gotosocial/internal/middleware/ratelimit.go

// GoToSocial
// Copyright (C) GoToSocial Authors admin@gotosocial.org
// SPDX-License-Identifier: AGPL-3.0-or-later
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program.  If not, see <http://www.gnu.org/licenses/>.

package middleware

import (
	"net"
	"net/http"
	"net/netip"
	"strconv"
	"time"

	"github.com/gin-gonic/gin"
	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
	"github.com/superseriousbusiness/gotosocial/internal/util"
	"github.com/ulule/limiter/v3"
	"github.com/ulule/limiter/v3/drivers/store/memory"
)

const rateLimitPeriod = 5 * time.Minute

// RateLimit returns a gin middleware that will automatically rate
// limit caller (by IP address), and enrich the response header with
// the following headers:
//
//   - `X-Ratelimit-Limit`     - max requests allowed per time period (fixed).
//   - `X-Ratelimit-Remaining` - requests remaining for this IP before reset.
//   - `X-Ratelimit-Reset`     - ISO8601 timestamp when the rate limit will reset.
//
// If `X-Ratelimit-Limit` is exceeded, the request is aborted and an
// HTTP 429 TooManyRequests status is returned.
//
// If the config AdvancedRateLimitRequests value is <= 0, then a noop
// handler will be returned, which performs no rate limiting.
func RateLimit(limit int, exceptions []string) gin.HandlerFunc {
	if limit <= 0 {
		// Rate limiting is disabled.
		// Return noop middleware.
		return func(ctx *gin.Context) {}
	}

	limiter := limiter.New(
		memory.NewStore(),
		limiter.Rate{
			Period: rateLimitPeriod,
			Limit:  int64(limit),
		},
	)

	// Convert exceptions IP ranges into prefixes.
	exceptPrefs := make([]netip.Prefix, len(exceptions))
	for i, str := range exceptions {
		exceptPrefs[i] = netip.MustParsePrefix(str)
	}

	// It's prettymuch impossible to effectively
	// rate limit the immense IPv6 address space
	// unless we mask some of the bytes.
	//
	// This mask is pretty coarse, and puts IPv6
	// blocking on more or less the same footing
	// as IPv4 blocking in terms of how likely it
	// is to prevent abuse while still allowing
	// legit users access to the service.
	ipv6Mask := net.CIDRMask(64, 128)

	return func(c *gin.Context) {
		// Use Gin's heuristic for determining
		// clientIP, which accounts for reverse
		// proxies and trusted proxies setting.
		clientIP := netip.MustParseAddr(c.ClientIP())

		// Check if this IP is exempt from rate
		// limits and skip further checks if so.
		for _, prefix := range exceptPrefs {
			if prefix.Contains(clientIP) {
				c.Next()
				return
			}
		}

		if clientIP.Is6() {
			// Convert to "net" package IP for mask.
			asIP := net.IP(clientIP.AsSlice())

			// Apply coarse IPv6 mask.
			asIP = asIP.Mask(ipv6Mask)

			// Convert back to netip.Addr from net.IP.
			clientIP, _ = netip.AddrFromSlice(asIP)
		}

		// Fetch rate limit info for this (masked) clientIP.
		context, err := limiter.Get(c, clientIP.String())
		if err != nil {
			// Since we use an in-memory cache now,
			// it's actually impossible for this to
			// error, but handle it nicely anyway in
			// case we switch implementation in future.
			errWithCode := gtserror.NewErrorInternalError(err)

			// Set error on gin context so it'll
			// be picked up by logging middleware.
			c.Error(errWithCode) //nolint:errcheck

			// Bail with 500.
			c.AbortWithStatusJSON(
				errWithCode.Code(),
				gin.H{"error": errWithCode.Safe()},
			)
			return
		}

		// Provide reset in same format used by
		// Mastodon. There's no real standard as
		// to what format X-RateLimit-Reset SHOULD
		// use, but since most clients interacting
		// with us will expect the Mastodon version,
		// it makes sense to take this.
		resetT := time.Unix(context.Reset, 0)
		reset := util.FormatISO8601(resetT)

		c.Header("X-RateLimit-Limit", strconv.FormatInt(context.Limit, 10))
		c.Header("X-RateLimit-Remaining", strconv.FormatInt(context.Remaining, 10))
		c.Header("X-RateLimit-Reset", reset)

		if context.Reached {
			// Return JSON error message for
			// consistency with other endpoints.
			c.AbortWithStatusJSON(
				http.StatusTooManyRequests,
				gin.H{"error": "rate limit reached"},
			)
			return
		}

