more fixes

2026-03-12 07:22:38 +01:00
parent 547215cbe8
commit 4f576ceb04
226 changed files with 14380 additions and 4453 deletions
--- a/app/Providers/AppServiceProvider.php
+++ b/app/Providers/AppServiceProvider.php
@@ -63,6 +63,8 @@ class AppServiceProvider extends ServiceProvider
        $this->configureAuthRateLimiters();
        $this->configureUploadRateLimiters();
        $this->configureMessagingRateLimiters();
+        $this->configureDownloadRateLimiter();
+        $this->configureSettingsRateLimiters();
        $this->configureMailFailureLogging();

        ArtworkAward::observe(ArtworkAwardObserver::class);
@@ -143,6 +145,20 @@ class AppServiceProvider extends ServiceProvider

            $view->with(compact('userId','uploadCount', 'favCount', 'msgCount', 'noticeCount', 'avatarHash', 'displayName'));
        });
+
+        // Replace the framework HandleCors with our ConditionalCors so the
+        // CP_ENABLE_CORS / config('cors.paths') toggle takes effect.
+        try {
+            $middlewareConfig = $this->app->make(\Illuminate\Foundation\Configuration\Middleware::class);
+            $middlewareConfig->replace(
+                \Illuminate\Http\Middleware\HandleCors::class,
+                \App\Http\Middleware\ConditionalCors::class
+            );
+        } catch (\Throwable $_) {
+            // Fallback: push to kernel if replace isn't available in this app instance
+            $this->app->make(\Illuminate\Contracts\Http\Kernel::class)
+                ->pushMiddleware(\App\Http\Middleware\ConditionalCors::class);
+        }
    }

    private function configureAuthRateLimiters(): void
@@ -244,4 +260,40 @@ class AppServiceProvider extends ServiceProvider
            ];
        });
    }
+
+    private function configureDownloadRateLimiter(): void
+    {
+        RateLimiter::for('downloads', function (Request $request): array {
+            $userId = $request->user()?->id;
+
+            // Higher user-based allowance prevents false positives for active users,
+            // while IP limit still protects guest endpoints from bursts.
+            return [
+                Limit::perMinute(60)->by('downloads:user:' . ($userId ?? 'guest')),
+                Limit::perMinute(120)->by('downloads:ip:' . $request->ip()),
+            ];
+        });
+    }
+
+    private function configureSettingsRateLimiters(): void
+    {
+        RateLimiter::for('username-check', function (Request $request): Limit {
+            $key = 'username-check:ip:' . $request->ip();
+
+            if (method_exists(Limit::class, 'perSecond')) {
+                return Limit::perSecond(5)->by($key);
+            }
+
+            return Limit::perMinute(300)->by($key);
+        });
+
+        RateLimiter::for('email-change-request', function (Request $request): Limit {
+            $userId = $request->user()?->id;
+            $key = $userId !== null
+                ? 'email-change-request:user:' . $userId
+                : 'email-change-request:ip:' . $request->ip();
+
+            return Limit::perHour(1)->by($key);
+        });
+    }
 }