Initial commit: Open sourcing all of the Maple Open Technologies code.

2025-12-02 14:33:08 -05:00 · 2025-12-02 14:33:08 -05:00 · 755d54a99d
commit 755d54a99d
2010 changed files with 448675 additions and 0 deletions
--- a/cloud/maplepress-backend/internal/http/middleware/ratelimit_provider.go
+++ b/cloud/maplepress-backend/internal/http/middleware/ratelimit_provider.go
@ -0,0 +1,53 @@
+package middleware
+
+import (
+	"github.com/redis/go-redis/v9"
+	"go.uber.org/zap"
+
+	"codeberg.org/mapleopentech/monorepo/cloud/maplepress-backend/config"
+	"codeberg.org/mapleopentech/monorepo/cloud/maplepress-backend/pkg/ratelimit"
+	"codeberg.org/mapleopentech/monorepo/cloud/maplepress-backend/pkg/security/clientip"
+)
+
+// RateLimitMiddlewares holds all four rate limiting middlewares
+type RateLimitMiddlewares struct {
+	Registration *RateLimitMiddleware // CWE-307: Account creation protection (IP-based)
+	Generic      *RateLimitMiddleware // CWE-770: CRUD endpoint protection (User-based)
+	PluginAPI    *RateLimitMiddleware // CWE-770: Plugin API protection (Site-based)
+	// Note: Login rate limiter is specialized and handled directly in login handler
+}
+
+// ProvideRateLimitMiddlewares provides all rate limiting middlewares for dependency injection
+// CWE-348: Injects clientip.Extractor for secure IP extraction with trusted proxy validation
+// CWE-770: Provides four-tier rate limiting architecture
+func ProvideRateLimitMiddlewares(redisClient *redis.Client, cfg *config.Config, ipExtractor *clientip.Extractor, logger *zap.Logger) *RateLimitMiddlewares {
+	// 1. Registration rate limiter (CWE-307: strict, IP-based)
+	// Default: 5 requests per hour per IP
+	registrationRateLimiter := ratelimit.NewRateLimiter(redisClient, ratelimit.Config{
+		MaxRequests: cfg.RateLimit.RegistrationMaxRequests,
+		Window:      cfg.RateLimit.RegistrationWindow,
+		KeyPrefix:   "ratelimit:registration",
+	}, logger)
+
+	// 3. Generic CRUD endpoints rate limiter (CWE-770: lenient, user-based)
+	// Default: 100 requests per hour per user
+	genericRateLimiter := ratelimit.NewRateLimiter(redisClient, ratelimit.Config{
+		MaxRequests: cfg.RateLimit.GenericMaxRequests,
+		Window:      cfg.RateLimit.GenericWindow,
+		KeyPrefix:   "ratelimit:generic",
+	}, logger)
+
+	// 4. Plugin API rate limiter (CWE-770: very lenient, site-based)
+	// Default: 1000 requests per hour per site
+	pluginAPIRateLimiter := ratelimit.NewRateLimiter(redisClient, ratelimit.Config{
+		MaxRequests: cfg.RateLimit.PluginAPIMaxRequests,
+		Window:      cfg.RateLimit.PluginAPIWindow,
+		KeyPrefix:   "ratelimit:plugin",
+	}, logger)
+
+	return &RateLimitMiddlewares{
+		Registration: NewRateLimitMiddleware(registrationRateLimiter, ipExtractor, logger),
+		Generic:      NewRateLimitMiddleware(genericRateLimiter, ipExtractor, logger),
+		PluginAPI:    NewRateLimitMiddleware(pluginAPIRateLimiter, ipExtractor, logger),
+	}
+}