php-commerce/tests/Feature/WebhookRateLimitTest.php

<?php

declare(strict_types=1);

use Illuminate\Cache\RateLimiter;
use Illuminate\Http\Request;
use Core\Mod\Commerce\Services\WebhookRateLimiter;

uses(\Illuminate\Foundation\Testing\RefreshDatabase::class);

// ============================================================================
// WebhookRateLimiter Unit Tests
// ============================================================================

describe('WebhookRateLimiter', function () {
    beforeEach(function () {
        // Clear rate limiter cache before each test
        app(RateLimiter::class)->clear('webhook:stripe:ip:127.0.0.1');
        app(RateLimiter::class)->clear('webhook:btcpay:ip:127.0.0.1');
        app(RateLimiter::class)->clear('webhook:stripe:ip:3.18.12.63');
    });

    describe('basic rate limiting', function () {
        it('allows requests under the limit', function () {
            $limiter = app(WebhookRateLimiter::class);

            $request = Request::create('/webhooks/stripe', 'POST');
            $request->server->set('REMOTE_ADDR', '127.0.0.1');

            // First request should be allowed
            expect($limiter->tooManyAttempts($request, 'stripe'))->toBeFalse();
        });

        it('blocks requests over the limit', function () {
            $limiter = app(WebhookRateLimiter::class);

            $request = Request::create('/webhooks/stripe', 'POST');
            $request->server->set('REMOTE_ADDR', '127.0.0.1');

            // Use a low limit for testing
            config(['commerce.webhooks.rate_limits.default' => 3]);

            // Make requests up to the limit
            for ($i = 0; $i < 3; $i++) {
                $limiter->increment($request, 'stripe');
            }

            // Next request should be blocked
            expect($limiter->tooManyAttempts($request, 'stripe'))->toBeTrue();
        });

        it('tracks attempts per gateway separately', function () {
            $limiter = app(WebhookRateLimiter::class);

            $request = Request::create('/webhooks/test', 'POST');
            $request->server->set('REMOTE_ADDR', '127.0.0.1');

            config(['commerce.webhooks.rate_limits.default' => 3]);

            // Exhaust Stripe limit
            for ($i = 0; $i < 3; $i++) {
                $limiter->increment($request, 'stripe');
            }

            // Stripe should be blocked
            expect($limiter->tooManyAttempts($request, 'stripe'))->toBeTrue();

            // BTCPay should still be allowed (separate counter)
            expect($limiter->tooManyAttempts($request, 'btcpay'))->toBeFalse();
        });

        it('tracks attempts per IP separately', function () {
            $limiter = app(WebhookRateLimiter::class);

            config(['commerce.webhooks.rate_limits.default' => 3]);

            $request1 = Request::create('/webhooks/stripe', 'POST');
            $request1->server->set('REMOTE_ADDR', '192.168.1.1');

            $request2 = Request::create('/webhooks/stripe', 'POST');
            $request2->server->set('REMOTE_ADDR', '192.168.1.2');

            // Exhaust limit for IP 1
            for ($i = 0; $i < 3; $i++) {
                $limiter->increment($request1, 'stripe');
            }

            // IP 1 should be blocked
            expect($limiter->tooManyAttempts($request1, 'stripe'))->toBeTrue();

            // IP 2 should still be allowed
            expect($limiter->tooManyAttempts($request2, 'stripe'))->toBeFalse();
        });

        it('reports remaining attempts correctly', function () {
            $limiter = app(WebhookRateLimiter::class);

            $request = Request::create('/webhooks/stripe', 'POST');
            $request->server->set('REMOTE_ADDR', '127.0.0.1');

            config(['commerce.webhooks.rate_limits.default' => 10]);

            expect($limiter->remainingAttempts($request, 'stripe'))->toBe(10);

            $limiter->increment($request, 'stripe');
            expect($limiter->remainingAttempts($request, 'stripe'))->toBe(9);

            $limiter->increment($request, 'stripe');
            expect($limiter->remainingAttempts($request, 'stripe'))->toBe(8);
        });

        it('returns retry-after time when rate limited', function () {
            $limiter = app(WebhookRateLimiter::class);

