add core lib

2026-03-01 03:04:10 +01:00
parent 9a6818ea3c
commit baa764befd
22 changed files with 2353 additions and 0 deletions
--- a/middleware/cors.go
+++ b/middleware/cors.go
@@ -0,0 +1,67 @@
+package middleware
+
+import (
+	"net"
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+type CORSMiddleware struct {
+	allowedOrigins map[string]struct{}
+	allowAll       bool
+}
+
+func NewCORSMiddleware(origins []string) *CORSMiddleware {
+	m := &CORSMiddleware{allowedOrigins: map[string]struct{}{}}
+	for _, origin := range origins {
+		if origin == "*" {
+			m.allowAll = true
+			continue
+		}
+		m.allowedOrigins[origin] = struct{}{}
+	}
+	return m
+}
+
+func (m *CORSMiddleware) Handler(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		origin := r.Header.Get("Origin")
+		if origin != "" && (m.allowAll || m.isAllowed(origin) || isSameHost(origin, r.Host)) {
+			w.Header().Set("Access-Control-Allow-Origin", origin)
+			w.Header().Set("Vary", "Origin")
+			w.Header().Set("Access-Control-Allow-Credentials", "true")
+			w.Header().Set("Access-Control-Allow-Methods", "GET,POST,PUT,PATCH,DELETE,OPTIONS")
+			w.Header().Set("Access-Control-Allow-Headers", "Content-Type,Authorization")
+		}
+
+		if r.Method == http.MethodOptions {
+			w.WriteHeader(http.StatusNoContent)
+			return
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}
+
+func (m *CORSMiddleware) isAllowed(origin string) bool {
+	_, ok := m.allowedOrigins[origin]
+	return ok
+}
+
+func isSameHost(origin string, requestHost string) bool {
+	parsed, err := url.Parse(origin)
+	if err != nil || parsed.Host == "" {
+		return false
+	}
+
+	originHost := parsed.Hostname()
+	reqHost := requestHost
+	if strings.Contains(requestHost, ":") {
+		if host, _, splitErr := net.SplitHostPort(requestHost); splitErr == nil {
+			reqHost = host
+		}
+	}
+
+	return strings.EqualFold(originHost, reqHost)
+}
--- a/middleware/cors_test.go
+++ b/middleware/cors_test.go
@@ -0,0 +1,137 @@
+package middleware
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+)
+
+func TestCORSHandlerAllowsConfiguredOrigin(t *testing.T) {
+	mw := NewCORSMiddleware([]string{"https://allowed.example"})
+	nextCalled := false
+	h := mw.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		nextCalled = true
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req.Header.Set("Origin", "https://allowed.example")
+	rr := httptest.NewRecorder()
+	h.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d", rr.Code)
+	}
+	if rr.Header().Get("Access-Control-Allow-Origin") != "https://allowed.example" {
+		t.Fatalf("unexpected allow-origin header: %q", rr.Header().Get("Access-Control-Allow-Origin"))
+	}
+	if rr.Header().Get("Access-Control-Allow-Credentials") != "true" {
+		t.Fatalf("expected allow-credentials true, got %q", rr.Header().Get("Access-Control-Allow-Credentials"))
+	}
+	if !nextCalled {
+		t.Fatal("expected next handler to be called")
+	}
+}
+
+func TestCORSHandlerAllowsAnyOriginWhenWildcardConfigured(t *testing.T) {
+	mw := NewCORSMiddleware([]string{"*"})
+	h := mw.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req.Header.Set("Origin", "https://random.example")
+	rr := httptest.NewRecorder()
+	h.ServeHTTP(rr, req)
+
+	if rr.Header().Get("Access-Control-Allow-Origin") != "https://random.example" {
+		t.Fatalf("expected wildcard middleware to echo origin, got %q", rr.Header().Get("Access-Control-Allow-Origin"))
+	}
+	if rr.Header().Get("Access-Control-Allow-Credentials") != "true" {
+		t.Fatalf("expected allow-credentials true, got %q", rr.Header().Get("Access-Control-Allow-Credentials"))
+	}
+}
+
+func TestCORSHandlerAllowsSameHostOrigin(t *testing.T) {
+	mw := NewCORSMiddleware(nil)
