feat: rate limiting configuration with IP-based partitioning

nanotaboada · nanotaboada · commit 98f133c581b3 · 2025-07-28T10:18:07.000-03:00
diff --git a/src/Dotnet.Samples.AspNetCore.WebApi/Extensions/ServiceCollectionExtensions.cs b/src/Dotnet.Samples.AspNetCore.WebApi/Extensions/ServiceCollectionExtensions.cs
@@ -14,9 +14,9 @@
 namespace Dotnet.Samples.AspNetCore.WebApi.Extensions;
 
 /// <summary>
-/// Extension methods for WebApplicationBuilder to encapsulate service configuration.
+/// Extension methods for IServiceCollection to encapsulate service configuration.
 /// </summary>
-public static class ServiceCollectionExtensions
+public static partial class ServiceCollectionExtensions
 {
     /// <summary>
     /// Adds DbContextPool with SQLite configuration for PlayerDbContext.
@@ -54,16 +54,25 @@ IWebHostEnvironment environment
     /// <see href="https://learn.microsoft.com/en-us/aspnet/core/security/cors"/>
     /// </summary>
     /// <param name="services">The IServiceCollection instance.</param>
+    /// <param name="environment">The web host environment.</param>
     /// <returns>The IServiceCollection for method chaining.</returns>
-    public static IServiceCollection AddCorsDefaultPolicy(this IServiceCollection services)
+    public static IServiceCollection AddCorsDefaultPolicy(
+        this IServiceCollection services,
+        IWebHostEnvironment environment
+    )
     {
-        services.AddCors(options =>
+        if (environment.IsDevelopment())
         {
-            options.AddDefaultPolicy(corsBuilder =>
+            services.AddCors(options =>
             {
-                corsBuilder.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader();
+                options.AddDefaultPolicy(corsBuilder =>
+                {
+                    corsBuilder.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader();
+                });
             });
-        });
+        }
+
+        // No CORS configured in Production or other environments
 
         return services;
     }
@@ -143,4 +152,39 @@ public static IServiceCollection RegisterPlayerRepository(this IServiceCollectio
         services.AddScoped<IPlayerRepository, PlayerRepository>();
         return services;
     }
+
+    /// <summary>
+    /// Adds rate limiting configuration with IP-based partitioning.
+    /// <br />
+    /// <see href="https://learn.microsoft.com/en-us/aspnet/core/performance/rate-limit"/>
+    /// </summary>
+    /// <param name="services">The IServiceCollection instance.</param>
+    /// <returns>The IServiceCollection for method chaining.</returns>
+    public static IServiceCollection AddFixedWindowRateLimiter(this IServiceCollection services)
+    {
+        services.AddRateLimiter(options =>
+        {
+            options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(
+                httpContext =>
+                {
+                    var partitionKey = HttpContextUtilities.ExtractIpAddress(httpContext);
+
+                    return RateLimitPartition.GetFixedWindowLimiter(
+                        partitionKey: partitionKey,
+                        factory: _ => new FixedWindowRateLimiterOptions
+                        {
+                            PermitLimit = 60,
+                            Window = TimeSpan.FromSeconds(60),
+                            QueueProcessingOrder = QueueProcessingOrder.OldestFirst,
+                            QueueLimit = 0
+                        }
+                    );
+                }
+            );
+
+            options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
+        });
+
+        return services;
+    }
 }
diff --git a/src/Dotnet.Samples.AspNetCore.WebApi/Program.cs b/src/Dotnet.Samples.AspNetCore.WebApi/Program.cs
@@ -22,10 +22,11 @@
 
 /* Controllers -------------------------------------------------------------- */
 
-builder.Services.AddControllers();
-builder.Services.AddCorsDefaultPolicy();
 builder.Services.AddHealthChecks();
+builder.Services.AddControllers();
 builder.Services.AddValidators();
+builder.Services.AddCorsDefaultPolicy(builder.Environment);
+builder.Services.AddFixedWindowRateLimiter();
 
 if (builder.Environment.IsDevelopment())
 {
@@ -54,17 +55,16 @@
  * -------------------------------------------------------------------------- */
 
 app.UseSerilogRequestLogging();
+app.UseHttpsRedirection();
+app.MapHealthChecks("/health");
+app.UseRateLimiter();
+app.MapControllers();
 
 if (app.Environment.IsDevelopment())
 {
+    app.UseCors();
     app.UseSwagger();
     app.UseSwaggerUI();
 }
 
-app.UseHttpsRedirection();
-app.UseCors();
-app.UseRateLimiter();
-app.MapHealthChecks("/health");
-app.MapControllers();
-
 await app.RunAsync();
diff --git a/src/Dotnet.Samples.AspNetCore.WebApi/Utilities/HttpContextUtilities.cs b/src/Dotnet.Samples.AspNetCore.WebApi/Utilities/HttpContextUtilities.cs
@@ -0,0 +1,47 @@
+using System.Net;
+
+namespace Dotnet.Samples.AspNetCore.WebApi.Utilities;
+
+/// <summary>
+/// Utility class for HTTP context operations.
+/// </summary>
+public static class HttpContextUtilities
+{
+    /// <summary>
+    /// This method checks for the "X-Forwarded-For" and "X-Real-IP" headers,
+    /// which are commonly used by proxies to forward the original client IP address.
+    /// If these headers are not present or the IP address cannot be parsed,
+    /// it falls back to the remote IP address from the connection.
+    /// If no valid IP address can be determined, it returns "unknown".
+    /// </summary>
+    /// <param name="httpContext">The HTTP context.</param>
+    /// <returns>The client IP address or "unknown" if not available.</returns>
+    public static string ExtractIpAddress(HttpContext httpContext)
+    {
+        ArgumentNullException.ThrowIfNull(httpContext);
+
+        var headers = httpContext.Request.Headers;
+        IPAddress? ipAddress;
+
+        if (headers.TryGetValue("X-Forwarded-For", out var xForwardedFor))
+        {
+            var clientIp = xForwardedFor
+                .ToString()
+                .Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)
+                .FirstOrDefault();
+
+            if (!string.IsNullOrWhiteSpace(clientIp) && IPAddress.TryParse(clientIp, out ipAddress))
+                return ipAddress.ToString();
+        }
+
+        if (
+            headers.TryGetValue("X-Real-IP", out var xRealIp)
+            && IPAddress.TryParse(xRealIp.ToString(), out ipAddress)
+        )
+        {
+            return ipAddress.ToString();
+        }
+
+        return httpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown-{Guid.NewGuid()}";
+    }
+}