            $request = Request::create('/webhooks/stripe', 'POST');
            $request->server->set('REMOTE_ADDR', '127.0.0.1');

            config(['commerce.webhooks.rate_limits.default' => 1]);

            $limiter->increment($request, 'stripe');

            // Should have a retry-after time
            $retryAfter = $limiter->availableIn($request, 'stripe');
            expect($retryAfter)->toBeGreaterThan(0)
                ->and($retryAfter)->toBeLessThanOrEqual(60);
        });
    });

    describe('trusted gateway IPs', function () {
        it('identifies trusted Stripe IPs', function () {
            $limiter = app(WebhookRateLimiter::class);

            // Configure a trusted IP
            config(['commerce.webhooks.trusted_ips.stripe' => ['3.18.12.63']]);

            $trustedRequest = Request::create('/webhooks/stripe', 'POST');
            $trustedRequest->server->set('REMOTE_ADDR', '3.18.12.63');

            $untrustedRequest = Request::create('/webhooks/stripe', 'POST');
            $untrustedRequest->server->set('REMOTE_ADDR', '192.168.1.1');

            expect($limiter->isTrustedGatewayIp($trustedRequest, 'stripe'))->toBeTrue();
            expect($limiter->isTrustedGatewayIp($untrustedRequest, 'stripe'))->toBeFalse();
        });

        it('gives higher limits to trusted IPs', function () {
            $limiter = app(WebhookRateLimiter::class);

            config([
                'commerce.webhooks.rate_limits.default' => 5,
                'commerce.webhooks.rate_limits.trusted' => 100,
                'commerce.webhooks.trusted_ips.stripe' => ['3.18.12.63'],
            ]);

            $trustedRequest = Request::create('/webhooks/stripe', 'POST');
            $trustedRequest->server->set('REMOTE_ADDR', '3.18.12.63');

            $untrustedRequest = Request::create('/webhooks/stripe', 'POST');
            $untrustedRequest->server->set('REMOTE_ADDR', '192.168.1.1');

            // Untrusted IP should have 5 remaining attempts
            expect($limiter->remainingAttempts($untrustedRequest, 'stripe'))->toBe(5);

            // Trusted IP should have 100 remaining attempts
            expect($limiter->remainingAttempts($trustedRequest, 'stripe'))->toBe(100);
        });

        it('supports CIDR ranges for trusted IPs', function () {
            $limiter = app(WebhookRateLimiter::class);

            config(['commerce.webhooks.trusted_ips.stripe' => ['10.0.0.0/24']]);

            $inRangeRequest = Request::create('/webhooks/stripe', 'POST');
            $inRangeRequest->server->set('REMOTE_ADDR', '10.0.0.50');

            $outOfRangeRequest = Request::create('/webhooks/stripe', 'POST');
            $outOfRangeRequest->server->set('REMOTE_ADDR', '10.0.1.50');

            expect($limiter->isTrustedGatewayIp($inRangeRequest, 'stripe'))->toBeTrue();
            expect($limiter->isTrustedGatewayIp($outOfRangeRequest, 'stripe'))->toBeFalse();
        });

        it('supports global trusted IPs', function () {
            $limiter = app(WebhookRateLimiter::class);

            config([
                'commerce.webhooks.trusted_ips.global' => ['10.10.10.10'],
                'commerce.webhooks.trusted_ips.stripe' => [],
                'commerce.webhooks.trusted_ips.btcpay' => [],
            ]);

            $request = Request::create('/webhooks/test', 'POST');
            $request->server->set('REMOTE_ADDR', '10.10.10.10');

            // Global IP should be trusted for both gateways
            expect($limiter->isTrustedGatewayIp($request, 'stripe'))->toBeTrue();
            expect($limiter->isTrustedGatewayIp($request, 'btcpay'))->toBeTrue();
        });
    });

    describe('gateway-specific configuration', function () {
        it('uses gateway-specific rate limits when configured', function () {
            $limiter = app(WebhookRateLimiter::class);

            config([
                'commerce.webhooks.rate_limits.default' => 60,
                'commerce.webhooks.rate_limits.stripe' => [
                    'default' => 30,
                    'trusted' => 150,
                ],
                'commerce.webhooks.rate_limits.btcpay' => [
                    'default' => 40,
                    'trusted' => 200,
                ],
            ]);

