package middleware
import (
"github.com/redis/go-redis/v9"
"go.uber.org/zap"
"codeberg.org/mapleopentech/monorepo/cloud/maplepress-backend/config"
"codeberg.org/mapleopentech/monorepo/cloud/maplepress-backend/pkg/ratelimit"
"codeberg.org/mapleopentech/monorepo/cloud/maplepress-backend/pkg/security/clientip"
)
// RateLimitMiddlewares groups the rate limiting middlewares built by
// ProvideRateLimitMiddlewares. Three tiers are wired here; the login
// limiter is deliberately not part of this set (see the note below), so
// callers must not expect it on this struct.
//
// NOTE(review): the per-field comments describe Generic as user-based and
// PluginAPI as site-based, yet the constructor hands every tier the same
// clientip.Extractor. Which key each tier actually uses is decided inside
// RateLimitMiddleware — confirm there before relying on these labels.
type RateLimitMiddlewares struct {
	Registration *RateLimitMiddleware // CWE-307: Account creation protection (IP-based)
	Generic      *RateLimitMiddleware // CWE-770: CRUD endpoint protection (User-based)
	PluginAPI    *RateLimitMiddleware // CWE-770: Plugin API protection (Site-based)
	// Note: Login rate limiter is specialized and handled directly in login handler
}
// ProvideRateLimitMiddlewares constructs the rate limiting middlewares for the
// dependency injection container and returns them as a RateLimitMiddlewares.
//
// Each tier gets its own ratelimit.RateLimiter backed by redisClient under a
// distinct "ratelimit:*" key prefix, so the tiers never share counters, and is
// then wrapped by NewRateLimitMiddleware together with ipExtractor (CWE-348:
// the client address comes from the trusted-proxy-aware extractor rather than
// raw request headers).
//
// CWE-307 / CWE-770: limits and windows are read from cfg.RateLimit; nothing is
// hard-coded here, so the effective defaults are owned by the config package
// (earlier comments quoted 5, 100 and 1000 requests per hour respectively —
// confirm against config before relying on those numbers). Only three tiers
// are built here; the login limiter lives in the login handler.
//
// NOTE(review): all three tiers receive the same ipExtractor. Whether Generic
// and PluginAPI key on user/site instead of IP is decided inside
// NewRateLimitMiddleware — confirm there.
func ProvideRateLimitMiddlewares(redisClient *redis.Client, cfg *config.Config, ipExtractor *clientip.Extractor, logger *zap.Logger) *RateLimitMiddlewares {
	// Per-tier limiter settings, strictest first.
	registrationCfg := ratelimit.Config{
		MaxRequests: cfg.RateLimit.RegistrationMaxRequests,
		Window:      cfg.RateLimit.RegistrationWindow,
		KeyPrefix:   "ratelimit:registration",
	}
	genericCfg := ratelimit.Config{
		MaxRequests: cfg.RateLimit.GenericMaxRequests,
		Window:      cfg.RateLimit.GenericWindow,
		KeyPrefix:   "ratelimit:generic",
	}
	pluginCfg := ratelimit.Config{
		MaxRequests: cfg.RateLimit.PluginAPIMaxRequests,
		Window:      cfg.RateLimit.PluginAPIWindow,
		KeyPrefix:   "ratelimit:plugin",
	}

	// Every limiter is created before any middleware so that construction
	// (and whatever the constructors may log) happens in a fixed order.
	registration := ratelimit.NewRateLimiter(redisClient, registrationCfg, logger)
	generic := ratelimit.NewRateLimiter(redisClient, genericCfg, logger)
	plugin := ratelimit.NewRateLimiter(redisClient, pluginCfg, logger)

	return &RateLimitMiddlewares{
		Registration: NewRateLimitMiddleware(registration, ipExtractor, logger),
		Generic:      NewRateLimitMiddleware(generic, ipExtractor, logger),
		PluginAPI:    NewRateLimitMiddleware(plugin, ipExtractor, logger),
	}
}