# 🔧 CORS & Rate Limit Yönetim API'si ## Yeni Endpoint'ler ### Base URL ``` http://localhost:8080/v1/settings ``` **Not:** Tüm settings endpoint'leri authentication gerektirir (Bearer token). --- ## 📋 CORS Whitelist Yönetimi ### 1. Tüm Whitelist Kayıtlarını Getir ``` GET /v1/settings/cors/whitelist Authorization: Bearer {token} ``` **Response:** ```json [ { "id": "uuid", "origin": "http://localhost:3000", "description": "Default local frontend", "is_active": true, "created_by": "system", "created_at": "2026-02-04T00:00:00Z", "updated_at": "2026-02-04T00:00:00Z" } ] ``` ### 2. Yeni Whitelist Ekle ``` POST /v1/settings/cors/whitelist Authorization: Bearer {token} Content-Type: application/json ``` **Request Body:** ```json { "origin": "https://example.com", "description": "Production frontend" } ``` **Response (201):** ```json { "id": "uuid", "origin": "https://example.com", "description": "Production frontend", "is_active": true, "created_by": "user@example.com", "created_at": "2026-02-04T00:00:00Z", "updated_at": "2026-02-04T00:00:00Z" } ``` ### 3. Whitelist Güncelle ``` PUT /v1/settings/cors/whitelist/{id} Authorization: Bearer {token} Content-Type: application/json ``` **Request Body:** ```json { "origin": "https://newdomain.com", "description": "Updated description", "is_active": false } ``` **Response (200):** ```json { "message": "Whitelist updated successfully" } ``` ### 4. Whitelist Sil ``` DELETE /v1/settings/cors/whitelist/{id} Authorization: Bearer {token} ``` **Response (200):** ```json { "message": "Whitelist entry deleted successfully" } ``` --- ## 🚫 CORS Blacklist Yönetimi ### 1. Tüm Blacklist Kayıtlarını Getir ``` GET /v1/settings/cors/blacklist Authorization: Bearer {token} ``` **Response:** ```json [ { "id": "uuid", "origin": "http://malicious-site.com", "reason": "Security threat", "is_active": true, "created_by": "admin@example.com", "created_at": "2026-02-04T00:00:00Z", "updated_at": "2026-02-04T00:00:00Z" } ] ``` ### 2. Yeni Blacklist Ekle ``` POST /v1/settings/cors/blacklist Authorization: Bearer {token} Content-Type: application/json ``` **Request Body:** ```json { "origin": "http://spam-site.com", "reason": "Spam attempts detected" } ``` **Response (201):** ```json { "id": "uuid", "origin": "http://spam-site.com", "reason": "Spam attempts detected", "is_active": true, "created_by": "user@example.com", "created_at": "2026-02-04T00:00:00Z", "updated_at": "2026-02-04T00:00:00Z" } ``` ### 3. Blacklist Güncelle ``` PUT /v1/settings/cors/blacklist/{id} Authorization: Bearer {token} Content-Type: application/json ``` **Request Body:** ```json { "origin": "http://updated-domain.com", "reason": "Updated reason", "is_active": true } ``` **Response (200):** ```json { "message": "Blacklist updated successfully" } ``` ### 4. Blacklist Sil ``` DELETE /v1/settings/cors/blacklist/{id} Authorization: Bearer {token} ``` **Response (200):** ```json { "message": "Blacklist entry deleted successfully" } ``` --- ## ⚡ Rate Limit Ayarları Yönetimi ### 1. Tüm Rate Limit Ayarlarını Getir ``` GET /v1/settings/ratelimit Authorization: Bearer {token} ``` **Response:** ```json [ { "id": "uuid", "name": "login", "description": "Login endpoint rate limit", "max_requests": 5, "window_seconds": 60, "is_active": true, "updated_by": "admin@example.com", "created_at": "2026-02-04T00:00:00Z", "updated_at": "2026-02-04T00:00:00Z" }, { "id": "uuid", "name": "register", "description": "Registration endpoint rate limit", "max_requests": 3, "window_seconds": 