server: add rate limits

Author: bloom

pkg/ratelimit/ratelimit.go

@@ -0,0 +1,135 @@
+// Package ratelimit provides a simple fixed-window rate limiter.
+package ratelimit
+
+import (
+	"encoding/binary"
+	"sync"
+	"time"
+
+	"github.com/skerkour/stdx-go/crypto/blake3"
+)
+
+// Limiter tracks request counts within time buckets.
+type Limiter struct {
+	mutex   sync.Mutex
+	buckets map[[32]byte]*bucket
+	stop    chan struct{}
+}
+
+type bucket struct {
+	count   uint64
+	expires time.Time
+}
+
+// New creates a new rate limiter with automatic cleanup of expired buckets.
+func New() *Limiter {
+	l := &Limiter{
+		mutex:   sync.Mutex{},
+		buckets: make(map[[32]byte]*bucket),
+		stop:    make(chan struct{}),
+	}
+	go l.cleanupLoop()
+	return l
+}
+
+// RateLimit checks if an action by an actor is allowed within the rate limit.
+// It returns true if the action is allowed, false if rate limited.
+//
+// Parameters:
+//   - action: identifies the type of action being rate limited (e.g., "login", "api-call")
+//   - actor: identifies who is performing the action (e.g., user ID, IP address)
+//   - timeBucket: the duration of each rate limit window
+//   - allowed: maximum number of actions allowed per time bucket
+func (l *Limiter) RateLimit(action string, actor []byte, timeBucket time.Duration, allowed uint64) bool {
+	now := time.Now()
+	bucketStart := now.Truncate(timeBucket)
+	key := makeKey(action, actor, bucketStart)
+
+	l.mutex.Lock()
+	defer l.mutex.Unlock()
+
+	b, exists := l.buckets[key]
+	if !exists {
+		l.buckets[key] = &bucket{
+			count:   1,
+			expires: bucketStart.Add(timeBucket * 2), // Keep for one extra period for safety
+		}
+		return true
+	}
+
+	if b.count >= allowed {
+		return false
+	}
+
+	b.count++
+	return true
+}
+
+// Count returns the current count for an action/actor in the current time bucket.
+// Useful for showing users how many requests they have remaining.
+func (l *Limiter) Count(action string, actor []byte, timeBucket time.Duration) uint64 {
+	now := time.Now()
+	bucketStart := now.Truncate(timeBucket)
+	key := makeKey(action, actor, bucketStart)
+
+	l.mutex.Lock()
+	defer l.mutex.Unlock()
+
+	if b, exists := l.buckets[key]; exists {
+		return b.count
+	}
+	return 0
+}
+
+// Remaining returns how many requests are remaining for an action/actor.
+func (l *Limiter) Remaining(action string, actor []byte, timeBucket time.Duration, allowed uint64) uint64 {
+	count := l.Count(action, actor, timeBucket)
+	if count >= allowed {
+		return 0
+	}
+	return allowed - count
+}
+
+// Stop stops the background cleanup goroutine.
+// Call this when the limiter is no longer needed.
+func (l *Limiter) Stop() {
+	close(l.stop)
+}
+
+func (l *Limiter) cleanupLoop() {
+	ticker := time.NewTicker(time.Minute)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ticker.C:
+			l.cleanup()
+		case <-l.stop:
+			return
+		}
+	}
+}
+
+func (l *Limiter) cleanup() {
+	now := time.Now()
+
+	l.mutex.Lock()
+	defer l.mutex.Unlock()
+
+	for key, b := range l.buckets {
+		if now.After(b.expires) {
+			delete(l.buckets, key)
+		}
+	}
+}
+
+func makeKey(action string, actor []byte, bucketStart time.Time) [32]byte {
+	var hash [32]byte
+	hasher := blake3.New(32, nil)
+	hasher.Write([]byte(action))
+	hasher.Write(actor)
+	binary.Write(hasher, binary.LittleEndian, bucketStart.UnixNano())
+
+	hasher.Sum(hash[:0])
+	return hash
+}

