feat: add per-IP rate limiting to login endpoint
All checks were successful
check / check (push) Successful in 1m15s
All checks were successful
check / check (push) Successful in 1m15s
Add a token-bucket rate limiter (golang.org/x/time/rate) that limits login attempts per client IP on POST /api/v1/login. Returns 429 Too Many Requests with a Retry-After header when the limit is exceeded. Configurable via LOGIN_RATE_LIMIT (requests/sec, default 1) and LOGIN_RATE_BURST (burst size, default 5). Stale per-IP entries are automatically cleaned up every 10 minutes. Only the login endpoint is rate-limited per sneak's instruction — session creation and registration use hashcash proof-of-work instead.
This commit is contained in:
user
106
internal/ratelimit/ratelimit_test.go
Normal file
106
internal/ratelimit/ratelimit_test.go
Normal file
@@ -0,0 +1,106 @@
|
||||
package ratelimit_test
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"git.eeqj.de/sneak/neoirc/internal/ratelimit"
|
||||
)
|
||||
|
||||
func TestNewCreatesLimiter(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
limiter := ratelimit.New(1.0, 5)
|
||||
defer limiter.Stop()
|
||||
|
||||
if limiter == nil {
|
||||
t.Fatal("expected non-nil limiter")
|
||||
}
|
||||
}
|
||||
|
||||
func TestAllowWithinBurst(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
limiter := ratelimit.New(1.0, 3)
|
||||
defer limiter.Stop()
|
||||
|
||||
for i := range 3 {
|
||||
if !limiter.Allow("192.168.1.1") {
|
||||
t.Fatalf(
|
||||
"request %d should be allowed within burst",
|
||||
i+1,
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestAllowExceedsBurst(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
// Rate of 0 means no token replenishment, only burst.
|
||||
limiter := ratelimit.New(0, 3)
|
||||
defer limiter.Stop()
|
||||
|
||||
for range 3 {
|
||||
limiter.Allow("10.0.0.1")
|
||||
}
|
||||
|
||||
if limiter.Allow("10.0.0.1") {
|
||||
t.Fatal("fourth request should be denied after burst exhausted")
|
||||
}
|
||||
}
|
||||
|
||||
func TestAllowSeparateKeys(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
// Rate of 0, burst of 1 — only one request per key.
|
||||
limiter := ratelimit.New(0, 1)
|
||||
defer limiter.Stop()
|
||||
|
||||
if !limiter.Allow("10.0.0.1") {
|
||||
t.Fatal("first request for key A should be allowed")
|
||||
}
|
||||
|
||||
if !limiter.Allow("10.0.0.2") {
|
||||
t.Fatal("first request for key B should be allowed")
|
||||
}
|
||||
|
||||
if limiter.Allow("10.0.0.1") {
|
||||
t.Fatal("second request for key A should be denied")
|
||||
}
|
||||
|
||||
if limiter.Allow("10.0.0.2") {
|
||||
t.Fatal("second request for key B should be denied")
|
||||
}
|
||||
}
|
||||
|
||||
func TestLenTracksKeys(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
limiter := ratelimit.New(1.0, 5)
|
||||
defer limiter.Stop()
|
||||
|
||||
if limiter.Len() != 0 {
|
||||
t.Fatalf("expected 0 entries, got %d", limiter.Len())
|
||||
}
|
||||
|
||||
limiter.Allow("10.0.0.1")
|
||||
limiter.Allow("10.0.0.2")
|
||||
|
||||
if limiter.Len() != 2 {
|
||||
t.Fatalf("expected 2 entries, got %d", limiter.Len())
|
||||
}
|
||||
|
||||
// Same key again should not increase count.
|
||||
limiter.Allow("10.0.0.1")
|
||||
|
||||
if limiter.Len() != 2 {
|
||||
t.Fatalf("expected 2 entries, got %d", limiter.Len())
|
||||
}
|
||||
}
|
||||
|
||||
func TestStopDoesNotPanic(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
limiter := ratelimit.New(1.0, 5)
|
||||
limiter.Stop()
|
||||
}
|
||||
Reference in New Issue
Block a user