            $stripeRequest = Request::create('/webhooks/stripe', 'POST');
            $stripeRequest->server->set('REMOTE_ADDR', '127.0.0.1');

            $btcpayRequest = Request::create('/webhooks/btcpay', 'POST');
            $btcpayRequest->server->set('REMOTE_ADDR', '127.0.0.2');

            // Stripe should have 30 limit
            expect($limiter->remainingAttempts($stripeRequest, 'stripe'))->toBe(30);

            // BTCPay should have 40 limit
            expect($limiter->remainingAttempts($btcpayRequest, 'btcpay'))->toBe(40);
        });
    });
});

// ============================================================================
// Webhook Controller Rate Limiting Integration Tests
// ============================================================================

describe('Webhook Controller Rate Limiting', function () {
    beforeEach(function () {
        // Clear rate limiters
        app(RateLimiter::class)->clear('webhook:stripe:ip:127.0.0.1');
        app(RateLimiter::class)->clear('webhook:btcpay:ip:127.0.0.1');
    });

    it('returns 429 when Stripe webhook rate limit exceeded', function () {
        config(['commerce.webhooks.rate_limits.default' => 2]);

        // Make requests until rate limited
        for ($i = 0; $i < 2; $i++) {
            $this->postJson(route('api.webhook.stripe'), [], [
                'Stripe-Signature' => 'invalid',
            ]);
        }

        // Next request should be rate limited
        $response = $this->postJson(route('api.webhook.stripe'), [], [
            'Stripe-Signature' => 'invalid',
        ]);

        $response->assertStatus(429);
        $response->assertHeader('Retry-After');
        $response->assertHeader('X-RateLimit-Remaining', '0');
    });

    it('returns 429 when BTCPay webhook rate limit exceeded', function () {
        config(['commerce.webhooks.rate_limits.default' => 2]);

        // Make requests until rate limited
        for ($i = 0; $i < 2; $i++) {
            $this->postJson(route('api.webhook.btcpay'), [], [
                'BTCPay-Sig' => 'invalid',
            ]);
        }

        // Next request should be rate limited
        $response = $this->postJson(route('api.webhook.btcpay'), [], [
            'BTCPay-Sig' => 'invalid',
        ]);

        $response->assertStatus(429);
        $response->assertHeader('Retry-After');
    });

    it('allows requests from trusted IPs with higher limits', function () {
        config([
            'commerce.webhooks.rate_limits.default' => 2,
            'commerce.webhooks.rate_limits.trusted' => 100,
            'commerce.webhooks.trusted_ips.stripe' => ['127.0.0.1'],
        ]);

        // Trusted IP should be able to make many requests
        for ($i = 0; $i < 10; $i++) {
            $response = $this->postJson(route('api.webhook.stripe'), [], [
                'Stripe-Signature' => 'invalid',
            ]);

            // Should get 401 (invalid signature) not 429 (rate limited)
            $response->assertStatus(401);
        }
    });
});
security(webhooks): add per-IP rate limiting for webhook endpoints (P2-075) Add WebhookRateLimiter service with IP-based rate limiting for webhook endpoints to prevent rate limit exhaustion attacks against legitimate payment webhooks. Changes: - Add WebhookRateLimiter service with per-IP tracking - Default: 60 req/min for unknown IPs, 300 req/min for trusted gateway IPs - Support CIDR ranges for IP allowlisting - Configure via commerce.webhooks.rate_limits and trusted_ips - Update BTCPayWebhookController and StripeWebhookController - Return proper 429 responses with Retry-After headers - Replace global throttle:120,1 middleware with granular controls - Add comprehensive tests for rate limiting behaviour Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-29 18:11:02 +00:00			`<?php`

			`declare(strict_types=1);`

			`use Illuminate\Cache\RateLimiter;`
			`use Illuminate\Http\Request;`
			`use Core\Mod\Commerce\Services\WebhookRateLimiter;`