pkg/ratelimit/ratelimit_test.go

@@ -0,0 +1,202 @@
+package ratelimit
+
+import (
+	"sync"
+	"testing"
+	"time"
+)
+
+func TestRateLimit_Basic(t *testing.T) {
+	l := New()
+	defer l.Stop()
+
+	actor := []byte("user123")
+	action := "test-action"
+	bucket := time.Minute
+	allowed := uint64(3)
+
+	// First 3 should be allowed
+	for i := 0; i < 3; i++ {
+		if !l.RateLimit(action, actor, bucket, allowed) {
+			t.Errorf("Request %d should have been allowed", i+1)
+		}
+	}
+
+	// 4th should be rate limited
+	if l.RateLimit(action, actor, bucket, allowed) {
+		t.Error("Request 4 should have been rate limited")
+	}
+
+	// 5th should also be rate limited
+	if l.RateLimit(action, actor, bucket, allowed) {
+		t.Error("Request 5 should have been rate limited")
+	}
+}
+
+func TestRateLimit_DifferentActors(t *testing.T) {
+	l := New()
+	defer l.Stop()
+
+	actor1 := []byte("user1")
+	actor2 := []byte("user2")
+	action := "test-action"
+	bucket := time.Minute
+	allowed := uint64(2)
+
+	// Actor 1 uses both requests
+	l.RateLimit(action, actor1, bucket, allowed)
+	l.RateLimit(action, actor1, bucket, allowed)
+
+	// Actor 1 should be limited
+	if l.RateLimit(action, actor1, bucket, allowed) {
+		t.Error("Actor1 should be rate limited")
+	}
+
+	// Actor 2 should still be allowed
+	if !l.RateLimit(action, actor2, bucket, allowed) {
+		t.Error("Actor2 should be allowed")
+	}
+}
+
+func TestRateLimit_DifferentActions(t *testing.T) {
+	l := New()
+	defer l.Stop()
+
+	actor := []byte("user123")
+	action1 := "action1"
+	action2 := "action2"
+	bucket := time.Minute
+	allowed := uint64(1)
+
+	// Use up action1 limit
+	l.RateLimit(action1, actor, bucket, allowed)
+
+	// Action1 should be limited
+	if l.RateLimit(action1, actor, bucket, allowed) {
+		t.Error("Action1 should be rate limited")
+	}
+
+	// Action2 should still be allowed
+	if !l.RateLimit(action2, actor, bucket, allowed) {
+		t.Error("Action2 should be allowed")
+	}
+}
+
+func TestRateLimit_BucketReset(t *testing.T) {
+	l := New()
+	defer l.Stop()
+
+	actor := []byte("user123")
+	action := "test-action"
+	bucket := 100 * time.Millisecond
+	allowed := uint64(2)
+
+	// Use up the limit
+	l.RateLimit(action, actor, bucket, allowed)
+	l.RateLimit(action, actor, bucket, allowed)
+
+	if l.RateLimit(action, actor, bucket, allowed) {
+		t.Error("Should be rate limited")
+	}
+
+	// Wait for next bucket
+	time.Sleep(150 * time.Millisecond)
+
+	// Should be allowed again
+	if !l.RateLimit(action, actor, bucket, allowed) {
+		t.Error("Should be allowed after bucket reset")
+	}
+}
+
+func TestCount(t *testing.T) {
+	l := New()
+	defer l.Stop()
+
+	actor := []byte("user123")
+	action := "test-action"
+	bucket := time.Minute
+
+	if c := l.Count(action, actor, bucket); c != 0 {
+		t.Errorf("Expected count 0, got %d", c)
+	}
+
+	l.RateLimit(action, actor, bucket, 10)
+	l.RateLimit(action, actor, bucket, 10)
+
+	if c := l.Count(action, actor, bucket); c != 2 {
+		t.Errorf("Expected count 2, got %d", c)
+	}
+}
+
+func TestRemaining(t *testing.T) {
+	l := New()
+	defer l.Stop()
+
+	actor := []byte("user123")
+	action := "test-action"
+	bucket := time.Minute
+	allowed := uint64(5)
+
+	if r := l.Remaining(action, actor, bucket, allowed); r != 5 {
+		t.Errorf("Expected 5 remaining, got %d", r)
+	}
+
+	l.RateLimit(action, actor, bucket, allowed)
+	l.RateLimit(action, actor, bucket, allowed)
+
+	if r := l.Remaining(action, actor, bucket, allowed); r != 3 {
+		t.Errorf("Expected 3 remaining, got %d", r)
+	}
+}
+
+func TestRateLimit_Concurrent(t *testing.T) {
+	l := New()
+	defer l.Stop()
+
+	actor := []byte("user123")
+	action := "test-action"
+	bucket := time.Minute
+	allowed := uint64(100)
+
+	var wg sync.WaitGroup
+	allowedCount := 0
+	var mu sync.Mutex
+
+	// Run 200 concurrent requests
+	for i := 0; i < 200; i++ {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			if l.RateLimit(action, actor, bucket, allowed) {
+				mu.Lock()
+				allowedCount++
+				mu.Unlock()
+			}
+		}()
+	}
+
+	wg.Wait()
+
+	// Exactly 100 should have been allowed
+	if allowedCount != 100 {
+		t.Errorf("Expected 100 allowed, got %d", allowedCount)
+	}
+}
+
+func TestRateLimit_BinaryActor(t *testing.T) {
+	l := New()
+	defer l.Stop()
+
+	// Test with binary data containing special characters
+	actor := []byte{0x00, 0x01, 0xFF, ':', '\n'}
+	action := "test-action"
+	bucket := time.Minute
+	allowed := uint64(1)
+
+	if !l.RateLimit(action, actor, bucket, allowed) {
+		t.Error("First request should be allowed")
+	}
+	if l.RateLimit(action, actor, bucket, allowed) {
+		t.Error("Second request should be rate limited")
+	}
+}

