asd

nhost · Aug 16, 2024 · e7c113e · e7c113e
1 parent 253d7f5
commit e7c113e
Show file tree

Hide file tree

Showing 17 changed files with 1,622 additions and 284 deletions.
diff --git a/Makefile b/Makefile
@@ -73,7 +73,7 @@ dev-env-up-short:  ## Starts development environment without ai service
 		--project-name auth-dev \
 		up \
 		--wait --wait-timeout 120 \
-		postgres graphql mailhog
+		postgres graphql mailhog memcached
 
 
 .PHONY: dev-env-down

diff --git a/build/dev/docker/docker-compose.yaml b/build/dev/docker/docker-compose.yaml
@@ -131,6 +131,15 @@ services:
               target: /etc/pg_hba_local.conf
               read_only: true
 
+    memcached:
+        image: memcached:1.6
+        ports:
+            - mode: ingress
+              target: 11211
+              published: "11211"
+              protocol: tcp
+        restart: always
+
     mailhog:
         image: jcalonso/mailhog:v1.0.1
         ports:

diff --git a/go.mod b/go.mod
@@ -5,6 +5,7 @@ go 1.22.0
 toolchain go1.22.5
 
 require (
+	github.com/bradfitz/gomemcache v0.0.0-20230905024940-24af94b03874
 	github.com/getkin/kin-openapi v0.127.0
 	github.com/gin-gonic/gin v1.10.0
 	github.com/go-webauthn/webauthn v0.11.0

diff --git a/go.sum b/go.sum
@@ -1,3 +1,5 @@
+github.com/bradfitz/gomemcache v0.0.0-20230905024940-24af94b03874 h1:N7oVaKyGp8bttX0bfZGmcGkjz7DLQXhAn3DNd3T0ous=
+github.com/bradfitz/gomemcache v0.0.0-20230905024940-24af94b03874/go.mod h1:r5xuitiExdLAJ09PR7vBVENGvp4ZuTBeWTGtxuX3K+c=
 github.com/bytedance/sonic v1.12.0 h1:YGPgxF9xzaCNvd/ZKdQ28yRovhfMFZQjuk6fKBzZ3ls=
 github.com/bytedance/sonic v1.12.0/go.mod h1:B8Gt/XvtZ3Fqj+iSKMypzymZxw/FVwgIGKzMzT9r/rk=
 github.com/bytedance/sonic/loader v0.1.1/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=

diff --git a/go/cmd/serve.go b/go/cmd/serve.go
@@ -11,13 +11,15 @@ import (
 	"strings"
 	"time"
 
+	"github.com/bradfitz/gomemcache/memcache"
 	"github.com/getkin/kin-openapi/openapi3"
 	"github.com/getkin/kin-openapi/openapi3filter"
 	"github.com/gin-gonic/gin"
 	"github.com/nhost/hasura-auth/go/api"
 	"github.com/nhost/hasura-auth/go/controller"
 	"github.com/nhost/hasura-auth/go/hibp"
 	"github.com/nhost/hasura-auth/go/middleware"
+	"github.com/nhost/hasura-auth/go/middleware/ratelimit"
 	"github.com/nhost/hasura-auth/go/sql"
 	ginmiddleware "github.com/oapi-codegen/gin-middleware"
 	"github.com/urfave/cli/v2"
@@ -87,6 +89,8 @@ const (
 	flagRateLimitBruteForceInterval      = "rate-limit-brute-force-interval"
 	flagRateLimit#sBurst            = "rate-limit-#s-burst"
 	flagRateLimit#sInterval         = "rate-limit-#s-interval"
+	flagRateLimitMemcacheServer          = "rate-limit-memcache-server"
+	flagRateLimitMemcachePrefix          = "rate-limit-memcache-prefix"
 )
 
 func CommandServe() *cli.Command { //nolint:funlen,maintidx
@@ -538,6 +542,18 @@ func CommandServe() *cli.Command { //nolint:funlen,maintidx
 				Category: "rate-limit",
 				EnvVars:  []string{"AUTH_RATE_LIMIT_#S_INTERVAL"},
 			},
+			&cli.StringFlag{ //nolint: exhaustruct
+				Name:     flagRateLimitMemcacheServer,
+				Usage:    "Store sliding window rate limit data in memcache",
+				Category: "rate-limit",
+				EnvVars:  []string{"AUTH_RATE_LIMIT_MEMCACHE_SERVER"},
+			},
+			&cli.StringFlag{ //nolint: exhaustruct
+				Name:     flagRateLimitMemcachePrefix,
+				Usage:    "Prefix for rate limit keys in memcache",
+				Category: "rate-limit",
+				EnvVars:  []string{"AUTH_RATE_LIMIT_MEMCACHE_PREFIX"},
+			},
 		},
 		Action: serve,
 	}
@@ -582,21 +598,33 @@ func getNodeServer(cCtx *cli.Context) *exec.Cmd {
 	return cmd
 }
 
-func getRateLimiter(cCtx *cli.Context) gin.HandlerFunc {
-	return middleware.RateLimit(
+func getRateLimiter(cCtx *cli.Context, logger *slog.Logger) gin.HandlerFunc {
+	var store ratelimit.Store
+	if cCtx.String(flagRateLimitMemcacheServer) != "" {
+		store = ratelimit.NewMemcacheStore(
+			memcache.New(cCtx.String(flagRateLimitMemcacheServer)),
+			cCtx.String(flagRateLimitMemcachePrefix),
+			logger.WithGroup("rate-limit-memcache"),
+		)
+	} else {
+		store = ratelimit.NewInMemoryStore()
+	}
+
+	return ratelimit.RateLimit(
 		cCtx.String(flagAPIPrefix),
-		int64(cCtx.Int(flagRateLimitGlobalBurst)),
+		cCtx.Int(flagRateLimitGlobalBurst),
 		cCtx.Duration(flagRateLimitGlobalInterval),
-		int64(cCtx.Int(flagRateLimitEmailBurst)),
+		cCtx.Int(flagRateLimitEmailBurst),
 		cCtx.Duration(flagRateLimitEmailInterval),
 		cCtx.Bool(flagRateLimitEmailIsGlobal),
 		cCtx.Bool(flagEmailSigninEmailVerifiedRequired),
-		int64(cCtx.Int(flagRateLimitSMSBurst)),
+		cCtx.Int(flagRateLimitSMSBurst),
 		cCtx.Duration(flagRateLimitSMSInterval),
-		int64(cCtx.Int(flagRateLimitBruteForceBurst)),
+		cCtx.Int(flagRateLimitBruteForceBurst),
 		cCtx.Duration(flagRateLimitBruteForceInterval),
-		int64(cCtx.Int(flagRateLimit#sBurst)),
+		cCtx.Int(flagRateLimit#sBurst),
 		cCtx.Duration(flagRateLimit#sInterval),
+		store,
 	)
 }
 
@@ -622,7 +650,7 @@ func getGoServer( //nolint:funlen
 	}
 
 	if cCtx.Bool(flagRateLimitEnable) {
-		handlers = append(handlers, getRateLimiter(cCtx))
+		handlers = append(handlers, getRateLimiter(cCtx, logger))
 	}
 
 	router.Use(handlers...)

diff --git a/go/middleware/rate_limit.go b/go/middleware/rate_limit.go