+	h := mw.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest(http.MethodGet, "http://api.example:8080/path", nil)
+	req.Host = "api.example:8080"
+	req.Header.Set("Origin", "https://api.example")
+	rr := httptest.NewRecorder()
+	h.ServeHTTP(rr, req)
+
+	if rr.Header().Get("Access-Control-Allow-Origin") != "https://api.example" {
+		t.Fatalf("expected same-host origin to be allowed, got %q", rr.Header().Get("Access-Control-Allow-Origin"))
+	}
+	if rr.Header().Get("Access-Control-Allow-Credentials") != "true" {
+		t.Fatalf("expected allow-credentials true, got %q", rr.Header().Get("Access-Control-Allow-Credentials"))
+	}
+}
+
+func TestCORSHandlerDoesNotSetHeadersForDisallowedOrigin(t *testing.T) {
+	mw := NewCORSMiddleware([]string{"https://allowed.example"})
+	h := mw.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req.Header.Set("Origin", "https://blocked.example")
+	rr := httptest.NewRecorder()
+	h.ServeHTTP(rr, req)
+
+	if rr.Header().Get("Access-Control-Allow-Origin") != "" {
+		t.Fatalf("expected no allow-origin header, got %q", rr.Header().Get("Access-Control-Allow-Origin"))
+	}
+}
+
+func TestCORSHandlerOptionsShortCircuits(t *testing.T) {
+	mw := NewCORSMiddleware([]string{"https://allowed.example"})
+	nextCalled := false
+	h := mw.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		nextCalled = true
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest(http.MethodOptions, "/", nil)
+	req.Header.Set("Origin", "https://allowed.example")
+	rr := httptest.NewRecorder()
+	h.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusNoContent {
+		t.Fatalf("expected 204, got %d", rr.Code)
+	}
+	if rr.Header().Get("Access-Control-Allow-Credentials") != "true" {
+		t.Fatalf("expected allow-credentials true, got %q", rr.Header().Get("Access-Control-Allow-Credentials"))
+	}
+	if nextCalled {
+		t.Fatal("expected next handler not to be called for OPTIONS")
+	}
+}
+
+func TestIsSameHost(t *testing.T) {
+	tests := []struct {
+		name        string
+		origin      string
+		requestHost string
+		want        bool
+	}{
+		{name: "same host exact", origin: "https://api.example", requestHost: "api.example", want: true},
+		{name: "same host with port", origin: "https://api.example", requestHost: "api.example:8080", want: true},
+		{name: "case insensitive", origin: "https://API.EXAMPLE", requestHost: "api.example", want: true},
+		{name: "different host", origin: "https://api.example", requestHost: "other.example", want: false},
+		{name: "invalid origin", origin: "://bad", requestHost: "api.example", want: false},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			got := isSameHost(tc.origin, tc.requestHost)
+			if got != tc.want {
+				t.Fatalf("isSameHost(%q, %q) = %v, want %v", tc.origin, tc.requestHost, got, tc.want)
+			}
+		})
+	}
+}
--- a/middleware/rate_limit.go
+++ b/middleware/rate_limit.go
@@ -0,0 +1,133 @@
+package middleware
+
+import (
+	"net"
+	"net/http"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+)
+
+type ipWindowCounter struct {
+	windowStart time.Time
+	lastSeen    time.Time
+	count       int
+}
+
+type IPRateLimiter struct {
+	mu          sync.Mutex
+	limit       int
+	window      time.Duration
+	ttl         time.Duration
+	maxEntries  int
+	lastCleanup time.Time
+	entries     map[string]*ipWindowCounter
+}
+
+const defaultRateLimiterMaxEntries = 10000
+
+func NewIPRateLimiter(limit int, window time.Duration, ttl time.Duration) *IPRateLimiter {
+	if limit <= 0 {
+		limit = 60
+	}
+	if window <= 0 {
+		window = time.Minute
+	}
+	if ttl <= 0 {
+		ttl = 10 * time.Minute
+	}
+	return &IPRateLimiter{
+		limit:      limit,
+		window:     window,
+		ttl:        ttl,
+		maxEntries: defaultRateLimiterMaxEntries,