			`uses(\Illuminate\Foundation\Testing\RefreshDatabase::class);`

			`// ============================================================================`
			`// WebhookRateLimiter Unit Tests`
			`// ============================================================================`

			`describe('WebhookRateLimiter', function () {`
			`beforeEach(function () {`
			`// Clear rate limiter cache before each test`
			`app(RateLimiter::class)->clear('webhook:stripe:ip:127.0.0.1');`
			`app(RateLimiter::class)->clear('webhook:btcpay:ip:127.0.0.1');`
			`app(RateLimiter::class)->clear('webhook:stripe:ip:3.18.12.63');`
			`});`

			`describe('basic rate limiting', function () {`
			`it('allows requests under the limit', function () {`
			`$limiter = app(WebhookRateLimiter::class);`

			`$request = Request::create('/webhooks/stripe', 'POST');`
			`$request->server->set('REMOTE_ADDR', '127.0.0.1');`

			`// First request should be allowed`
			`expect($limiter->tooManyAttempts($request, 'stripe'))->toBeFalse();`
			`});`

			`it('blocks requests over the limit', function () {`
			`$limiter = app(WebhookRateLimiter::class);`

			`$request = Request::create('/webhooks/stripe', 'POST');`
			`$request->server->set('REMOTE_ADDR', '127.0.0.1');`

			`// Use a low limit for testing`
			`config(['commerce.webhooks.rate_limits.default' => 3]);`

			`// Make requests up to the limit`
			`for ($i = 0; $i < 3; $i++) {`
			`$limiter->increment($request, 'stripe');`
			`}`

			`// Next request should be blocked`
			`expect($limiter->tooManyAttempts($request, 'stripe'))->toBeTrue();`
			`});`

			`it('tracks attempts per gateway separately', function () {`
			`$limiter = app(WebhookRateLimiter::class);`

			`$request = Request::create('/webhooks/test', 'POST');`
			`$request->server->set('REMOTE_ADDR', '127.0.0.1');`

			`config(['commerce.webhooks.rate_limits.default' => 3]);`

			`// Exhaust Stripe limit`
			`for ($i = 0; $i < 3; $i++) {`
			`$limiter->increment($request, 'stripe');`
			`}`

			`// Stripe should be blocked`
			`expect($limiter->tooManyAttempts($request, 'stripe'))->toBeTrue();`

			`// BTCPay should still be allowed (separate counter)`
			`expect($limiter->tooManyAttempts($request, 'btcpay'))->toBeFalse();`
			`});`

			`it('tracks attempts per IP separately', function () {`
			`$limiter = app(WebhookRateLimiter::class);`

			`config(['commerce.webhooks.rate_limits.default' => 3]);`

			`$request1 = Request::create('/webhooks/stripe', 'POST');`
			`$request1->server->set('REMOTE_ADDR', '192.168.1.1');`

			`$request2 = Request::create('/webhooks/stripe', 'POST');`
			`$request2->server->set('REMOTE_ADDR', '192.168.1.2');`

			`// Exhaust limit for IP 1`
			`for ($i = 0; $i < 3; $i++) {`
			`$limiter->increment($request1, 'stripe');`
			`}`

			`// IP 1 should be blocked`
			`expect($limiter->tooManyAttempts($request1, 'stripe'))->toBeTrue();`

			`// IP 2 should still be allowed`
			`expect($limiter->tooManyAttempts($request2, 'stripe'))->toBeFalse();`
			`});`

			`it('reports remaining attempts correctly', function () {`
			`$limiter = app(WebhookRateLimiter::class);`

			`$request = Request::create('/webhooks/stripe', 'POST');`
			`$request->server->set('REMOTE_ADDR', '127.0.0.1');`

			`config(['commerce.webhooks.rate_limits.default' => 10]);`

			`expect($limiter->remainingAttempts($request, 'stripe'))->toBe(10);`

			`$limiter->increment($request, 'stripe');`
			`expect($limiter->remainingAttempts($request, 'stripe'))->toBe(9);`