		// Allow the request
		// to continue.
		c.Next()
	}
}
[chore] Improve copyright header handling (#1608) * [chore] Remove years from all license headers Years or year ranges aren't required in license headers. Many projects have removed them in recent years and it avoids a bit of yearly toil. In many cases our copyright claim was also a bit dodgy since we added the 2021-2023 header to files created after 2021 but you can't claim copyright into the past that way. * [chore] Add license header check This ensures a license header is always added to any new file. This avoids maintainers/reviewers needing to remember to check for and ask for it in case a contribution doesn't include it. * [chore] Add missing license headers * [chore] Further updates to license header * Use the more common // indentend comment format * Remove the hack we had for the linter now that we use the // format * Add SPDX license identifier 2023-03-12 16:00:57 +01:00			`// GoToSocial`
			`// Copyright (C) GoToSocial Authors admin@gotosocial.org`
			`// SPDX-License-Identifier: AGPL-3.0-or-later`
			`//`
			`// This program is free software: you can redistribute it and/or modify`
			`// it under the terms of the GNU Affero General Public License as published by`
			`// the Free Software Foundation, either version 3 of the License, or`
			`// (at your option) any later version.`
			`//`
			`// This program is distributed in the hope that it will be useful,`
			`// but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`// GNU Affero General Public License for more details.`
			`//`
			`// You should have received a copy of the GNU Affero General Public License`
			`// along with this program. If not, see <http://www.gnu.org/licenses/>.`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00
			`package middleware`

			`import (`
			`"net"`
			`"net/http"`
[feature] Add rate limit exceptions option, use ISO8601 for rate limit reset (#2151) * start updating rate limiting, add exceptions * tests, comments, tidying up * add rate limiting exceptions to example config * envparsing * nolint * apply kimbediff * add examples 2023-08-23 14:32:27 +02:00			`"net/netip"`
			`"strconv"`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00			`"time"`

			`"github.com/gin-gonic/gin"`
[feature] Add rate limit exceptions option, use ISO8601 for rate limit reset (#2151) * start updating rate limiting, add exceptions * tests, comments, tidying up * add rate limiting exceptions to example config * envparsing * nolint * apply kimbediff * add examples 2023-08-23 14:32:27 +02:00			`"github.com/superseriousbusiness/gotosocial/internal/gtserror"`
			`"github.com/superseriousbusiness/gotosocial/internal/util"`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00			`"github.com/ulule/limiter/v3"`
			`"github.com/ulule/limiter/v3/drivers/store/memory"`
			`)`

			`const rateLimitPeriod = 5 * time.Minute`

[feature] Add rate limit exceptions option, use ISO8601 for rate limit reset (#2151) * start updating rate limiting, add exceptions * tests, comments, tidying up * add rate limiting exceptions to example config * envparsing * nolint * apply kimbediff * add examples 2023-08-23 14:32:27 +02:00			`// RateLimit returns a gin middleware that will automatically rate`
			`// limit caller (by IP address), and enrich the response header with`
			`// the following headers:`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00			`//`
[feature] Add rate limit exceptions option, use ISO8601 for rate limit reset (#2151) * start updating rate limiting, add exceptions * tests, comments, tidying up * add rate limiting exceptions to example config * envparsing * nolint * apply kimbediff * add examples 2023-08-23 14:32:27 +02:00			// - `X-Ratelimit-Limit` - max requests allowed per time period (fixed).
			// - `X-Ratelimit-Remaining` - requests remaining for this IP before reset.
			// - `X-Ratelimit-Reset` - ISO8601 timestamp when the rate limit will reset.
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00			`//`
[feature] Add rate limit exceptions option, use ISO8601 for rate limit reset (#2151) * start updating rate limiting, add exceptions * tests, comments, tidying up * add rate limiting exceptions to example config * envparsing * nolint * apply kimbediff * add examples 2023-08-23 14:32:27 +02:00			// If `X-Ratelimit-Limit` is exceeded, the request is aborted and an
			`// HTTP 429 TooManyRequests status is returned.`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00			`//`
[feature] Add rate limit exceptions option, use ISO8601 for rate limit reset (#2151) * start updating rate limiting, add exceptions * tests, comments, tidying up * add rate limiting exceptions to example config * envparsing * nolint * apply kimbediff * add examples 2023-08-23 14:32:27 +02:00			`// If the config AdvancedRateLimitRequests value is <= 0, then a noop`
			`// handler will be returned, which performs no rate limiting.`
			`func RateLimit(limit int, exceptions []string) gin.HandlerFunc {`
[chore] shuffle middleware to split rate limitting into client/s2s/fileserver, share gzip middleware globally (#1290) Signed-off-by: kim <grufwub@gmail.com> Signed-off-by: kim <grufwub@gmail.com> 2023-01-03 10:50:59 +00:00			`if limit <= 0 {`
[feature] Add rate limit exceptions option, use ISO8601 for rate limit reset (#2151) * start updating rate limiting, add exceptions * tests, comments, tidying up * add rate limiting exceptions to example config * envparsing * nolint * apply kimbediff * add examples 2023-08-23 14:32:27 +02:00			`// Rate limiting is disabled.`
			`// Return noop middleware.`
[chore] shuffle middleware to split rate limitting into client/s2s/fileserver, share gzip middleware globally (#1290) Signed-off-by: kim <grufwub@gmail.com> Signed-off-by: kim <grufwub@gmail.com> 2023-01-03 10:50:59 +00:00			`return func(ctx *gin.Context) {}`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00			`}`

