senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
veza/veza-backend-api/internal/middleware
History
senke ebf3276daa feat(middleware): wire UserRateLimiter into AuthMiddleware (BE-SVC-002) 
UserRateLimiter had been created in initMiddlewares() + stored on
config.UserRateLimiter but never mounted — dead wiring. Per-user rate
limiting was silently not running anywhere.

Applying it as a separate `v1.Use(...)` would fire *before* the JWT
auth middleware sets `user_id`, so the limiter would always skip. The
alternative (add it after every `RequireAuth()` in ~15 route files)
bloats every routes_*.go and invites forgetting.

Solution: centralise it on AuthMiddleware. After a successful
`authenticate()` in `RequireAuth`, invoke the limiter's handler. When
the limiter is nil (tests, early boot), it's a no-op.

Changes:
  - internal/middleware/auth.go
    * new field  AuthMiddleware.userRateLimiter *UserRateLimiter
    * new method AuthMiddleware.SetUserRateLimiter(url)
    * RequireAuth() flow: authenticate → presence → user rate limit
      → c.Next(). Abort surfaces as early-return without c.Next().
  - internal/config/middlewares_init.go
    * call c.AuthMiddleware.SetUserRateLimiter(c.UserRateLimiter)
      right after AuthMiddleware construction.

Behavior:
  - Authenticated requests: per-user limit enforced via Redis, with
    X-RateLimit-Limit / Remaining / Reset headers, 429 + retry-after
    on overflow. Defaults: 1000 req/min, burst 100 (env-tunable via
    USER_RATE_LIMIT_PER_MINUTE / USER_RATE_LIMIT_BURST).
  - Unauthenticated requests: RequireAuth already rejected them → the
    limiter never runs, no behavior change there.

Tests: `go test ./internal/middleware/ -short` green (33s).
`go build ./...` + `go vet ./internal/middleware/` clean.

