diff --git a/cmd/server/main.go b/cmd/server/main.go index a0e6ef8..2d942b6 100644 --- a/cmd/server/main.go +++ b/cmd/server/main.go @@ -1,6 +1,7 @@ package main import ( + "ResendIt/internal/api/middleware" "ResendIt/internal/auth" "ResendIt/internal/db" "ResendIt/internal/file" @@ -14,6 +15,7 @@ import ( "html/template" "net/http" "os" + "time" "github.com/gin-gonic/gin" "github.com/joho/godotenv" @@ -74,6 +76,9 @@ func main() { createAdminUser(userService) apiRoute := r.Group("/api") + // General API rate limiting to reduce abuse/spam. + // ~60 req/min per IP with some burst room. + apiRoute.Use(middleware.RateLimitByIP(60, time.Minute, 30, 5*time.Minute)) auth.RegisterRoutes(apiRoute, authHandler) user.RegisterRoutes(apiRoute, userHandler) diff --git a/internal/api/middleware/ratelimit.go b/internal/api/middleware/ratelimit.go new file mode 100644 index 0000000..521e617 --- /dev/null +++ b/internal/api/middleware/ratelimit.go @@ -0,0 +1,118 @@ +package middleware + +import ( + "net/http" + "sync" + "time" + + "github.com/gin-gonic/gin" +) + +type tokenBucket struct { + mu sync.Mutex + rate float64 // tokens per second + burst float64 // max tokens + tokens float64 + last time.Time +} + +func newTokenBucket(max int, per time.Duration, burst int) *tokenBucket { + if burst <= 0 { + burst = max + } + rate := float64(max) / per.Seconds() + b := float64(burst) + now := time.Now() + return &tokenBucket{rate: rate, burst: b, tokens: b, last: now} +} + +func (b *tokenBucket) allow() bool { + b.mu.Lock() + defer b.mu.Unlock() + + now := time.Now() + delta := now.Sub(b.last).Seconds() + b.last = now + + b.tokens += delta * b.rate + if b.tokens > b.burst { + b.tokens = b.burst + } + + if b.tokens < 1 { + return false + } + b.tokens -= 1 + return true +} + +type ipClient struct { + bucket *tokenBucket + lastSeen time.Time +} + +// RateLimitByIP returns a Gin middleware that rate limits requests per client IP. +// +// max: max requests per time window (per) +// per: the time window duration +// burst: optional burst capacity (defaults to max if <=0) +// ttl: how long to keep idle IP buckets around +func RateLimitByIP(max int, per time.Duration, burst int, ttl time.Duration) gin.HandlerFunc { + var ( + mu sync.Mutex + clients = make(map[string]*ipClient) + ) + + // opportunistic cleanup (runs at most once per minute) + var ( + cleanupMu sync.Mutex + lastCleanup time.Time + ) + + cleanup := func(now time.Time) { + cleanupMu.Lock() + defer cleanupMu.Unlock() + if !lastCleanup.IsZero() && now.Sub(lastCleanup) < time.Minute { + return + } + lastCleanup = now + + mu.Lock() + defer mu.Unlock() + for ip, c := range clients { + if now.Sub(c.lastSeen) > ttl { + delete(clients, ip) + } + } + } + + getClient := func(ip string, now time.Time) *ipClient { + mu.Lock() + defer mu.Unlock() + c, ok := clients[ip] + if !ok { + c = &ipClient{bucket: newTokenBucket(max, per, burst), lastSeen: now} + clients[ip] = c + return c + } + c.lastSeen = now + return c + } + + return func(c *gin.Context) { + now := time.Now() + cleanup(now) + + ip := c.ClientIP() + client := getClient(ip, now) + + if !client.bucket.allow() { + c.AbortWithStatusJSON(http.StatusTooManyRequests, gin.H{ + "error": "rate limit exceeded", + }) + return + } + + c.Next() + } +} diff --git a/internal/auth/routes.go b/internal/auth/routes.go index a180f4d..6d1384b 100644 --- a/internal/auth/routes.go +++ b/internal/auth/routes.go @@ -2,6 +2,7 @@ package auth import ( "ResendIt/internal/api/middleware" + "time" "github.com/gin-gonic/gin" ) @@ -9,7 +10,9 @@ import ( func RegisterRoutes(r *gin.RouterGroup, h *Handler) { auth := r.Group("/auth") - auth.POST("/login", h.Login) + // Stricter rate limit on login to reduce brute-force / log spam. + // 5 attempts per minute per IP, burst 10. + auth.POST("/login", middleware.RateLimitByIP(5, time.Minute, 10, 15*time.Minute), h.Login) protected := auth.Group("/") protected.Use(middleware.AuthMiddleware())