+		entries:    map[string]*ipWindowCounter{},
+	}
+}
+
+func (m *IPRateLimiter) Handler(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if !m.allow(r) {
+			w.Header().Set("Retry-After", strconv.Itoa(int(m.window.Seconds())))
+			http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}
+
+func (m *IPRateLimiter) allow(r *http.Request) bool {
+	key := clientKey(r)
+	now := time.Now()
+
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	if m.lastCleanup.IsZero() || now.Sub(m.lastCleanup) >= m.window {
+		m.cleanupLocked(now)
+		m.lastCleanup = now
+	}
+
+	entry, exists := m.entries[key]
+	if !exists {
+		if len(m.entries) >= m.maxEntries {
+			m.evictOldestLocked()
+		}
+		m.entries[key] = &ipWindowCounter{
+			windowStart: now,
+			lastSeen:    now,
+			count:       1,
+		}
+		return true
+	}
+
+	if now.Sub(entry.windowStart) >= m.window {
+		entry.windowStart = now
+		entry.lastSeen = now
+		entry.count = 1
+		return true
+	}
+
+	entry.lastSeen = now
+	if entry.count >= m.limit {
+		return false
+	}
+	entry.count++
+	return true
+}
+
+func (m *IPRateLimiter) cleanupLocked(now time.Time) {
+	for key, entry := range m.entries {
+		if now.Sub(entry.lastSeen) > m.ttl {
+			delete(m.entries, key)
+		}
+	}
+}
+
+func (m *IPRateLimiter) evictOldestLocked() {
+	var oldestKey string
+	var oldestTime time.Time
+	first := true
+	for key, entry := range m.entries {
+		if first || entry.lastSeen.Before(oldestTime) {
+			oldestKey = key
+			oldestTime = entry.lastSeen
+			first = false
+		}
+	}
+	if !first {
+		delete(m.entries, oldestKey)
+	}
+}
+
+func clientKey(r *http.Request) string {
+	host := strings.TrimSpace(r.RemoteAddr)
+	if parsedHost, _, err := net.SplitHostPort(host); err == nil {
+		host = parsedHost
+	}
+	if host == "" {
+		host = "unknown"
+	}
+	return host
+}
--- a/middleware/rate_limit_test.go
+++ b/middleware/rate_limit_test.go
@@ -0,0 +1,177 @@
+package middleware
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+)
+
+func TestIPRateLimiterRejectsExcessRequestsAcrossAuthPaths(t *testing.T) {
+	limiter := NewIPRateLimiter(2, time.Minute, 5*time.Minute)
+	h := limiter.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusNoContent)
+	}))
+
+	for i := 0; i < 2; i++ {
+		req := httptest.NewRequest(http.MethodPost, "/auth/login", nil)
+		req.RemoteAddr = "203.0.113.10:12345"
+		rr := httptest.NewRecorder()
+		h.ServeHTTP(rr, req)
+		if rr.Code != http.StatusNoContent {
+			t.Fatalf("request %d expected 204, got %d", i+1, rr.Code)
+		}
+	}
+
+	third := httptest.NewRequest(http.MethodPost, "/auth/login", nil)
+	third.RemoteAddr = "203.0.113.10:12345"
+	rr := httptest.NewRecorder()
+	h.ServeHTTP(rr, third)
+	if rr.Code != http.StatusTooManyRequests {
+		t.Fatalf("expected 429 for third request, got %d", rr.Code)
+	}
+	if rr.Header().Get("Retry-After") == "" {
+		t.Fatal("expected Retry-After header")
+	}
+
+	otherPath := httptest.NewRequest(http.MethodPost, "/auth/register", nil)
+	otherPath.RemoteAddr = "203.0.113.10:12345"
+	rr2 := httptest.NewRecorder()
+	h.ServeHTTP(rr2, otherPath)
+	if rr2.Code != http.StatusTooManyRequests {
+		t.Fatalf("expected shared limiter bucket per IP across paths, got %d", rr2.Code)
+	}
+}
+
+func TestIPRateLimiterCleanupRunsPeriodicallyWithoutEntryThreshold(t *testing.T) {
+	limiter := NewIPRateLimiter(5, 20*time.Millisecond, 20*time.Millisecond)
+
+	first := httptest.NewRequest(http.MethodPost, "/auth/login", nil)
+	first.RemoteAddr = "203.0.113.10:12345"
+	if !limiter.allow(first) {
+		t.Fatal("expected first request to be allowed")
+	}
+
+	time.Sleep(50 * time.Millisecond)
+
+	second := httptest.NewRequest(http.MethodPost, "/auth/login", nil)
+	second.RemoteAddr = "203.0.113.11:12345"
+	if !limiter.allow(second) {
