feat: Implement atomic operations and rate limiting #2566

Open
khushal-winner wants to merge 6 commits into OWASP:master from khushal-winner:feat/rate-limiting-atomic-operations

@khushal-winner khushal-winner commented Mar 8, 2026

Closes - #2559

  • Add atomic card play operations to prevent race conditions
  • Implement comprehensive rate limiting for API endpoints
  • Add rate limiting plug to API pipeline
  • Add comprehensive test coverage for rate limiting
  • Fix CAPEC-212 functionality misuse vulnerabilities

Security improvements: prevents DoS attacks and race conditions

- Fix atomic operations to enforce one-card-per-round invariant in DB transaction
- Fix error handling to propagate failures to HTTP responses instead of always returning 200
- Fix rate limiter plug to handle stateless API requests without sessions
- Add synchronous clear_ip_sync function for reliable test setup
- Fix API rate limiter tests to include x-forwarded-for headers and test actual rate limiting
- Fix integration tests to wait for rate limit windows to expire and use synchronous clears
- Improve test reliability by handling GenServer already_started cases

Security improvements: ensures atomic invariants and proper error propagation
- Use Repo.transaction to enforce one-card-per-round invariant atomically
- Fix rate limiter handle_call to preserve map structure properly
- Fix rate limiter plug to use String.ends_with? for stricter path matching
- Fix API rate limiter test loop range (1..9 instead of 1..10)
- Fix integration test to use CopiWeb.Router.call for proper endpoint testing
- Unwrap transaction result to return flat tuple structure
- Anonymize IP addresses in rate limiter logs using SHA-256 hash
- Fix integration test Task.async block to handle %Plug.Conn{} properly
- Fix integration test assertions to count specific status codes (200/409/429)
- Fix time window test to convert seconds to milliseconds
- Fix API rate limiter tests to use dynamic limits from config
- Fix play_card to verify player exists before accessing dealt_cards
- Remove localhost rate limiter bypass that could be spoofed via X-Forwarded-For
- Only bypass rate limiting when actual connection IP is loopback
- Fix integration test to use proper router calls instead of direct plug calls
- Fix integration test to use short test windows instead of production durations
- Add proper test config restoration to prevent test interference
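
The X-Forwarded-For bypass and the hashed log identifier named in the list above, sketched as an added example that is not code from this pull request or from the Copi code base. The module name, function names and the sample request are hypothetical and constructed for illustration.

```elixir
# Added example; module and function names are hypothetical, not from the PR.
defmodule RateLimitBypassExample do
  # Weak form: the bypass decision trusts the client-supplied
  # X-Forwarded-For header when one is present.
  def bypass_spoofable?(remote_ip, headers) do
    case List.keyfind(headers, "x-forwarded-for", 0) do
      {_, value} -> value |> first_hop() |> loopback?()
      nil -> loopback?(remote_ip)
    end
  end

  # Hardened form: only the socket peer address decides; headers are ignored.
  def bypass?(remote_ip, _headers), do: loopback?(remote_ip)

  # True for 127.0.0.0/8 and ::1, false for anything else (including nil).
  def loopback?({127, _, _, _}), do: true
  def loopback?({0, 0, 0, 0, 0, 0, 0, 1}), do: true
  def loopback?(_), do: false

  # SHA-256 digest of the textual address, used in place of the raw IP in logs.
  def log_id(ip) do
    text = ip |> :inet.ntoa() |> to_string()
    :crypto.hash(:sha256, text) |> Base.encode16(case: :lower)
  end

  # Parse the first entry of an X-Forwarded-For value into an IP tuple, or nil.
  defp first_hop(value) do
    first = value |> String.split(",") |> hd() |> String.trim()

    case :inet.parse_address(String.to_charlist(first)) do
      {:ok, ip} -> ip
      {:error, _} -> nil
    end
  end
end

# Constructed request: a remote peer whose header claims to be localhost.
peer = {203, 0, 113, 7}
headers = [{"x-forwarded-for", "127.0.0.1"}]

IO.inspect(RateLimitBypassExample.bypass_spoofable?(peer, headers), label: "spoofable")
IO.inspect(RateLimitBypassExample.bypass?(peer, headers), label: "hardened")
IO.inspect(RateLimitBypassExample.bypass?({127, 0, 0, 1}, []), label: "real loopback")
IO.puts("log id: " <> RateLimitBypassExample.log_id(peer))
```

Behind a reverse proxy the peer address is the proxy's, so the client address used as the rate-limit key has to come from a header that the proxy itself sets or overwrites, never from one the client can supply unchanged.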
Collaborator

@sydseter sydseter left a comment

This may not work on fly, but I’ll try it out.

@doc """
Synchronously clears all rate limit data for a specific IP address (useful for testing).
"""
def clear_ip_sync(ip) do
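
Review bot: the @doc on clear_ip_sync/1 says the function exists for testing, yet it is declared with a plain def, so it is public in every environment. A call that clears all rate limit data for an IP is worth keeping out of production call paths: consider compiling it only when Mix.env() == :test, or moving it into a test support module, and mark it @doc false if it has to stay here.
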
Collaborator

Why is this useful?

Contributor Author

Helps troubleshoot rate limit behavior in dev/test environments

@khushal-winner
Contributor Author

@sydseter, fixed the changes

@khushal-winner khushal-winner requested a review from sydseter March 13, 2026 14:02