pkg/services/site/service/service.go

@@ -16,6 +16,7 @@ import (
 	"github.com/skerkour/stdx-go/queue"
 	"markdown.ninja/cmd/mdninja-server/config"
 	"markdown.ninja/pkg/mailer"
+	"markdown.ninja/pkg/ratelimit"
 	"markdown.ninja/pkg/services/contacts"
 	"markdown.ninja/pkg/services/content"
 	"markdown.ninja/pkg/services/emails"
@@ -61,6 +62,8 @@ type SiteService struct {
 	cacheZstdCompressor   *zstd.Encoder
 	cacheZstdDecompressor *zstd.Decoder
 
+	rateLimiter *ratelimit.Limiter
+
 	themes map[string]parsedTheme
 }
 
@@ -177,6 +180,8 @@ func NewSiteService(conf config.Config, db db.DB, queue queue.Queue, mailer mail
 		feedsCache:     feedsCache,
 		sitemapsCache:  sitemapsCache,
 
+		rateLimiter: ratelimit.New(),
+
 		themes: themes,
 	}
 	return

pkg/services/site/service/subscribe.go

@@ -3,6 +3,7 @@ package service
 import (
 	"context"
 	"strings"
+	"time"
 
 	"github.com/skerkour/stdx-go/countries"
 	"github.com/skerkour/stdx-go/crypto"
@@ -29,6 +30,11 @@ func (service *SiteService) Subscribe(ctx context.Context, input site.SubscribeI
 	unverifiedContactAlreadyExists := false
 	logger := slogx.FromCtx(ctx)
 
+	if !service.rateLimiter.RateLimit("SiteService.Subscribe", httpCtx.Client.IP.AsSlice(), time.Hour, 10) {
+		err = errs.InvalidArgument("Too many requests. Please try again later.")
+		return
+	}
+
 	err = service.kernel.ValidateEmail(ctx, email, true)
 	if err != nil {
 		return

pkg/services/store/service/place_order.go

@@ -32,6 +32,11 @@ func (service *StoreService) PlaceOrder(ctx context.Context, input store.PlaceOr
 		return
 	}
 
+	if !service.rateLimiter.RateLimit("StoreService.PlaceOrder", httpCtx.Client.IP.AsSlice(), time.Hour, 10) {
+		err = errs.InvalidArgument("Too many requests. Please try again later.")
+		return
+	}
+
 	customer := service.contactsService.CurrentContact(ctx)
 	if customer == nil && input.Email == nil {
 		err = errs.InvalidArgument("email is required")