fix: add eviction for stale IP rate limiter entries and Retry-After header

- Store lastSeen timestamp per IP limiter entry - Lazy sweep removes entries older than 10 minutes on each request - Add Retry-After header to 429 responses - Add test for stale entry eviction Fixes memory leak under sustained attack from many IPs.
2026-02-15 14:18:07 -08:00
parent 66661d1b1d
commit a1b06219e7
2 changed files with 82 additions and 10 deletions
--- a/internal/middleware/ratelimit_test.go
+++ b/internal/middleware/ratelimit_test.go
@@ -5,6 +5,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"testing"
+	"time"

 	"github.com/stretchr/testify/assert"

@@ -104,4 +105,31 @@ func TestLoginRateLimitReturns429Body(t *testing.T) {
 	handler.ServeHTTP(rec, req)
 	assert.Equal(t, http.StatusTooManyRequests, rec.Code)
 	assert.Contains(t, rec.Body.String(), "Too Many Requests")
+	assert.NotEmpty(t, rec.Header().Get("Retry-After"), "should include Retry-After header")
+}
+
+func TestIPLimiterEvictsStaleEntries(t *testing.T) {
+	il := newIPLimiter()
+
+	// Add an entry and backdate its lastSeen
+	il.mu.Lock()
+	il.limiters["1.2.3.4"] = &ipLimiterEntry{
+		limiter:  nil,
+		lastSeen: time.Now().Add(-15 * time.Minute),
+	}
+	il.limiters["5.6.7.8"] = &ipLimiterEntry{
+		limiter:  nil,
+		lastSeen: time.Now(),
+	}
+	il.mu.Unlock()
+
+	// Trigger sweep
+	il.mu.Lock()
+	il.sweep(time.Now())
+	il.mu.Unlock()
+
+	il.mu.Lock()
+	defer il.mu.Unlock()
+	assert.NotContains(t, il.limiters, "1.2.3.4", "stale entry should be evicted")
+	assert.Contains(t, il.limiters, "5.6.7.8", "fresh entry should remain")
 }