m/KanzlAI-mGMT
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
19bea8d058da1cb1b4c05ce26e86743dbddabc70
KanzlAI-mGMT/backend/internal/middleware/ratelimit.go
m c5c3f41e08 feat: production hardening — slog, rate limiting, integration tests, seed data (Phase 4) 
- Structured logging: replace log.* with log/slog JSON output across backend
- Request logger middleware: logs method, path, status, duration for all non-health requests
- Rate limiting: token bucket (5 req/min, burst 10) on AI endpoints (/api/ai/*)
- Integration tests: full critical path test (auth -> create case -> add deadline -> dashboard)
- Seed demo data: 1 tenant, 5 cases with deadlines/appointments/parties/events
- docker-compose.yml: add all required env vars (DATABASE_URL, SUPABASE_*, ANTHROPIC_API_KEY)
- .env.example: document all env vars including DATABASE_URL and CalDAV note
2026-03-25 14:32:27 +01:00

99 lines
2.2 KiB
Go
Raw Blame History

package middleware
import (
"log/slog"
"net/http"
"sync"
"time"
)
// TokenBucket implements a simple per-IP token bucket rate limiter.
type TokenBucket struct {
mu sync.Mutex
buckets map[string]*bucket
rate float64 // tokens per second
burst int // max tokens
}
type bucket struct {
tokens float64
lastTime time.Time
}
// NewTokenBucket creates a rate limiter allowing rate requests per second with burst capacity.
func NewTokenBucket(rate float64, burst int) *TokenBucket {
tb := &TokenBucket{
buckets: make(map[string]*bucket),
rate: rate,
burst: burst,
}
// Periodically clean up stale buckets
go tb.cleanup()
return tb
}
func (tb *TokenBucket) allow(key string) bool {
tb.mu.Lock()
defer tb.mu.Unlock()
b, ok := tb.buckets[key]
if !ok {
b = &bucket{tokens: float64(tb.burst), lastTime: time.Now()}
tb.buckets[key] = b
}
now := time.Now()
elapsed := now.Sub(b.lastTime).Seconds()
b.tokens += elapsed * tb.rate
if b.tokens > float64(tb.burst) {
b.tokens = float64(tb.burst)
}
b.lastTime = now
if b.tokens < 1 {
return false
}
b.tokens--
return true
}
func (tb *TokenBucket) cleanup() {
ticker := time.NewTicker(5 * time.Minute)
defer ticker.Stop()
for range ticker.C {
tb.mu.Lock()
cutoff := time.Now().Add(-10 * time.Minute)
for key, b := range tb.buckets {
if b.lastTime.Before(cutoff) {
delete(tb.buckets, key)
}
}
tb.mu.Unlock()
}
}
// Limit wraps an http.Handler with rate limiting.
func (tb *TokenBucket) Limit(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
ip := r.Header.Get("X-Forwarded-For")
if ip == "" {
ip = r.RemoteAddr
}
if !tb.allow(ip) {
slog.Warn("rate limit exceeded", "ip", ip, "path", r.URL.Path)
w.Header().Set("Content-Type", "application/json")
w.Header().Set("Retry-After", "10")
w.WriteHeader(http.StatusTooManyRequests)
w.Write([]byte(`{"error":"rate limit exceeded, try again later"}`))
return
}
next.ServeHTTP(w, r)
})
}
// LimitFunc wraps an http.HandlerFunc with rate limiting.
func (tb *TokenBucket) LimitFunc(next http.HandlerFunc) http.HandlerFunc {
limited := tb.Limit(http.HandlerFunc(next))
return limited.ServeHTTP
}
Reference in New Issue View Git Blame Copy Permalink