Add per-IP rate limiting (login + general API)

2026-03-24 11:40:36 +01:00
parent e2d8bd344d
commit d9de02f08d
3 changed files with 127 additions and 1 deletions
--- a/internal/api/middleware/ratelimit.go
+++ b/internal/api/middleware/ratelimit.go
@@ -0,0 +1,118 @@
+package middleware
+
+import (
+	"net/http"
+	"sync"
+	"time"
+
+	"github.com/gin-gonic/gin"
+)
+
+type tokenBucket struct {
+	mu     sync.Mutex
+	rate   float64 // tokens per second
+	burst  float64 // max tokens
+	tokens float64
+	last   time.Time
+}
+
+func newTokenBucket(max int, per time.Duration, burst int) *tokenBucket {
+	if burst <= 0 {
+		burst = max
+	}
+	rate := float64(max) / per.Seconds()
+	b := float64(burst)
+	now := time.Now()
+	return &tokenBucket{rate: rate, burst: b, tokens: b, last: now}
+}
+
+func (b *tokenBucket) allow() bool {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	now := time.Now()
+	delta := now.Sub(b.last).Seconds()
+	b.last = now
+
+	b.tokens += delta * b.rate
+	if b.tokens > b.burst {
+		b.tokens = b.burst
+	}
+
+	if b.tokens < 1 {
+		return false
+	}
+	b.tokens -= 1
+	return true
+}
+
+type ipClient struct {
+	bucket   *tokenBucket
+	lastSeen time.Time
+}
+
+// RateLimitByIP returns a Gin middleware that rate limits requests per client IP.
+//
+// max: max requests per time window (per)
+// per: the time window duration
+// burst: optional burst capacity (defaults to max if <=0)
+// ttl: how long to keep idle IP buckets around
+func RateLimitByIP(max int, per time.Duration, burst int, ttl time.Duration) gin.HandlerFunc {
+	var (
+		mu      sync.Mutex
+		clients = make(map[string]*ipClient)
+	)
+
+	// opportunistic cleanup (runs at most once per minute)
+	var (
+		cleanupMu   sync.Mutex
+		lastCleanup time.Time
+	)
+
+	cleanup := func(now time.Time) {
+		cleanupMu.Lock()
+		defer cleanupMu.Unlock()
+		if !lastCleanup.IsZero() && now.Sub(lastCleanup) < time.Minute {
+			return
+		}
+		lastCleanup = now
+
+		mu.Lock()
+		defer mu.Unlock()
+		for ip, c := range clients {
+			if now.Sub(c.lastSeen) > ttl {
+				delete(clients, ip)
+			}
+		}
+	}
+
+	getClient := func(ip string, now time.Time) *ipClient {
+		mu.Lock()
+		defer mu.Unlock()
+		c, ok := clients[ip]
+		if !ok {
+			c = &ipClient{bucket: newTokenBucket(max, per, burst), lastSeen: now}
+			clients[ip] = c
+			return c
+		}
+		c.lastSeen = now
+		return c
+	}
+
+	return func(c *gin.Context) {
+		now := time.Now()
+		cleanup(now)
+
+		ip := c.ClientIP()
+		client := getClient(ip, now)
+
+		if !client.bucket.allow() {
+			c.AbortWithStatusJSON(http.StatusTooManyRequests, gin.H{
+				"error": "rate limit exceeded",
+			})
+			return
+		}
+
+		c.Next()
+	}
+}
--- a/internal/auth/routes.go
+++ b/internal/auth/routes.go
@@ -2,6 +2,7 @@ package auth

 import (
 	"ResendIt/internal/api/middleware"
+	"time"

 	"github.com/gin-gonic/gin"
 )
@@ -9,7 +10,9 @@ import (
 func RegisterRoutes(r *gin.RouterGroup, h *Handler) {
 	auth := r.Group("/auth")

-	auth.POST("/login", h.Login)
+	// Stricter rate limit on login to reduce brute-force / log spam.
+	// 5 attempts per minute per IP, burst 10.
+	auth.POST("/login", middleware.RateLimitByIP(5, time.Minute, 10, 15*time.Minute), h.Login)

 	protected := auth.Group("/")
 	protected.Use(middleware.AuthMiddleware())