umputun
diff --git a/‎.github/workflows/ci-build.yml‎
Lines changed: 7 additions & 0 deletions b/‎.github/workflows/ci-build.yml‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎backend/app/notify/email.go‎
Lines changed: 3 additions & 3 deletions b/‎backend/app/notify/email.go‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎backend/app/rest/api/rest.go‎
Lines changed: 26 additions & 13 deletions b/‎backend/app/rest/api/rest.go‎
Lines changed: 26 additions & 13 deletions
diff --git a/‎backend/app/rest/proxy/image.go‎
Lines changed: 2 additions & 2 deletions b/‎backend/app/rest/proxy/image.go‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎backend/go.mod‎
Lines changed: 15 additions & 15 deletions b/‎backend/go.mod‎
Lines changed: 15 additions & 15 deletions
@@ -41,6 +41,13 @@ jobs:
       - name: available platforms
         run: echo ${{ steps.buildx.outputs.platforms }}
 
+      - name: free disk space
+        run: |
+          sudo rm -rf /usr/share/dotnet
+          sudo rm -rf /opt/ghc
+          sudo rm -rf /usr/local/share/boost
+          docker system prune -af
+
       - name: build docker image without pushing (only outside master)
         if: ${{ github.ref != 'refs/heads/master' }}
         run: |
 
@@ -10,7 +10,7 @@ import (
 
 	log "github.com/go-pkgz/lgr"
 	ntf "github.com/go-pkgz/notify"
-	"github.com/go-pkgz/repeater"
+	"github.com/go-pkgz/repeater/v2"
 	"github.com/hashicorp/go-multierror"
 
 	"github.com/umputun/remark42/backend/app/templates"
@@ -161,7 +161,7 @@ func (e *Email) buildAndSendMessage(ctx context.Context, req Request, email stri
 		return err
 	}
 
-	return repeater.NewDefault(5, time.Millisecond*250).Do(
+	return repeater.NewFixed(5, time.Millisecond*250).Do(
 		ctx,
 		func() error {
 			return e.Email.Send(
@@ -196,7 +196,7 @@ func (e *Email) SendVerification(ctx context.Context, req VerificationRequest) e
 		return err
 	}
 
-	return repeater.NewDefault(5, time.Millisecond*250).Do(
+	return repeater.NewFixed(5, time.Millisecond*250).Do(
 		ctx,
 		func() error {
 			return e.Email.Send(
 
@@ -15,8 +15,8 @@ import (
 	"sync"
 	"time"
 
-	"github.com/didip/tollbooth/v7"
-	"github.com/didip/tollbooth_chi"
+	"github.com/didip/tollbooth/v8"
+	"github.com/didip/tollbooth/v8/limiter"
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
 	"github.com/go-chi/cors"
@@ -234,14 +234,14 @@ func (s *Rest) routes() chi.Router {
 
 	router.Group(func(r chi.Router) {
 		r.Use(middleware.Timeout(5 * time.Second))
-		r.Use(logInfoWithBody, tollbooth_chi.LimitHandler(tollbooth.NewLimiter(2, nil)), middleware.NoCache)
+		r.Use(logInfoWithBody, rateLimiter(2), middleware.NoCache)
 		r.Use(validEmailAuth()) // reject suspicious email logins
 		r.Mount("/auth", authHandler)
 	})
 
 	router.Group(func(r chi.Router) {
 		r.Use(middleware.Timeout(5 * time.Second))
-		r.Use(tollbooth_chi.LimitHandler(tollbooth.NewLimiter(100, nil)))
+		r.Use(rateLimiter(100))
 		r.Mount("/avatar", avatarHandler)
 	})
 
@@ -251,14 +251,14 @@ func (s *Rest) routes() chi.Router {
 	router.Route("/api/v1", func(rapi chi.Router) {
 		rapi.Group(func(rava chi.Router) {
 			rava.Use(middleware.Timeout(5 * time.Second))
-			rava.Use(tollbooth_chi.LimitHandler(tollbooth.NewLimiter(100, nil)))
+			rava.Use(rateLimiter(100))
 			rava.Mount("/avatar", avatarHandler)
 		})
 
