Add support for ratelimiting via annotations

This allows adding rate limiting via annotations to controllers, as one example:

```
@UserRateThrottle(limit=5, period=100)
@AnonRateThrottle(limit=1, period=100)
```

Would mean that logged-in users can access the page 5 times within 100 seconds, and anonymous users 1 time within 100 seconds. If only an AnonRateThrottle is specified that one will also be applied to logged-in users.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>

1 files changed, 58 insertions, 0 deletions

diff --git a/build/integration/features/ratelimiting.feature b/build/integration/features/ratelimiting.feature
new file mode 100644
index 00000000000..bd8b2e30a73
--- /dev/null
+++ b/build/integration/features/ratelimiting.feature
@@ -0,0 +1,58 @@
+Feature: ratelimiting
+  
+  Background:
+    Given user "user0" exists
+    Given As an "admin"
+    Given app "testing" is enabled
+
+  Scenario: Accessing a page with only an AnonRateThrottle as user
+    Given user "user0" exists
+    # First request should work
+    When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
+    Then the HTTP status code should be "200"
+    # Second one should fail
+    When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
+    Then the HTTP status code should be "429"
+    # After 11 seconds the next request should work
+    And Sleep for "11" seconds
+    When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
+    Then the HTTP status code should be "200"
+
+  Scenario: Accessing a page with only an AnonRateThrottle as guest
+    Given Sleep for "11" seconds
+    # First request should work
+    When requesting "/index.php/apps/testing/anonProtected" with "GET"
+    Then the HTTP status code should be "200"
+    # Second one should fail
+    When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
+    Then the HTTP status code should be "429"
+    # After 11 seconds the next request should work
+    And Sleep for "11" seconds
+    When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
+    Then the HTTP status code should be "200"
+
+  Scenario: Accessing a page with UserRateThrottle and AnonRateThrottle
+    # First request should work as guest
+    When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET"
+    Then the HTTP status code should be "200"
+    # Second request should fail as guest
+    When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET"
+    Then the HTTP status code should be "429"
+    # First request should work as user
+    When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
+    Then the HTTP status code should be "200"
+    # Second request should work as user
+    When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
+    Then the HTTP status code should be "200"
+    # Third request should work as user
+    When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
+    Then the HTTP status code should be "200"
+    # Fourth request should work as user
+    When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
+    Then the HTTP status code should be "200"
+    # Fifth request should work as user
+    When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
+    Then the HTTP status code should be "200"
+    # Sixth request should fail as user
+    When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET"
+    Then the HTTP status code should be "429"