300, "is_active": true, "updated_by": null, "created_at": "2026-02-04T00:00:00Z", "updated_at": "2026-02-04T00:00:00Z" }, { "id": "uuid", "name": "api", "description": "General API rate limit", "max_requests": 100, "window_seconds": 60, "is_active": true, "updated_by": null, "created_at": "2026-02-04T00:00:00Z", "updated_at": "2026-02-04T00:00:00Z" } ] ``` ### 2. Rate Limit Ayarını Güncelle ``` PUT /v1/settings/ratelimit/{id} Authorization: Bearer {token} Content-Type: application/json ``` **Request Body:** ```json { "max_requests": 10, "window_seconds": 120, "description": "Updated rate limit", "is_active": true } ``` **Response (200):** ```json { "message": "Rate limit setting updated successfully" } ``` --- ## 🔄 Çalışma Mantığı ### CORS Kontrolü 1. **Request gelir** → Origin header okunur 2. **Blacklist kontrolü** → Origin blacklist'te var mı? - Varsa → **403 Forbidden** 3. **Whitelist kontrolü** → Origin whitelist'te var mı? - Varsa → **İzin ver** - Yoksa → **403 Forbidden** ### Cache Stratejisi - **Whitelist/Blacklist**: 1 saat cache - **Rate Limit Settings**: 1 saat cache - Her CRUD işleminden sonra ilgili cache **invalidate** edilir - Database'den tekrar okunur ve cache'lenir ### Rate Limiting 1. **Database'den ayarlar okunur** (cache'den veya DB'den) 2. **IP bazlı sayaç** Redis'te tutulur 3. **Limit aşılırsa** → **429 Too Many Requests** --- ## 📝 Kullanım Örnekleri ### JavaScript/TypeScript ```javascript const API_BASE = 'http://localhost:8080/v1/settings'; const token = localStorage.getItem('access_token'); // Whitelist'e yeni origin ekle async function addToWhitelist(origin, description) { const response = await fetch(`${API_BASE}/cors/whitelist`, { method: 'POST', headers: { 'Authorization': `Bearer ${token}`, 'Content-Type': 'application/json' }, body: JSON.stringify({ origin, description }) }); return response.json(); } // Rate limit ayarlarını getir async function getRateLimits() { const response = await fetch(`${API_BASE}/ratelimit`, { headers: { 'Authorization': `Bearer ${token}` } }); return response.json(); } // Rate limit güncelle async function updateRateLimit(id, maxRequests, windowSeconds) { const response = await fetch(`${API_BASE}/ratelimit/${id}`, { method: 'PUT', headers: { 'Authorization': `Bearer ${token}`, 'Content-Type': 'application/json' }, body: JSON.stringify({ max_requests: maxRequests, window_seconds: windowSeconds }) }); return response.json(); } // Blacklist'e ekle async function addToBlacklist(origin, reason) { const response = await fetch(`${API_BASE}/cors/blacklist`, { method: 'POST', headers: { 'Authorization': `Bearer ${token}`, 'Content-Type': 'application/json' }, body: JSON.stringify({ origin, reason }) }); return response.json(); } ``` ### cURL Örnekleri ```bash # Token al (önce login) TOKEN="your_access_token_here" # Whitelist'i görüntüle curl -X GET http://localhost:8080/v1/settings/cors/whitelist \ -H "Authorization: Bearer $TOKEN" # Yeni origin ekle curl -X POST http://localhost:8080/v1/settings/cors/whitelist \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ -d '{ "origin": "https://myapp.com", "description": "Production app" }' # Whitelist güncelle curl -X PUT http://localhost:8080/v1/settings/cors/whitelist/UUID_HERE \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ -d '{ "is_active": false }' # Blacklist'e ekle curl -X POST http://localhost:8080/v1/settings/cors/blacklist \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ -d '{ "origin": "http://bad-site.com", "reason": "Security threat" }' # Rate limit ayarlarını görüntüle curl -X GET http://localhost:8080/v1/settings/ratelimit \ -H "Authorization: Bearer $TOKEN" # Rate