[chore] skip trusted-proxies warning if ip excepted from rate limiting (#3699)

* [chore] skip `trusted-proxies` warning if ip excepted from rate limiting * weep * typo * fix env parsing test
2025-10-29 02:12:25 -05:00 · 2025-01-27 19:21:13 +01:00 · 2025-01-27 19:21:13 +01:00 · 9048290948
commit 9048290948
parent 726d2ba483
10 changed files with 195 additions and 67 deletions
--- a/internal/middleware/ratelimit.go
+++ b/internal/middleware/ratelimit.go
@ -48,7 +48,7 @@ const rateLimitPeriod = 5 * time.Minute
 //
 // If the config AdvancedRateLimitRequests value is <= 0, then a noop
 // handler will be returned, which performs no rate limiting.
-func RateLimit(limit int, exceptions []string) gin.HandlerFunc {
+func RateLimit(limit int, except []netip.Prefix) gin.HandlerFunc {
 	if limit <= 0 {
 		// Rate limiting is disabled.
 		// Return noop middleware.
@ -63,12 +63,6 @@ func RateLimit(limit int, exceptions []string) gin.HandlerFunc {
 		},
 	)

-	// Convert exceptions IP ranges into prefixes.
-	exceptPrefs := make([]netip.Prefix, len(exceptions))
-	for i, str := range exceptions {
-		exceptPrefs[i] = netip.MustParsePrefix(str)
-	}
-
 	// It's prettymuch impossible to effectively
 	// rate limit the immense IPv6 address space
 	// unless we mask some of the bytes.
@ -88,7 +82,7 @@ func RateLimit(limit int, exceptions []string) gin.HandlerFunc {

 		// Check if this IP is exempt from rate
 		// limits and skip further checks if so.
-		for _, prefix := range exceptPrefs {
+		for _, prefix := range except {
 			if prefix.Contains(clientIP) {
 				c.Next()
 				return
--- a/internal/middleware/ratelimit_test.go
+++ b/internal/middleware/ratelimit_test.go
@ -20,6 +20,7 @@ package middleware_test
 import (
 	"net/http"
 	"net/http/httptest"
+	"net/netip"
 	"strconv"
 	"testing"
 	"time"
@ -47,60 +48,37 @@ func (suite *RateLimitTestSuite) TestRateLimit() {

 	type rlTest struct {
 		limit        int
-		exceptions   []string
+		exceptions   []netip.Prefix
 		clientIP     string
-		shouldPanic  bool
 		shouldExcept bool
 	}

 	for _, test := range []rlTest{
 		{
 			limit:        10,
-			exceptions:   []string{},
+			exceptions:   nil,
 			clientIP:     "192.0.2.0",
-			shouldPanic:  false,
 			shouldExcept: false,
 		},
 		{
 			limit:        10,
-			exceptions:   []string{},
+			exceptions:   nil,
 			clientIP:     "192.0.2.0",
-			shouldPanic:  false,
 			shouldExcept: false,
 		},
 		{
 			limit:        10,
-			exceptions:   []string{"192.0.2.0/24"},
+			exceptions:   []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24")},
 			clientIP:     "192.0.2.0",
-			shouldPanic:  false,
 			shouldExcept: true,
 		},
 		{
 			limit:        10,
-			exceptions:   []string{"192.0.2.0/32"},
+			exceptions:   []netip.Prefix{netip.MustParsePrefix("192.0.2.0/32")},
 			clientIP:     "192.0.2.1",
-			shouldPanic:  false,
-			shouldExcept: false,
-		},
-		{
-			limit:        10,
-			exceptions:   []string{"Ceci n'est pas une CIDR"},
-			clientIP:     "192.0.2.0",
-			shouldPanic:  true,
 			shouldExcept: false,
 		},
 	} {
-		if test.shouldPanic {
-			// Try to trigger panic.
-			suite.Panics(func() {
-				_ = middleware.RateLimit(
-					test.limit,
-					test.exceptions,
-				)
-			})
-			continue
-		}
-
 		rlMiddleware := middleware.RateLimit(
 			test.limit,
 			test.exceptions,