			`$limiter->increment($request, 'stripe');`
			`expect($limiter->remainingAttempts($request, 'stripe'))->toBe(8);`
			`});`

			`it('returns retry-after time when rate limited', function () {`
			`$limiter = app(WebhookRateLimiter::class);`

			`$request = Request::create('/webhooks/stripe', 'POST');`
			`$request->server->set('REMOTE_ADDR', '127.0.0.1');`

			`config(['commerce.webhooks.rate_limits.default' => 1]);`

			`$limiter->increment($request, 'stripe');`

			`// Should have a retry-after time`
			`$retryAfter = $limiter->availableIn($request, 'stripe');`
			`expect($retryAfter)->toBeGreaterThan(0)`
			`->and($retryAfter)->toBeLessThanOrEqual(60);`
			`});`
			`});`

			`describe('trusted gateway IPs', function () {`
			`it('identifies trusted Stripe IPs', function () {`
			`$limiter = app(WebhookRateLimiter::class);`

			`// Configure a trusted IP`
			`config(['commerce.webhooks.trusted_ips.stripe' => ['3.18.12.63']]);`

			`$trustedRequest = Request::create('/webhooks/stripe', 'POST');`
			`$trustedRequest->server->set('REMOTE_ADDR', '3.18.12.63');`

			`$untrustedRequest = Request::create('/webhooks/stripe', 'POST');`
			`$untrustedRequest->server->set('REMOTE_ADDR', '192.168.1.1');`

			`expect($limiter->isTrustedGatewayIp($trustedRequest, 'stripe'))->toBeTrue();`
			`expect($limiter->isTrustedGatewayIp($untrustedRequest, 'stripe'))->toBeFalse();`
			`});`

			`it('gives higher limits to trusted IPs', function () {`
			`$limiter = app(WebhookRateLimiter::class);`

			`config([`
			`'commerce.webhooks.rate_limits.default' => 5,`
			`'commerce.webhooks.rate_limits.trusted' => 100,`
			`'commerce.webhooks.trusted_ips.stripe' => ['3.18.12.63'],`
			`]);`

			`$trustedRequest = Request::create('/webhooks/stripe', 'POST');`
			`$trustedRequest->server->set('REMOTE_ADDR', '3.18.12.63');`

			`$untrustedRequest = Request::create('/webhooks/stripe', 'POST');`
			`$untrustedRequest->server->set('REMOTE_ADDR', '192.168.1.1');`

			`// Untrusted IP should have 5 remaining attempts`
			`expect($limiter->remainingAttempts($untrustedRequest, 'stripe'))->toBe(5);`

			`// Trusted IP should have 100 remaining attempts`
			`expect($limiter->remainingAttempts($trustedRequest, 'stripe'))->toBe(100);`
			`});`

			`it('supports CIDR ranges for trusted IPs', function () {`
			`$limiter = app(WebhookRateLimiter::class);`

			`config(['commerce.webhooks.trusted_ips.stripe' => ['10.0.0.0/24']]);`

			`$inRangeRequest = Request::create('/webhooks/stripe', 'POST');`
			`$inRangeRequest->server->set('REMOTE_ADDR', '10.0.0.50');`

			`$outOfRangeRequest = Request::create('/webhooks/stripe', 'POST');`
			`$outOfRangeRequest->server->set('REMOTE_ADDR', '10.0.1.50');`

			`expect($limiter->isTrustedGatewayIp($inRangeRequest, 'stripe'))->toBeTrue();`
			`expect($limiter->isTrustedGatewayIp($outOfRangeRequest, 'stripe'))->toBeFalse();`
			`});`

			`it('supports global trusted IPs', function () {`
			`$limiter = app(WebhookRateLimiter::class);`

			`config([`
			`'commerce.webhooks.trusted_ips.global' => ['10.10.10.10'],`
			`'commerce.webhooks.trusted_ips.stripe' => [],`
			`'commerce.webhooks.trusted_ips.btcpay' => [],`
			`]);`

			`$request = Request::create('/webhooks/test', 'POST');`
			`$request->server->set('REMOTE_ADDR', '10.10.10.10');`