limit güncelle curl -X PUT http://localhost:8080/v1/settings/ratelimit/UUID_HERE \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ -d '{ "max_requests": 20, "window_seconds": 60, "description": "Updated login limit" }' ``` --- ## 🗄️ Database Tabloları ### cors_whitelists ```sql CREATE TABLE cors_whitelists ( id UUID PRIMARY KEY, origin VARCHAR(255) UNIQUE NOT NULL, description TEXT, is_active BOOLEAN DEFAULT true, created_by VARCHAR(255), created_at TIMESTAMP, updated_at TIMESTAMP ); ``` ### cors_blacklists ```sql CREATE TABLE cors_blacklists ( id UUID PRIMARY KEY, origin VARCHAR(255) UNIQUE NOT NULL, reason TEXT, is_active BOOLEAN DEFAULT true, created_by VARCHAR(255), created_at TIMESTAMP, updated_at TIMESTAMP ); ``` ### rate_limit_settings ```sql CREATE TABLE rate_limit_settings ( id UUID PRIMARY KEY, name VARCHAR(100) UNIQUE NOT NULL, description TEXT, max_requests BIGINT NOT NULL, window_seconds INTEGER NOT NULL, is_active BOOLEAN DEFAULT true, updated_by VARCHAR(255), created_at TIMESTAMP, updated_at TIMESTAMP ); ``` --- ## ⚙️ Default Ayarlar Uygulama ilk kez başlatıldığında otomatik olarak şu ayarlar oluşturulur: ### CORS Whitelist - `http://localhost:3000` - Default local frontend - `http://localhost:8080` - Backend self ### Rate Limit Settings - **login**: 5 istek / 60 saniye - **register**: 3 istek / 300 saniye - **api**: 100 istek / 60 saniye --- ## 🔐 Güvenlik Notları 1. **Authentication Zorunlu**: Tüm settings endpoint'leri authentication gerektirir 2. **Admin Kontrolü**: Şu anda tüm authenticated kullanıcılar yönetebilir (TODO: Admin role check eklenecek) 3. **Cache**: Değişiklikler 1 saat boyunca cache'de kalır 4. **Blacklist Önceliği**: Blacklist kontrolü whitelist'ten önce yapılır --- ## 📊 Frontend Admin Panel Örneği ```javascript // Admin Panel Component class CorsManagement { constructor() { this.api = 'http://localhost:8080/v1/settings'; this.token = localStorage.getItem('access_token'); } async getWhitelist() { const res = await fetch(`${this.api}/cors/whitelist`, { headers: { 'Authorization': `Bearer ${this.token}` } }); return res.json(); } async addWhitelist(origin, description) { const res = await fetch(`${this.api}/cors/whitelist`, { method: 'POST', headers: { 'Authorization': `Bearer ${this.token}`, 'Content-Type': 'application/json' }, body: JSON.stringify({ origin, description }) }); return res.json(); } async updateWhitelist(id, data) { const res = await fetch(`${this.api}/cors/whitelist/${id}`, { method: 'PUT', headers: { 'Authorization': `Bearer ${this.token}`, 'Content-Type': 'application/json' }, body: JSON.stringify(data) }); return res.json(); } async deleteWhitelist(id) { const res = await fetch(`${this.api}/cors/whitelist/${id}`, { method: 'DELETE', headers: { 'Authorization': `Bearer ${this.token}` } }); return res.json(); } } // Kullanım const corsManager = new CorsManagement(); // Whitelist listele corsManager.getWhitelist().then(data => { console.log('Whitelist:', data); }); // Yeni ekle corsManager.addWhitelist('https://myapp.com', 'Production app'); // Güncelle corsManager.updateWhitelist('uuid-here', { is_active: false }); // Sil corsManager.deleteWhitelist('uuid-here'); ``` --- ## ✅ Özet Artık CORS whitelist/blacklist ve rate limit ayarlarını: - ✅ **Database'de** saklayabiliyorsunuz - ✅ **Redis ile cache**'leyebiliyorsunuz - ✅ **Frontend'den yönetebiliyorsunuz** - ✅ **CRUD işlemleri** yapabiliyorsunuz - ✅ **Dinamik olarak** güncelleyebiliyorsunuz Tüm ayarlar database'de tutulur, değişiklikler anında Redis cache'ini invalidate eder ve yeni değerler kullanılmaya başlanır!