 		// open routes
 		rapi.Group(func(ropen chi.Router) {
 			ropen.Use(middleware.Timeout(30 * time.Second))
-			ropen.Use(tollbooth_chi.LimitHandler(tollbooth.NewLimiter(s.openRouteLimiter, nil)))
+			ropen.Use(rateLimiter(s.openRouteLimiter))
 			ropen.Use(authMiddleware.Trace, middleware.NoCache, logInfoWithBody)
 			ropen.Get("/config", s.configCtrl)
 			ropen.Get("/find", s.pubRest.findCommentsCtrl)
@@ -281,7 +281,7 @@ func (s *Rest) routes() chi.Router {
 		// open routes, cached
 		rapi.Group(func(ropen chi.Router) {
 			ropen.Use(middleware.Timeout(30 * time.Second))
-			ropen.Use(tollbooth_chi.LimitHandler(tollbooth.NewLimiter(10, nil)))
+			ropen.Use(rateLimiter(10))
 			ropen.Use(authMiddleware.Trace, logInfoWithBody)
 			ropen.Get("/picture/{user}/{id}", s.pubRest.loadPictureCtrl)
 			ropen.Get("/qr/telegram", s.pubRest.telegramQrCtrl)
@@ -290,7 +290,7 @@ func (s *Rest) routes() chi.Router {
 		// protected routes, require auth
 		rapi.Group(func(rauth chi.Router) {
 			rauth.Use(middleware.Timeout(30 * time.Second))
-			rauth.Use(tollbooth_chi.LimitHandler(tollbooth.NewLimiter(10, nil)))
+			rauth.Use(rateLimiter(10))
 			rauth.Use(authMiddleware.Auth, matchSiteID, middleware.NoCache, logInfoWithBody)
 			rauth.Get("/user", s.privRest.userInfoCtrl)
 			rauth.Get("/userdata", s.privRest.userAllDataCtrl)
@@ -299,7 +299,7 @@ func (s *Rest) routes() chi.Router {
 		// admin routes, require auth and admin users only
 		rapi.Route("/admin", func(radmin chi.Router) {
 			radmin.Use(middleware.Timeout(30 * time.Second))
-			radmin.Use(tollbooth_chi.LimitHandler(tollbooth.NewLimiter(10, nil)))
+			radmin.Use(rateLimiter(10))
 			radmin.Use(authMiddleware.Auth, authMiddleware.AdminOnly, matchSiteID)
 			radmin.Use(middleware.NoCache, logInfoWithBody)
 
@@ -325,7 +325,7 @@ func (s *Rest) routes() chi.Router {
 		// protected routes, throttled to 10/s by default, controlled by external UpdateLimiter param
 		rapi.Group(func(rauth chi.Router) {
 			rauth.Use(middleware.Timeout(10 * time.Second))
-			rauth.Use(tollbooth_chi.LimitHandler(tollbooth.NewLimiter(s.updateLimiter(), nil)))
+			rauth.Use(rateLimiter(s.updateLimiter()))
 			rauth.Use(authMiddleware.Auth, matchSiteID, subscribersOnly(s.SubscribersOnly))
 			rauth.Use(middleware.NoCache, logInfoWithBody)
 
@@ -345,7 +345,7 @@ func (s *Rest) routes() chi.Router {
 		// protected routes, anonymous rejected
 		rapi.Group(func(rauth chi.Router) {
 			rauth.Use(middleware.Timeout(10 * time.Second))
-			rauth.Use(tollbooth_chi.LimitHandler(tollbooth.NewLimiter(s.updateLimiter(), nil)))
+			rauth.Use(rateLimiter(s.updateLimiter()))
 			rauth.Use(authMiddleware.Auth, rejectAnonUser, matchSiteID)
 			rauth.Use(logger.New(logger.Log(log.Default()), logger.Prefix("[DEBUG]"), logger.IPfn(ipFn)).Handler)
 			rauth.Post("/picture", s.privRest.savePictureCtrl)
@@ -355,7 +355,7 @@ func (s *Rest) routes() chi.Router {
 	// open routes on root level
 	router.Group(func(rroot chi.Router) {
 		rroot.Use(middleware.Timeout(10 * time.Second))
-		rroot.Use(tollbooth_chi.LimitHandler(tollbooth.NewLimiter(50, nil)))
+		rroot.Use(rateLimiter(50))
 		rroot.Get("/robots.txt", s.pubRest.robotsCtrl)
 		rroot.Get("/email/unsubscribe.html", s.privRest.emailUnsubscribeCtrl)
 		rroot.Post("/email/unsubscribe.html", s.privRest.emailUnsubscribeCtrl)
@@ -491,7 +491,7 @@ func addFileServer(r chi.Router, embedFS embed.FS, webRoot, version string) {
 	webFS = http.StripPrefix("/web", webFS)
 	r.Get("/web", http.RedirectHandler("/web/", http.StatusMovedPermanently).ServeHTTP)
 
-	r.With(tollbooth_chi.LimitHandler(tollbooth.NewLimiter(20, nil)),
+	r.With(rateLimiter(20),
 		middleware.Timeout(10*time.Second),
 		cacheControl(time.Hour, version),
 	).Get("/web/*", func(w http.ResponseWriter, r *http.Request) {
@@ -728,3 +728,16 @@ func parseError(err error, defaultCode int) (code int) {
 
 	return code
 }
+
+// rateLimiter creates a rate limiting middleware with proper IP lookup configuration.
+// tollbooth v8 requires explicit IP lookup method to be set.
+// uses RemoteAddr which is set by chi's middleware.RealIP to the real client IP
+// from X-Forwarded-For, X-Real-IP, or True-Client-IP headers.
+func rateLimiter(maxReq float64) func(http.Handler) http.Handler {
+	lmt := tollbooth.NewLimiter(maxReq, nil)
+	lmt.SetIPLookup(limiter.IPLookup{
+		Name:           "RemoteAddr",
+		IndexFromRight: 0,
+	})
+	return tollbooth.HTTPMiddleware(lmt)
+}
@@ -12,7 +12,7 @@ import (
 
