // Create real fingerprint and event objects (they are final)
+        $fingerprint = $this->createFingerprintWithValue('test1234567890abcdef1234567890ab1234567890abcdef1234567890abcdef');
+        $event = new StopAnyProcessBeforePersistenceEvent($fingerprint);
+
+        $rateLimiter->__invoke($event);
+
+        // Test passes if incrementAndGet was called
+        self::assertTrue(true);
+    }
+
+    /**
+     * Helper method to create a Fingerprint with a specific value
+     * Uses reflection to set the protected value property
+     *
+     * @param string $value
+     * @return Fingerprint
+     */
+    protected function createFingerprintWithValue(string $value): Fingerprint
+    {
+        $fingerprint = new Fingerprint('example.com', 'TestUA');
+        $reflection = new \ReflectionClass($fingerprint);
+        $property = $reflection->getProperty('value');
+        $property->setAccessible(true);
+        $property->setValue($fingerprint, $value);
+        return $fingerprint;
+    }
+}

ext_conf_template.txt

@@ -57,3 +57,9 @@ useCacheLayer = 1
 
 # cat=advanced/enable/280; type=boolean; label= Enable exception logging: If the user is not logged in into backend and an exception happens, those exceptions can be logged as warning in var/log/typo3_[hash].log
 enableExceptionLogging = 0
+
+# cat=advanced/enable/290; type=boolean; label= Enable rate limiting: Protect tracking endpoints from abuse by limiting requests per fingerprint. Recommended to keep enabled.
+enableRateLimiting = 1
+
+# cat=advanced/enable/300; type=number; label= Rate limit requests per minute: Maximum number of tracking requests allowed per fingerprint per minute. Default is 100.
+rateLimitRequestsPerMinute = 20

ext_localconf.php

@@ -69,7 +69,8 @@ function () {
         $cacheKeys = [
             \In2code\Lux\Domain\Service\Image\VisitorImageService::CACHE_KEY,
             \In2code\Lux\Domain\Service\Image\CompanyImageService::CACHE_KEY,
-            \In2code\Lux\Domain\Cache\CacheLayer::CACHE_KEY
+            \In2code\Lux\Domain\Cache\CacheLayer::CACHE_KEY,
+            \In2code\Lux\Domain\Cache\RateLimiterCache::CACHE_KEY,
         ];
         foreach ($cacheKeys as $cacheKey) {
             if (!isset($GLOBALS['TYPO3_CONF_VARS']['SYS']['caching']['cacheConfigurations'][$cacheKey])) {