[feature] Add rate limit exceptions option, use ISO8601 for rate limit reset (#2151)

* start updating rate limiting, add exceptions

* tests, comments, tidying up

* add rate limiting exceptions to example config

* envparsing

* nolint

* apply kimbediff

* add examples

3 files changed, 302 insertions, 21 deletions

diff --git a/internal/middleware/middleware_test.go b/internal/middleware/contentsecuritypolicy_test.go
index fad05931b..fad05931b 100644
--- a/internal/middleware/middleware_test.go
+++ b/internal/middleware/contentsecuritypolicy_test.go
diff --git a/internal/middleware/ratelimit.go b/internal/middleware/ratelimit.go
index ae31fca56..a59a3e608 100644
--- a/internal/middleware/ratelimit.go
+++ b/internal/middleware/ratelimit.go
@@ -20,47 +20,136 @@ package middleware
 import (
 	"net"
 	"net/http"
+	"net/netip"
+	"strconv"
 	"time"
 
 	"github.com/gin-gonic/gin"
+	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
+	"github.com/superseriousbusiness/gotosocial/internal/util"
 	"github.com/ulule/limiter/v3"
-	limitergin "github.com/ulule/limiter/v3/drivers/middleware/gin"
 	"github.com/ulule/limiter/v3/drivers/store/memory"
 )
 
 const rateLimitPeriod = 5 * time.Minute
 
-// RateLimit returns a gin middleware that will automatically rate limit caller (by IP address),
-// and enrich the response header with the following headers:
+// RateLimit returns a gin middleware that will automatically rate
+// limit caller (by IP address), and enrich the response header with
+// the following headers:
 //
-//   - `x-ratelimit-limit`     - maximum number of requests allowed per time period (fixed).
-//   - `x-ratelimit-remaining` - number of remaining requests that can still be performed.
-//   - `x-ratelimit-reset`     - unix timestamp when the rate limit will reset.
+//   - `X-Ratelimit-Limit`     - max requests allowed per time period (fixed).
+//   - `X-Ratelimit-Remaining` - requests remaining for this IP before reset.
+//   - `X-Ratelimit-Reset`     - ISO8601 timestamp when the rate limit will reset.
 //
-// If `x-ratelimit-limit` is exceeded, the request is aborted and an HTTP 429 TooManyRequests
-// status is returned.
+// If `X-Ratelimit-Limit` is exceeded, the request is aborted and an
+// HTTP 429 TooManyRequests status is returned.
 //
-// If the config AdvancedRateLimitRequests value is <= 0, then a noop handler will be returned,
-// which performs no rate limiting.
-func RateLimit(limit int) gin.HandlerFunc {
+// If the config AdvancedRateLimitRequests value is <= 0, then a noop
+// handler will be returned, which performs no rate limiting.
+func RateLimit(limit int, exceptions []string) gin.HandlerFunc {
 	if limit <= 0 {
-		// use noop middleware if ratelimiting is disabled
+		// Rate limiting is disabled.
+		// Return noop middleware.
 		return func(ctx *gin.Context) {}
 	}
 
 	limiter := limiter.New(
 		memory.NewStore(),
-		limiter.Rate{Period: rateLimitPeriod, Limit: int64(limit)},
-		limiter.WithIPv6Mask(net.CIDRMask(64, 128)), // apply /64 mask to IPv6 addresses
+		limiter.Rate{
+			Period: rateLimitPeriod,
+			Limit:  int64(limit),
+		},
 	)
 
-	// use custom rate limit reached error
-	handler := func(c *gin.Context) {
-		c.AbortWithStatusJSON(http.StatusTooManyRequests, gin.H{"error": "rate limit reached"})
+	// Convert exceptions IP ranges into prefixes.
+	exceptPrefs := make([]netip.Prefix, len(exceptions))
+	for i, str := range exceptions {
+		exceptPrefs[i] = netip.MustParsePrefix(str)
 	}
 