 	"github.com/PuerkitoBio/goquery"
 	log "github.com/go-pkgz/lgr"
-	"github.com/go-pkgz/repeater"
+	"github.com/go-pkgz/repeater/v2"
 
 	"github.com/umputun/remark42/backend/app/rest"
 	"github.com/umputun/remark42/backend/app/store/image"
@@ -151,7 +151,7 @@ func (p Image) downloadImage(ctx context.Context, imgURL string) ([]byte, error)
 	client := http.Client{Timeout: 30 * time.Second}
 	defer client.CloseIdleConnections()
 	var resp *http.Response
-	err := repeater.NewDefault(5, time.Second).Do(ctx, func() error {
+	err := repeater.NewFixed(5, time.Second).Do(ctx, func() error {
 		var e error
 		req, e := http.NewRequest("GET", imgURL, http.NoBody)
 		if e != nil {
 
@@ -6,16 +6,15 @@ require (
 	github.com/Depado/bfchroma/v2 v2.0.0
 	github.com/PuerkitoBio/goquery v1.11.0
 	github.com/alecthomas/chroma/v2 v2.20.0
-	github.com/didip/tollbooth/v7 v7.0.2
-	github.com/didip/tollbooth_chi v0.0.0-20220719025231-d662a7f6928f
+	github.com/didip/tollbooth/v8 v8.0.1
 	github.com/go-chi/chi/v5 v5.2.3
 	github.com/go-chi/cors v1.2.2
-	github.com/go-pkgz/auth/v2 v2.0.1-0.20250415030422-4f9f2c5e3b0d
+	github.com/go-pkgz/auth/v2 v2.1.0
 	github.com/go-pkgz/jrpc v0.4.0
 	github.com/go-pkgz/lcw/v2 v2.0.0
 	github.com/go-pkgz/lgr v0.12.1
-	github.com/go-pkgz/notify v1.2.0
-	github.com/go-pkgz/repeater v1.2.0
+	github.com/go-pkgz/notify v1.3.0
+	github.com/go-pkgz/repeater/v2 v2.2.0
 	github.com/go-pkgz/rest v1.20.4
 	github.com/go-pkgz/syncs v1.3.2
 	github.com/golang-jwt/jwt/v5 v5.3.0
@@ -37,35 +36,36 @@ require (
 )
 
 require (
-	cloud.google.com/go/compute/metadata v0.6.0 // indirect
+	cloud.google.com/go/compute/metadata v0.9.0 // indirect
 	github.com/andybalholm/cascadia v1.3.3 // indirect
 	github.com/aymerick/douceur v0.2.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dghubble/oauth1 v0.7.3 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/dlclark/regexp2 v1.11.5 // indirect
-	github.com/go-oauth2/oauth2/v4 v4.5.3 // indirect
-	github.com/go-pkgz/email v0.5.0 // indirect
-	github.com/go-pkgz/expirable-cache/v3 v3.0.0 // indirect
+	github.com/go-oauth2/oauth2/v4 v4.5.4 // indirect
+	github.com/go-pkgz/email v0.6.0 // indirect
+	github.com/go-pkgz/expirable-cache/v3 v3.1.0 // indirect
+	github.com/go-pkgz/repeater v1.2.0 // indirect
 	github.com/go-pkgz/routegroup v1.6.0 // indirect
 	github.com/golang/snappy v1.0.0 // indirect
 	github.com/gorilla/css v1.0.1 // indirect
 	github.com/gorilla/websocket v1.5.3 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
-	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/klauspost/compress v1.18.2 // indirect
 	github.com/montanaflynn/stats v0.7.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/redis/go-redis/v9 v9.7.3 // indirect
+	github.com/redis/go-redis/v9 v9.17.2 // indirect
 	github.com/rrivera/identicon v0.0.0-20240116195454-d5ba35832c0d // indirect
-	github.com/slack-go/slack v0.15.0 // indirect
+	github.com/slack-go/slack v0.17.3 // indirect
 	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
-	github.com/xdg-go/scram v1.1.2 // indirect
+	github.com/xdg-go/scram v1.2.0 // indirect
 	github.com/xdg-go/stringprep v1.0.4 // indirect
 	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
-	go.mongodb.org/mongo-driver v1.17.3 // indirect
-	golang.org/x/oauth2 v0.29.0 // indirect
+	go.mongodb.org/mongo-driver v1.17.6 // indirect
+	golang.org/x/oauth2 v0.33.0 // indirect
 	golang.org/x/sync v0.18.0 // indirect
 	golang.org/x/sys v0.38.0 // indirect
 	golang.org/x/text v0.31.0 // indirect