+		t.Fatal("expected second request to be allowed")
+	}
+
+	limiter.mu.Lock()
+	defer limiter.mu.Unlock()
+	if len(limiter.entries) != 1 {
+		t.Fatalf("expected stale entries to be cleaned, got %d entries", len(limiter.entries))
+	}
+	if _, exists := limiter.entries["203.0.113.11"]; !exists {
+		t.Fatal("expected current client key to remain after cleanup")
+	}
+}
+
+func TestIPRateLimiterEvictsOldestEntryAtCapacity(t *testing.T) {
+	limiter := NewIPRateLimiter(5, time.Minute, time.Hour)
+	limiter.maxEntries = 2
+
+	req1 := httptest.NewRequest(http.MethodPost, "/auth/login", nil)
+	req1.RemoteAddr = "203.0.113.10:12345"
+	if !limiter.allow(req1) {
+		t.Fatal("expected first request to be allowed")
+	}
+
+	time.Sleep(2 * time.Millisecond)
+
+	req2 := httptest.NewRequest(http.MethodPost, "/auth/login", nil)
+	req2.RemoteAddr = "203.0.113.11:12345"
+	if !limiter.allow(req2) {
+		t.Fatal("expected second request to be allowed")
+	}
+
+	time.Sleep(2 * time.Millisecond)
+
+	req3 := httptest.NewRequest(http.MethodPost, "/auth/login", nil)
+	req3.RemoteAddr = "203.0.113.12:12345"
+	if !limiter.allow(req3) {
+		t.Fatal("expected third request to be allowed")
+	}
+
+	limiter.mu.Lock()
+	defer limiter.mu.Unlock()
+	if len(limiter.entries) != 2 {
+		t.Fatalf("expected limiter size to remain capped at 2, got %d", len(limiter.entries))
+	}
+	if _, exists := limiter.entries["203.0.113.10"]; exists {
+		t.Fatal("expected oldest entry to be evicted")
+	}
+	if _, exists := limiter.entries["203.0.113.11"]; !exists {
+		t.Fatal("expected second entry to remain")
+	}
+	if _, exists := limiter.entries["203.0.113.12"]; !exists {
+		t.Fatal("expected newest entry to remain")
+	}
+}
+
+func TestIPRateLimiterWindowResetAllowsRequestAgain(t *testing.T) {
+	limiter := NewIPRateLimiter(1, 20*time.Millisecond, time.Minute)
+
+	req := httptest.NewRequest(http.MethodPost, "/auth/login", nil)
+	req.RemoteAddr = "203.0.113.10:12345"
+	if !limiter.allow(req) {
+		t.Fatal("expected first request to be allowed")
+	}
+	if limiter.allow(req) {
+		t.Fatal("expected second request in same window to be blocked")
+	}
+
+	time.Sleep(25 * time.Millisecond)
+	if !limiter.allow(req) {
+		t.Fatal("expected request to be allowed after window reset")
+	}
+}
+
+func TestClientKeyVariants(t *testing.T) {
+	t.Run("host port", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodGet, "/", nil)
+		req.RemoteAddr = "203.0.113.10:4321"
+		if got := clientKey(req); got != "203.0.113.10" {
+			t.Fatalf("expected parsed host, got %q", got)
+		}
+	})
+
+	t.Run("raw host", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodGet, "/", nil)
+		req.RemoteAddr = "203.0.113.11"
+		if got := clientKey(req); got != "203.0.113.11" {
+			t.Fatalf("expected raw host, got %q", got)
+		}
+	})
+
+	t.Run("empty uses unknown", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodGet, "/", nil)
+		req.RemoteAddr = "   "
+		if got := clientKey(req); got != "unknown" {
+			t.Fatalf("expected unknown fallback, got %q", got)
+		}
+	})
+}
+
+func TestNewIPRateLimiterAppliesDefaults(t *testing.T) {
+	limiter := NewIPRateLimiter(0, 0, 0)
+
+	if limiter.limit != 60 {
+		t.Fatalf("expected default limit 60, got %d", limiter.limit)
+	}
+	if limiter.window != time.Minute {
+		t.Fatalf("expected default window %v, got %v", time.Minute, limiter.window)
+	}
+	if limiter.ttl != 10*time.Minute {
+		t.Fatalf("expected default ttl %v, got %v", 10*time.Minute, limiter.ttl)
+	}
+	if limiter.maxEntries != defaultRateLimiterMaxEntries {
+		t.Fatalf("expected maxEntries %d, got %d", defaultRateLimiterMaxEntries, limiter.maxEntries)
+	}
+	if limiter.entries == nil {
+		t.Fatal("expected entries map to be initialized")
+	}
+}