Move floodgate to middleware, add extender + integration tests (#2170)

src/Api/ApiServiceProvider.php

@@ -42,6 +42,20 @@ class ApiServiceProvider extends AbstractServiceProvider
             return $routes;
         });
 
+        $this->app->singleton('flarum.api.throttlers', function () {
+            return [
+                'bypassThrottlingAttribute' => function ($request) {
+                    if ($request->getAttribute('bypassThrottling')) {
+                        return false;
+                    }
+                }
+            ];
+        });
+
+        $this->app->bind(Middleware\ThrottleApi::class, function ($app) {
+            return new Middleware\ThrottleApi($app->make('flarum.api.throttlers'));
+        });
+
         $this->app->singleton('flarum.api.middleware', function () {
             return [
                 'flarum.api.error_handler',
@@ -53,7 +67,8 @@ class ApiServiceProvider extends AbstractServiceProvider
                 HttpMiddleware\AuthenticateWithHeader::class,
                 HttpMiddleware\SetLocale::class,
                 'flarum.api.route_resolver',
-                HttpMiddleware\CheckCsrfToken::class
+                HttpMiddleware\CheckCsrfToken::class,
+                Middleware\ThrottleApi::class
             ];
         });
 

src/Api/Controller/CreateDiscussionController.php

@@ -64,6 +64,9 @@ class CreateDiscussionController extends AbstractCreateController
         $actor = $request->getAttribute('actor');
         $ipAddress = Arr::get($request->getServerParams(), 'REMOTE_ADDR', '127.0.0.1');
 
+        /**
+         * @deprecated, remove in beta 15.
+         */
         if (! $request->getAttribute('bypassFloodgate')) {
             $this->floodgate->assertNotFlooding($actor);
         }

src/Api/Controller/CreatePostController.php

@@ -65,6 +65,9 @@ class CreatePostController extends AbstractCreateController
         $discussionId = Arr::get($data, 'relationships.discussion.data.id');
         $ipAddress = Arr::get($request->getServerParams(), 'REMOTE_ADDR', '127.0.0.1');
 
+        /**
+         * @deprecated, remove in beta 15.
+         */
         if (! $request->getAttribute('bypassFloodgate')) {
             $this->floodgate->assertNotFlooding($actor);
         }

src/Api/Middleware/ThrottleApi.php

@@ -0,0 +1,57 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\Api\Middleware;
+
+use Flarum\Post\Exception\FloodingException;
+use Psr\Http\Message\ResponseInterface as Response;
+use Psr\Http\Message\ServerRequestInterface as Request;
+use Psr\Http\Server\MiddlewareInterface as Middleware;
+use Psr\Http\Server\RequestHandlerInterface as Handler;
+
+class ThrottleApi implements Middleware
+{
+    protected $throttlers;
+
+    public function __construct(array $throttlers)
+    {
+        $this->throttlers = $throttlers;
+    }
+
+    public function process(Request $request, Handler $handler): Response
+    {
+        if ($this->throttle($request)) {
+            throw new FloodingException;
+        }
+
+        return $handler->handle($request);
+    }
+
+    /**
+     * @return bool
+     */
+    public function throttle(Request $request): bool
+    {
+        $throttle = false;
+        foreach ($this->throttlers as $throttler) {
+            $result = $throttler($request);
+
+            // Explicitly returning false overrides all throttling.
+            // Explicitly returning true marks the request to be throttled.
+            // Anything else is ignored.
+            if ($result === false) {
+                return false;
+            } elseif ($result === true) {
+                $throttle = true;
+            }
+        }
+
+        return $throttle;
+    }
+}