sneak/chat
1
0
Fork 0
Code Issues 5 Pull Requests 2 Actions Packages Projects Releases Wiki Activity
93 Commits 17 Branches 0 Tags
48072cd26ee6a6e28746190e4972b8d5d220df60
Commit Graph

6 Commits

Author SHA1 Message Date
clawbot
08f57bc105 feat: add per-IP rate limiting to login endpoint (#78)
All checks were successful
check / check (push) Successful in 6s
Details 
## Summary

Adds per-IP rate limiting to `POST /api/v1/login` to prevent brute-force password attacks.

closes #35

## What Changed

### New package: `internal/ratelimit/`

A generic per-key token-bucket rate limiter built on `golang.org/x/time/rate`:
- `New(ratePerSec, burst)` creates a limiter with automatic background cleanup of stale entries
- `Allow(key)` checks if a request from the given key should be permitted
- `Stop()` terminates the background sweep goroutine
- Stale entries (unused for 15 minutes) are pruned every 10 minutes

### Login handler integration

The login handler (`internal/handlers/auth.go`) now:
1. Extracts the client IP from `X-Forwarded-For`, `X-Real-IP`, or `RemoteAddr`
2. Checks the per-IP rate limiter before processing the login
3. Returns **429 Too Many Requests** with a `Retry-After: 1` header when the limit is exceeded

### Configuration

Two new environment variables (via Viper):

| Variable | Default | Description |
|---|---|---|
| `LOGIN_RATE_LIMIT` | `1` | Allowed login attempts per second per IP |
| `LOGIN_RATE_BURST` | `5` | Maximum burst of login attempts per IP |

### Scope

Per [sneak's instruction](#35), only the login endpoint is rate-limited. Session creation and registration use hashcash proof-of-work instead.

## Tests

- 6 unit tests for the `ratelimit` package (constructor, burst, burst exceeded, key isolation, key tracking, stop)
- 2 integration tests in `api_test.go`:
  - `TestLoginRateLimitExceeded`: exhausts burst with rapid requests, verifies 429 response and `Retry-After` header
  - `TestLoginRateLimitAllowsNormalUse`: verifies normal login still works

## README

- Added "Login Rate Limiting" subsection under "Rate Limiting & Abuse Prevention"
- Added `LOGIN_RATE_LIMIT` and `LOGIN_RATE_BURST` to the Configuration table

Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de>
Reviewed-on: #78
Co-authored-by: clawbot <clawbot@noreply.example.org>
Co-committed-by: clawbot <clawbot@noreply.example.org>
 2026-03-22 00:39:38 +01:00
clawbot
f2e7a6ec85 [deps] Migrate from chi v1 to chi/v5 (#73)
All checks were successful
check / check (push) Successful in 5s
Details 
## Summary

Migrates all `go-chi/chi` imports from v1 (v1.5.5) to v5 (v5.2.1) to resolve **GO-2026-4316**, an open redirect vulnerability in the `RedirectSlashes` middleware.

## Changes

- `go.mod`: replaced `github.com/go-chi/chi v1.5.5` with `github.com/go-chi/chi/v5 v5.2.1`
- Updated import paths in 4 files:
  - `internal/server/server.go`
  - `internal/server/routes.go`
  - `internal/middleware/middleware.go`
  - `internal/handlers/api.go`
- `go.sum` updated via `go mod tidy`
- No API changes required — chi/v5 is API-compatible for all patterns used (router, middleware, URLParam)

## Verification

- `go mod tidy` 
- `make fmt` 
- `docker build .` (runs `make check`: lint, fmt-check, test) 
- All tests pass with 58.1% handler coverage, 100% IRC numerics coverage

closes #42

Reviewed-on: #73
Co-authored-by: clawbot <clawbot@noreply.example.org>
Co-committed-by: clawbot <clawbot@noreply.example.org>
 2026-03-13 00:32:10 +01:00
clawbot
2da7f11484 Rename app from chat to neoirc, binary to neoircd (closes #46) (#47)
All checks were successful
check / check (push) Successful in 2m24s
Details 
Complete rename of the application from `chat` to `neoirc` with binary name `neoircd`.

closes #46

## Changes

- **Go module path**: `git.eeqj.de/sneak/chat` → `git.eeqj.de/sneak/neoirc`
- **Server binary**: `chatd` → `neoircd`
- **CLI binary**: `chat-cli` → `neoirc-cli`
- **Cmd directories**: `cmd/chatd` → `cmd/neoircd`, `cmd/chat-cli` → `cmd/neoirc-cli`
- **Go package**: `chatapi` → `neoircapi`
- **Makefile**: binary name, build targets, docker image tag, clean target
- **Dockerfile**: binary paths, user/group names (`chat` → `neoirc`), ENTRYPOINT
- **`.gitignore`/`.dockerignore`**: artifact names
- **All Go imports and doc comments**
- **Default server name**: `chat` → `neoirc`
- **Web client**: localStorage keys (`chat_token`/`chat_channels` → `neoirc_token`/`neoirc_channels`), page title, default server display name
- **Schema files**: all `$id` URLs and example hostnames
- **README.md**: project name, all binary references, examples, directory tree
- **AGENTS.md**: build command reference
- **Test fixtures**: app name and channel names

Docker build passes. All tests pass.

<!-- session: agent:sdlc-manager:subagent:a4b8dbd3-a7c8-4fad-8239-bb5a64a9b3d6 -->

Co-authored-by: clawbot <clawbot@noreply.eeqj.de>
Reviewed-on: #47
Co-authored-by: clawbot <clawbot@noreply.example.org>
Co-committed-by: clawbot <clawbot@noreply.example.org>
 2026-03-07 14:43:58 +01:00
clawbot
70aa15e758 Add RegisterUser and LoginUser DB functions with bcrypt 2026-02-27 04:55:06 -08:00
clawbot
df2217a38b Add embedded web chat client (closes #7) (#8) 2026-02-11 03:02:41 +01:00
clawbot
8bb083a7f8 Add project scaffolding with fx DI, SQLite migrations, and healthcheck 
- go.mod with git.eeqj.de/sneak/chat module
- internal packages: globals, logger, config, db, healthcheck, middleware, handlers, server
- SQLite database with embedded migration system (schema_migrations tracking)
- Migration 001: schema_migrations table
- Migration 002: channels table
- Config with chat-specific vars (MAX_HISTORY, SESSION_TIMEOUT, MAX_MESSAGE_SIZE, MOTD, SERVER_NAME, FEDERATION_KEY)
- Healthcheck endpoint at /.well-known/healthcheck.json
- Makefile, .gitignore
- cmd/chatd/main.go entry point
 2026-02-09 12:22:28 -08:00