[chore] shuffle middleware to split rate limitting into client/s2s/fileserver, share gzip middleware globally (#1290) Signed-off-by: kim <grufwub@gmail.com> Signed-off-by: kim <grufwub@gmail.com> 2023-01-03 10:50:59 +00:00			`limiter := limiter.New(`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00			`memory.NewStore(),`
[feature] Add rate limit exceptions option, use ISO8601 for rate limit reset (#2151) * start updating rate limiting, add exceptions * tests, comments, tidying up * add rate limiting exceptions to example config * envparsing * nolint * apply kimbediff * add examples 2023-08-23 14:32:27 +02:00			`limiter.Rate{`
			`Period: rateLimitPeriod,`
			`Limit: int64(limit),`
			`},`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00			`)`

[feature] Add rate limit exceptions option, use ISO8601 for rate limit reset (#2151) * start updating rate limiting, add exceptions * tests, comments, tidying up * add rate limiting exceptions to example config * envparsing * nolint * apply kimbediff * add examples 2023-08-23 14:32:27 +02:00			`// Convert exceptions IP ranges into prefixes.`
			`exceptPrefs := make([]netip.Prefix, len(exceptions))`
			`for i, str := range exceptions {`
			`exceptPrefs[i] = netip.MustParsePrefix(str)`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00			`}`

[feature] Add rate limit exceptions option, use ISO8601 for rate limit reset (#2151) * start updating rate limiting, add exceptions * tests, comments, tidying up * add rate limiting exceptions to example config * envparsing * nolint * apply kimbediff * add examples 2023-08-23 14:32:27 +02:00			`// It's prettymuch impossible to effectively`
			`// rate limit the immense IPv6 address space`
			`// unless we mask some of the bytes.`
			`//`
			`// This mask is pretty coarse, and puts IPv6`
			`// blocking on more or less the same footing`
			`// as IPv4 blocking in terms of how likely it`
			`// is to prevent abuse while still allowing`
			`// legit users access to the service.`
			`ipv6Mask := net.CIDRMask(64, 128)`

			`return func(c *gin.Context) {`
			`// Use Gin's heuristic for determining`
			`// clientIP, which accounts for reverse`
			`// proxies and trusted proxies setting.`
			`clientIP := netip.MustParseAddr(c.ClientIP())`

			`// Check if this IP is exempt from rate`
			`// limits and skip further checks if so.`
			`for _, prefix := range exceptPrefs {`
			`if prefix.Contains(clientIP) {`
			`c.Next()`
			`return`
			`}`
			`}`

			`if clientIP.Is6() {`
			`// Convert to "net" package IP for mask.`
			`asIP := net.IP(clientIP.AsSlice())`

			`// Apply coarse IPv6 mask.`
			`asIP = asIP.Mask(ipv6Mask)`

			`// Convert back to netip.Addr from net.IP.`
			`clientIP, _ = netip.AddrFromSlice(asIP)`
			`}`

			`// Fetch rate limit info for this (masked) clientIP.`
			`context, err := limiter.Get(c, clientIP.String())`
			`if err != nil {`
			`// Since we use an in-memory cache now,`
			`// it's actually impossible for this to`
			`// error, but handle it nicely anyway in`
			`// case we switch implementation in future.`
			`errWithCode := gtserror.NewErrorInternalError(err)`

			`// Set error on gin context so it'll`
			`// be picked up by logging middleware.`
			`c.Error(errWithCode) //nolint:errcheck`

			`// Bail with 500.`
			`c.AbortWithStatusJSON(`
			`errWithCode.Code(),`
			`gin.H{"error": errWithCode.Safe()},`
			`)`
			`return`
			`}`

			`// Provide reset in same format used by`
			`// Mastodon. There's no real standard as`
			`// to what format X-RateLimit-Reset SHOULD`
			`// use, but since most clients interacting`
			`// with us will expect the Mastodon version,`
			`// it makes sense to take this.`
			`resetT := time.Unix(context.Reset, 0)`
			`reset := util.FormatISO8601(resetT)`

			`c.Header("X-RateLimit-Limit", strconv.FormatInt(context.Limit, 10))`
			`c.Header("X-RateLimit-Remaining", strconv.FormatInt(context.Remaining, 10))`
			`c.Header("X-RateLimit-Reset", reset)`

			`if context.Reached {`
			`// Return JSON error message for`
			`// consistency with other endpoints.`
			`c.AbortWithStatusJSON(`
			`http.StatusTooManyRequests,`
			`gin.H{"error": "rate limit reached"},`
			`)`
			`return`
			`}`

			`// Allow the request`
			`// to continue.`
			`c.Next()`
			`}`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00			`}`