Refs: AUDIT_REPORT.md §4.3 "UserRateLimiter configuré non wiré"
      + §9 priority #11.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-21 09:52:07 +02:00
..
api_key_rate_limiter.go style(backend): gofmt -w on 85 files (whitespace only) 2026-04-14 12:22:14 +02:00
api_key_rate_limiter_test.go feat(v0.12.8): documentation & API publique — rate limiting, scopes, OpenAPI 2026-03-12 18:44:09 +01:00
api_key_scope.go style(backend): gofmt -w on 85 files (whitespace only) 2026-04-14 12:22:14 +02:00
api_key_scope_test.go feat(v0.12.8): documentation & API publique — rate limiting, scopes, OpenAPI 2026-03-12 18:44:09 +01:00
audit.go feat(audit): HTTP audit middleware for auto-logging POST/PUT/DELETE 2026-02-25 19:48:03 +01:00
audit_test.go feat(audit): HTTP audit middleware for auto-logging POST/PUT/DELETE 2026-02-25 19:48:03 +01:00
auth.go feat(middleware): wire UserRateLimiter into AuthMiddleware (BE-SVC-002) 2026-04-21 09:52:07 +02:00
auth_middleware_test.go fix(v0.12.6.1): remediate 2 CRITICAL + 10 HIGH + 1 MEDIUM pentest findings 2026-03-12 05:40:53 +01:00
cache_headers.go style(backend): gofmt -w on 85 files (whitespace only) 2026-04-14 12:22:14 +02:00
cache_headers_test.go style(backend): gofmt -w on 85 files (whitespace only) 2026-04-14 12:22:14 +02:00
captcha.go feat(v0.13.0): conformité features partielles — CAPTCHA, password history, login history, SMS 2FA 2026-03-12 09:31:50 +01:00
captcha_test.go style(backend): gofmt -w on 85 files (whitespace only) 2026-04-14 12:22:14 +02:00
ccpa.go feat(compliance): CCPA Do Not Sell middleware and opt-out endpoint 2026-02-25 19:49:25 +01:00
ccpa_test.go test(v0.803): unit tests for CCPA, reports, announcements, feature flags 2026-02-25 20:02:24 +01:00
context_propagation.go incus deployement fully implemented, Makefile updated and make fmt ran 2026-01-13 19:47:57 +01:00
cors.go refactor(backend): replace 40 fmt.Printf calls with zap structured logging 2026-02-22 17:44:38 +01:00
cors_test.go chore(v0.102): consolidate remaining changes — docs, frontend, backend 2026-02-20 13:02:12 +01:00
csrf.go v0.9.8 2026-03-06 19:13:16 +01:00
csrf_integration_test.go incus deployement fully implemented, Makefile updated and make fmt ran 2026-01-13 19:47:57 +01:00
endpoint_limiter.go feat: backend, stream server & infra improvements 2026-03-18 11:36:06 +01:00
error_handler.go incus deployement fully implemented, Makefile updated and make fmt ran 2026-01-13 19:47:57 +01:00
error_handler_metrics_test.go refonte: backend-api go first; phase 1 2025-12-12 21:34:34 -05:00
error_handler_structured_test.go refonte: backend-api go first; phase 1 2025-12-12 21:34:34 -05:00
error_handler_test.go refonte: backend-api go first; phase 1 2025-12-12 21:34:34 -05:00
general.go [INT-020] int: Add API endpoint deprecation strategy 2025-12-25 15:51:14 +01:00
maintenance.go fix(middleware): persist maintenance flag via platform_settings table 2026-04-16 14:57:06 +02:00
maintenance_test.go fix(middleware): persist maintenance flag via platform_settings table 2026-04-16 14:57:06 +02:00
metrics.go fix(backend-tests): enable room_handler_test and resolve metric collisions 2025-12-06 12:53:15 +01:00
metrics_protection.go fix(v0.12.6.1): remediate remaining 15 MEDIUM + LOW pentest findings 2026-03-12 06:13:38 +01:00
metrics_protection_test.go v0.9.2 2026-03-05 19:27:34 +01:00
metrics_test.go report generation and future tasks selection 2025-12-08 19:57:54 +01:00
mfa_enforcement_test.go feat(v0.12.6.2): enforce MFA for admin/moderator + align refresh token TTL to 7 days 2026-03-12 06:53:27 +01:00
monitoring.go incus deployement fully implemented, Makefile updated and make fmt ran 2026-01-13 19:47:57 +01:00
ownership_integration_test.go incus deployement fully implemented, Makefile updated and make fmt ran 2026-01-13 19:47:57 +01:00
playlist_permission.go stabilizing apps/web: THIRD BATCH - FIXED Playwright 2025-12-21 18:55:51 -05:00
playlist_permission_test.go stabilizing apps/web: THIRD BATCH - FIXED Playwright 2025-12-21 18:55:51 -05:00
rate_limit_login_test.go chore(v0.102): consolidate remaining changes — docs, frontend, backend 2026-02-20 13:02:12 +01:00
rate_limiter.go feat: backend, stream server & infra improvements 2026-03-18 11:36:06 +01:00
rate_limiting_integration_test.go incus deployement fully implemented, Makefile updated and make fmt ran 2026-01-13 19:47:57 +01:00
ratelimit.go feat: backend, stream server & infra improvements 2026-03-18 11:36:06 +01:00
ratelimit_redis.go v0.9.8 2026-03-06 19:13:16 +01:00
ratelimit_test.go adding initial backend API (Go) 2025-12-03 20:29:37 +01:00
rbac_auth_middleware_test.go feat(security): v0.901 Ironclad - fix 5 critical/high vulnerabilities 2026-02-26 19:34:45 +01:00
rbac_middleware.go stabilizing apps/web: THIRD BATCH - FIXED Playwright 2025-12-21 18:55:51 -05:00
rbac_middleware_test.go [T0-002] fix(rust): Corriger erreurs compilation Rust 2026-01-04 01:44:20 +01:00
recovery.go stabilizing veza-backend-api: phase 1 2025-12-16 11:23:49 -05:00
recovery_env_test.go stabilizing veza-backend-api: phase 1 2025-12-16 11:23:49 -05:00
recovery_test.go stabilizing veza-backend-api: phase 1 2025-12-16 11:23:49 -05:00
request_id.go adding initial backend API (Go) 2025-12-03 20:29:37 +01:00
request_id_test.go adding initial backend API (Go) 2025-12-03 20:29:37 +01:00
request_logger.go v0.9.8 2026-03-06 19:13:16 +01:00
request_logger_test.go adding initial backend API (Go) 2025-12-03 20:29:37 +01:00
response_cache.go fix(middleware): bypass response cache for range-aware media endpoints 2026-04-16 16:13:02 +02:00
response_cache_test.go feat(v0.12.4): Redis response cache and CDN cache headers middleware 2026-03-11 09:57:06 +01:00
security_headers.go style(backend): gofmt -w on 85 files (whitespace only) 2026-04-14 12:22:14 +02:00
security_headers_test.go [FE-PAGE-001] fe-page: Complete Dashboard page implementation 2025-12-24 12:35:38 +01:00
sentry_recover.go STABILISATION: phase 3–5 – API contract, tests & chat-server hardening 2025-12-06 17:21:59 +01:00
stream_callback_auth.go Phase 2 stabilisation: code mort, Modal→Dialog, feature flags, tests, router split, Rust legacy 2026-02-14 17:23:32 +01:00
timeout.go refonte: backend-api go first; phase 1 2025-12-12 21:34:34 -05:00
timeout_goroutine_test.go refonte: backend-api go first; phase 1 2025-12-12 21:34:34 -05:00
timeout_test.go refonte: backend-api go first; phase 1 2025-12-12 21:34:34 -05:00
tracing.go [BE-SVC-018] be-svc: Implement request tracing 2025-12-24 17:05:32 +01:00
tracing_test.go [T0-002] fix(rust): Corriger erreurs compilation Rust 2026-01-04 01:44:20 +01:00
upload_rate_limit_test.go adding initial backend API (Go) 2025-12-03 20:29:37 +01:00
user_rate_limiter.go v0.9.8 2026-03-06 19:13:16 +01:00
validation.go v0.9.4 2026-03-05 23:03:43 +01:00
validation_test.go incus deployement fully implemented, Makefile updated and make fmt ran 2026-01-13 19:47:57 +01:00
versioning.go v0.9.8 2026-03-06 19:13:16 +01:00
webhook_api_key.go incus deployement fully implemented, Makefile updated and make fmt ran 2026-01-13 19:47:57 +01:00