security: add rate limiting to admin action endpoints #20

Merged
Charon merged 1 commit from security/rate-limit-admin-actions into main 2026-02-20 12:10:48 +00:00
Member

Summary

  • Add HasRateLimiting trait providing reusable per-user rate limiting for Livewire component methods
  • Apply rate limits to all sensitive mutation and export methods in PlatformUser, Settings, and WaitlistManager
  • Add comprehensive Pest tests for rate limit enforcement, per-user scoping, user feedback, and window reset

Rate Limits

| Action | Limit | Components |
|--------|-------|------------|
| Tier changes, verification | 10/min per admin | PlatformUser |
| Entitlement provisioning/revocation | 10/min per admin | PlatformUser |
| Profile updates | 20/min per user | Settings |
| Password changes | 5/min per user | Settings |
| Data exports (JSON, CSV) | 5/min per admin | PlatformUser, WaitlistManager |
| Deletions/anonymisation | 3/min per admin | PlatformUser, Settings |
| Waitlist mutations (invite, delete) | 10/min per admin | WaitlistManager |

Implementation

Uses Laravel's RateLimiter::attempt() at the Livewire component method level via a reusable trait. This approach:

  • Scopes limits per authenticated user ID
  • Provides user-friendly feedback (seconds until retry) via actionMessage/actionType or session()->flash()
  • Allows Settings to override with Flux::toast() for consistent UX
  • Keeps rate limit logic co-located with the protected actions

Test Plan

  • Rate limit enforcement (blocks after threshold)
  • Per-user scoping (users don't affect each other)
  • Separate limits per action type
  • User feedback with retry countdown
  • Session flash fallback for components without actionMessage
  • Rate limit reset after window expiry
  • PHP lint passes on all modified files

Closes #12

🤖 Generated with Claude Code

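The shape the description above outlines, as an added illustration rather than the PR's own `HasRateLimiting` trait: a trait that wraps `RateLimiter::attempt()` with a key scoped to component, action and user id, reports `availableIn()` seconds back through `actionMessage`/`actionType` with a `session()->flash()` fallback, one consuming component, and a Pest test of the 3/min deletion limit. The component, action and model names are placeholders, and `authorize()` is assumed to be available on the Livewire base component.

```php
<?php

namespace App\Livewire\Concerns {
    use Illuminate\Support\Facades\Auth;
    use Illuminate\Support\Facades\RateLimiter;

    trait HasRateLimiting
    {
        /** Run $action unless the caller already used $maxAttempts in the window.
         *  Returns true if the action ran, false if it was throttled. */
        protected function rateLimited(string $name, int $maxAttempts, callable $action, int $decaySeconds = 60): bool
        {
            $key = $this->rateLimitKey($name);

            // attempt() records a hit and runs the closure, or returns false
            // without running it once the window is exhausted.
            $ran = RateLimiter::attempt($key, $maxAttempts, function () use ($action): bool {
                $action();
                return true; // never return a falsy value here: attempt() uses false for "throttled"
            }, $decaySeconds);

            if ($ran === false) {
                $this->notifyRateLimited(RateLimiter::availableIn($key));
                return false;
            }
            return true;
        }

        /** Scoped to class, action and user id: one admin cannot drain another's
         *  budget, and separate actions keep separate counters. */
        protected function rateLimitKey(string $name): string
        {
            $subject = Auth::id() ?? 'ip:' . request()->ip(); // guests (if any) fall back to IP
            return sprintf('livewire:%s:%s:%s', static::class, $name, $subject);
        }

        protected function notifyRateLimited(int $seconds): void
        {
            $message = "Too many attempts. Try again in {$seconds} seconds.";
            if (property_exists($this, 'actionMessage')) {
                $this->actionMessage = $message;
                $this->actionType = 'error';
                return;
            }
            session()->flash('error', $message); // components without inline feedback
        }
    }
}

namespace App\Livewire {
    use App\Livewire\Concerns\HasRateLimiting;
    use App\Models\User;
    use Livewire\Component;

    class PlatformUser extends Component
    {
        use HasRateLimiting;

        public ?string $actionMessage = null;
        public ?string $actionType = null;

        public function deleteUser(int $userId): void
        {
            $user = User::findOrFail($userId);
            $this->authorize('delete', $user); // authorisation first; throttling is not a substitute

            $this->rateLimited('delete-user', 3, function () use ($user): void {
                $user->delete();
                $this->actionMessage = 'User deleted.';
                $this->actionType = 'success';
            });
        }

        public function render()
        {
            return view('livewire.platform-user');
        }
    }
}

namespace Tests\Feature {
    use App\Livewire\PlatformUser;
    use App\Models\User;
    use Livewire\Livewire;

    // Hypothetical Pest test: three deletions succeed, the fourth is refused and nothing is deleted.
    it('throttles the fourth deletion within a minute', function () {
        $admin = User::factory()->create();
        $targets = User::factory()->count(4)->create();

        $component = Livewire::actingAs($admin)->test(PlatformUser::class);
        foreach ($targets->take(3) as $target) {
            $component->call('deleteUser', $target->id)->assertSet('actionType', 'success');
        }
        $component->call('deleteUser', $targets[3]->id)->assertSet('actionType', 'error');
        expect(User::find($targets[3]->id))->not->toBeNull();
    });
}
```

Two things worth checking in a real deployment of this pattern: the counters live in the configured cache store, so a per-process or `array` cache driver will not throttle across separate Livewire requests, and per-user keys mean a compromised admin session still gets its full budget every minute. The limits bound blast radius; they do not replace session revocation or an audit trail of the throttled attempts.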
Clotho added 1 commit 2026-02-20 11:30:21 +00:00
security: add rate limiting to admin action endpoints (#12)
Some checks failed
CI / PHP 8.3 (pull_request) Failing after 27s
CI / PHP 8.2 (pull_request) Failing after 30s
CI / Assets (pull_request) Failing after 1s
CI / PHP 8.4 (pull_request) Failing after 1s
9ae0055f33
Add per-user rate limiting to sensitive Livewire component methods to
prevent abuse from compromised admin sessions. Introduces a reusable
HasRateLimiting trait and applies it to PlatformUser, Settings, and
WaitlistManager components.

Rate limits:
- Tier changes, verification, entitlements: 10/min per admin
- Profile updates, preferences: 20/min per user
- Password changes: 5/min per user
- Data exports: 5/min per admin
- Deletions/anonymisation: 3/min per admin

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
requested review from Charon 2026-02-20 12:07:16 +00:00
Charon merged commit 498bceab88 into main 2026-02-20 12:10:48 +00:00