add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
# Anfragelimits (Rate Limiting)
|
|
|
|
|
|
2026-03-14 15:57:44 +01:00
|
|
|
Letzte Aktualisierung: 2026-03-14
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
|
|
|
|
|
## Ziel
|
|
|
|
|
|
2026-03-04 15:56:58 +01:00
|
|
|
Brute-Force und API-Spam begrenzen, ohne Verfügbarkeit zu gefährden.
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
|
2026-03-04 15:56:58 +01:00
|
|
|
## Technischer Kern
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
|
2026-04-13 23:20:05 +02:00
|
|
|
- Service: `core/Service/Security/RateLimiterService.php`
|
|
|
|
|
- Repository: `core/Repository/Security/RateLimitRepository.php`
|
2026-03-04 15:56:58 +01:00
|
|
|
- Storage: `request_rate_limits`
|
|
|
|
|
- `scope`, `subject_hash`, `hits`, `window_started_at`, `blocked_until`
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
|
2026-03-04 15:56:58 +01:00
|
|
|
Wichtig:
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
|
2026-03-04 15:56:58 +01:00
|
|
|
- Subject wird gehasht (SHA-256), kein Klartext-Key.
|
|
|
|
|
- Verhalten ist fail-open bei Storage-Fehlern.
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
|
2026-03-04 15:56:58 +01:00
|
|
|
## API-Limits (global)
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
|
2026-04-13 23:20:05 +02:00
|
|
|
Durchgesetzt in `core/Http/ApiBootstrap.php`:
|
2026-02-24 08:49:40 +01:00
|
|
|
|
2026-03-04 15:56:58 +01:00
|
|
|
1. IP-only (`api.ip`)
|
|
|
|
|
- 120 Requests / 60s
|
|
|
|
|
- Block 120s
|
|
|
|
|
2. Token+IP (`api.token_ip`)
|
|
|
|
|
- 300 Requests / 60s
|
|
|
|
|
- Block 120s
|
2026-02-24 08:49:40 +01:00
|
|
|
|
2026-03-04 15:56:58 +01:00
|
|
|
Bei Block:
|
2026-02-24 08:49:40 +01:00
|
|
|
|
2026-03-04 15:56:58 +01:00
|
|
|
- HTTP `429`
|
|
|
|
|
- `Retry-After`
|
|
|
|
|
- Body `{"error":"rate_limit_exceeded"}`
|
2026-02-24 08:49:40 +01:00
|
|
|
|
2026-03-04 15:56:58 +01:00
|
|
|
## Web-Login-Limits
|
2026-02-24 08:49:40 +01:00
|
|
|
|
2026-03-04 15:56:58 +01:00
|
|
|
In `pages/auth/login().php`:
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
|
2026-03-04 15:56:58 +01:00
|
|
|
1. Resolve-Phase pro IP (`login.resolve.ip`)
|
|
|
|
|
- 25 Versuche / 600s
|
|
|
|
|
- Block 300s
|
|
|
|
|
2. Passwortphase pro E-Mail+IP (`login.password.email_ip`)
|
|
|
|
|
- 5 Fehlversuche / 900s
|
|
|
|
|
- Block 900s
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
|
2026-03-04 15:56:58 +01:00
|
|
|
Erfolgreicher Passwort-Login setzt den Passwort-Scope zurück.
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
|
2026-03-04 15:56:58 +01:00
|
|
|
## API-Login-Limits
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
|
2026-03-04 15:56:58 +01:00
|
|
|
In `pages/api/v1/auth/login().php` (zusätzlich zu globalen API-Limits):
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
|
2026-03-04 15:56:58 +01:00
|
|
|
1. IP (`api.auth.login.ip`)
|
|
|
|
|
- 10 Fehlversuche / 600s
|
|
|
|
|
- Block 300s
|
|
|
|
|
2. E-Mail+IP (`api.auth.login.email_ip`)
|
|
|
|
|
- 5 Fehlversuche / 900s
|
|
|
|
|
- Block 900s
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
|
2026-03-04 15:56:58 +01:00
|
|
|
Erfolgreicher API-Login setzt `api.auth.login.email_ip` zurück.
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
|
2026-03-14 15:57:44 +01:00
|
|
|
## Remember-Token-Limits
|
|
|
|
|
|
2026-04-13 23:20:05 +02:00
|
|
|
In `core/Service/Auth/RememberMeRateLimiter.php` (Memcached-basiert):
|
2026-03-14 15:57:44 +01:00
|
|
|
|
|
|
|
|
1. Pro IP (`remember_rl:{ip}`)
|
|
|
|
|
- 5 Fehlversuche / 900s
|
|
|
|
|
- Block 900s (automatisch via Memcached-TTL)
|
|
|
|
|
|
|
|
|
|
Erfolgreicher Auto-Login setzt den Counter zurück.
|
|
|
|
|
|
|
|
|
|
Unterschied zu den DB-basierten Limits oben: Memcached statt `request_rate_limits`-Tabelle. Verhindert DB-Last bei Brute-Force gegen Remember-Cookies.
|
|
|
|
|
|
2026-03-04 15:56:58 +01:00
|
|
|
## Smoke-Test
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
|
2026-03-04 15:56:58 +01:00
|
|
|
1. API ohne Token >120 Requests/min gegen `/api/v1/*` -> `429` erwartet.
|
|
|
|
|
2. Web-Login mit falschem Passwort >5 pro E-Mail+IP -> `429` erwartet.
|
|
|
|
|
3. API-Login mit falschen Credentials wiederholt -> `429` erwartet.
|
2026-03-14 15:57:44 +01:00
|
|
|
4. Remember-Cookie mit falschem Token >5 pro IP -> Auto-Login blockiert, Cookie geloescht.
|