			`// Global IP should be trusted for both gateways`
			`expect($limiter->isTrustedGatewayIp($request, 'stripe'))->toBeTrue();`
			`expect($limiter->isTrustedGatewayIp($request, 'btcpay'))->toBeTrue();`
			`});`
			`});`

			`describe('gateway-specific configuration', function () {`
			`it('uses gateway-specific rate limits when configured', function () {`
			`$limiter = app(WebhookRateLimiter::class);`

			`config([`
			`'commerce.webhooks.rate_limits.default' => 60,`
			`'commerce.webhooks.rate_limits.stripe' => [`
			`'default' => 30,`
			`'trusted' => 150,`
			`],`
			`'commerce.webhooks.rate_limits.btcpay' => [`
			`'default' => 40,`
			`'trusted' => 200,`
			`],`
			`]);`

			`$stripeRequest = Request::create('/webhooks/stripe', 'POST');`
			`$stripeRequest->server->set('REMOTE_ADDR', '127.0.0.1');`

			`$btcpayRequest = Request::create('/webhooks/btcpay', 'POST');`
			`$btcpayRequest->server->set('REMOTE_ADDR', '127.0.0.2');`

			`// Stripe should have 30 limit`
			`expect($limiter->remainingAttempts($stripeRequest, 'stripe'))->toBe(30);`

			`// BTCPay should have 40 limit`
			`expect($limiter->remainingAttempts($btcpayRequest, 'btcpay'))->toBe(40);`
			`});`
			`});`
			`});`

			`// ============================================================================`
			`// Webhook Controller Rate Limiting Integration Tests`
			`// ============================================================================`

			`describe('Webhook Controller Rate Limiting', function () {`
			`beforeEach(function () {`
			`// Clear rate limiters`
			`app(RateLimiter::class)->clear('webhook:stripe:ip:127.0.0.1');`
			`app(RateLimiter::class)->clear('webhook:btcpay:ip:127.0.0.1');`
			`});`

			`it('returns 429 when Stripe webhook rate limit exceeded', function () {`
			`config(['commerce.webhooks.rate_limits.default' => 2]);`

			`// Make requests until rate limited`
			`for ($i = 0; $i < 2; $i++) {`
			`$this->postJson(route('api.webhook.stripe'), [], [`
			`'Stripe-Signature' => 'invalid',`
			`]);`
			`}`

			`// Next request should be rate limited`
			`$response = $this->postJson(route('api.webhook.stripe'), [], [`
			`'Stripe-Signature' => 'invalid',`
			`]);`

			`$response->assertStatus(429);`
			`$response->assertHeader('Retry-After');`
			`$response->assertHeader('X-RateLimit-Remaining', '0');`
			`});`

			`it('returns 429 when BTCPay webhook rate limit exceeded', function () {`
			`config(['commerce.webhooks.rate_limits.default' => 2]);`

			`// Make requests until rate limited`
			`for ($i = 0; $i < 2; $i++) {`
			`$this->postJson(route('api.webhook.btcpay'), [], [`
			`'BTCPay-Sig' => 'invalid',`
			`]);`
			`}`

			`// Next request should be rate limited`
			`$response = $this->postJson(route('api.webhook.btcpay'), [], [`
			`'BTCPay-Sig' => 'invalid',`
			`]);`

			`$response->assertStatus(429);`
			`$response->assertHeader('Retry-After');`
			`});`

			`it('allows requests from trusted IPs with higher limits', function () {`
			`config([`
			`'commerce.webhooks.rate_limits.default' => 2,`
			`'commerce.webhooks.rate_limits.trusted' => 100,`
			`'commerce.webhooks.trusted_ips.stripe' => ['127.0.0.1'],`
			`]);`

			`// Trusted IP should be able to make many requests`
			`for ($i = 0; $i < 10; $i++) {`
			`$response = $this->postJson(route('api.webhook.stripe'), [], [`
			`'Stripe-Signature' => 'invalid',`
			`]);`

			`// Should get 401 (invalid signature) not 429 (rate limited)`
			`$response->assertStatus(401);`
			`}`
			`});`
			`});`