-	return limitergin.NewMiddleware(
-		limiter,
-		limitergin.WithLimitReachedHandler(handler),
-	)
+	// It's prettymuch impossible to effectively
+	// rate limit the immense IPv6 address space
+	// unless we mask some of the bytes.
+	//
+	// This mask is pretty coarse, and puts IPv6
+	// blocking on more or less the same footing
+	// as IPv4 blocking in terms of how likely it
+	// is to prevent abuse while still allowing
+	// legit users access to the service.
+	ipv6Mask := net.CIDRMask(64, 128)
+
+	return func(c *gin.Context) {
+		// Use Gin's heuristic for determining
+		// clientIP, which accounts for reverse
+		// proxies and trusted proxies setting.
+		clientIP := netip.MustParseAddr(c.ClientIP())
+
+		// Check if this IP is exempt from rate
+		// limits and skip further checks if so.
+		for _, prefix := range exceptPrefs {
+			if prefix.Contains(clientIP) {
+				c.Next()
+				return
+			}
+		}
+
+		if clientIP.Is6() {
+			// Convert to "net" package IP for mask.
+			asIP := net.IP(clientIP.AsSlice())
+
+			// Apply coarse IPv6 mask.
+			asIP = asIP.Mask(ipv6Mask)
+
+			// Convert back to netip.Addr from net.IP.
+			clientIP, _ = netip.AddrFromSlice(asIP)
+		}
+
+		// Fetch rate limit info for this (masked) clientIP.
+		context, err := limiter.Get(c, clientIP.String())
+		if err != nil {
+			// Since we use an in-memory cache now,
+			// it's actually impossible for this to
+			// error, but handle it nicely anyway in
+			// case we switch implementation in future.
+			errWithCode := gtserror.NewErrorInternalError(err)
+
+			// Set error on gin context so it'll
+			// be picked up by logging middleware.
+			c.Error(errWithCode) //nolint:errcheck
+
+			// Bail with 500.
+			c.AbortWithStatusJSON(
+				errWithCode.Code(),
+				gin.H{"error": errWithCode.Safe()},
+			)
+			return
+		}
+
+		// Provide reset in same format used by
+		// Mastodon. There's no real standard as
+		// to what format X-RateLimit-Reset SHOULD
+		// use, but since most clients interacting
+		// with us will expect the Mastodon version,
+		// it makes sense to take this.
+		resetT := time.Unix(context.Reset, 0)
+		reset := util.FormatISO8601(resetT)
+
+		c.Header("X-RateLimit-Limit", strconv.FormatInt(context.Limit, 10))
+		c.Header("X-RateLimit-Remaining", strconv.FormatInt(context.Remaining, 10))
+		c.Header("X-RateLimit-Reset", reset)
+
+		if context.Reached {
+			// Return JSON error message for
+			// consistency with other endpoints.
+			c.AbortWithStatusJSON(
+				http.StatusTooManyRequests,
+				gin.H{"error": "rate limit reached"},
+			)
+			return
+		}
+
+		// Allow the request
+		// to continue.
+		c.Next()
+	}
 }
diff --git a/internal/middleware/ratelimit_test.go b/internal/middleware/ratelimit_test.go
new file mode 100644
index 000000000..ad9891d79
--- /dev/null
+++ b/internal/middleware/ratelimit_test.go
@@ -0,0 +1,192 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package middleware_test
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strconv"
+	"testing"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/stretchr/testify/suite"
+	"github.com/superseriousbusiness/gotosocial/internal/middleware"
+	"github.com/superseriousbusiness/gotosocial/internal/util"
+)
+
+type RateLimitTestSuite struct {
+	suite.Suite
+}
+
+func (suite *RateLimitTestSuite) TestRateLimit() {
+	// Suppress warnings about debug mode.
+	gin.SetMode(gin.ReleaseMode)
+
+	const (
+		trustedPlatform = "X-Test-IP"
+		rlLimit         = "X-RateLimit-Limit"
+		rlRemaining     = "X-RateLimit-Remaining"
+		rlReset         = "X-RateLimit-Reset"
+	)
+
+	type rlTest struct {
+		limit        int
+		exceptions   []string
+		clientIP     string
+		shouldPanic  bool
+		shouldExcept bool
+	}
+
+	for _, test := range []rlTest{
+		{
+			limit:        10,
+			exceptions:   []string{},
+			clientIP:     "192.0.2.0",
+			shouldPanic:  false,
+			shouldExcept: false,
+		},
+		{
+			limit:        10,
+			exceptions:   []string{},
+			clientIP:     "192.0.2.0",
+			shouldPanic:  false,
+			shouldExcept: false,
+		},
+		{
+			limit:        10,
+			exceptions:   []string{"192.0.2.0/24"},
+			clientIP:     "192.0.2.0",
+			shouldPanic:  false,
+			shouldExcept: true,
+		},
+		{
+			limit:        10,
+			exceptions:   []string{"192.0.2.0/32"},
+			clientIP:     "192.0.2.1",
+			shouldPanic:  false,
+			shouldExcept: false,
+		},
+		{
+			limit:        10,
+			exceptions:   []string{"Ceci n'est pas une CIDR"},
+			clientIP:     "192.0.2.0",
+			shouldPanic:  true,
+			shouldExcept: false,
+		},
+	} {
+		if test.shouldPanic {
+			// Try to trigger panic.
+			suite.Panics(func() {
+				_ = middleware.RateLimit(
+					test.limit,
+					test.exceptions,
+				)
+			})
+			continue
+		}
+
+		rlMiddleware := middleware.RateLimit(
+			test.limit,
+			test.exceptions,
+		)
+
+		// Approximate time when this limiter will reset.
+		resetAt := time.Now().Add(5 * time.Minute)
+
+		// Make requests up to +
+		// just over the limit.
+		limitedAt := test.limit + 1
+		for requestsCount := 1; requestsCount < limitedAt; requestsCount++ {
+			var (
+				recorder = httptest.NewRecorder()
+				ctx, e   = gin.CreateTestContext(recorder)
+			)
+
+			// Instruct engine to derive
+			// clientIP from test header.
+			e.TrustedPlatform = trustedPlatform
+			ctx.Request = httptest.NewRequest(http.MethodGet, "/example", nil)
+			ctx.Request.Header.Add(trustedPlatform, test.clientIP)
+
+			// Call the rate limiter.
+			rlMiddleware(ctx)
+
+			// Fetch RL headers if present.
+			var (
+				limitStr     = recorder.Header().Get(rlLimit)
+				remainingStr = recorder.Header().Get(rlRemaining)
+				resetStr     = recorder.Header().Get(rlReset)
+			)
+
+			if test.shouldExcept {
+				// Request should be allowed through,
+				// no rate-limit headers should be written.
+				suite.Equal(http.StatusOK, recorder.Code)
+				suite.Empty(limitStr)
+				suite.Empty(remainingStr)
+				suite.Empty(resetStr)
+				continue
+			}
+
+			suite.Equal(strconv.Itoa(test.limit), limitStr)
+			suite.Equal(strconv.Itoa(test.limit-requestsCount), remainingStr)
+
+			// Ensure reset is ISO8601, and resets at
+			// approximate reset time (+/- 10 seconds).
+			reset, err := util.ParseISO8601(resetStr)
+			if err != nil {
+				suite.FailNow("", "couldn't parse %s as ISO8601: %q", resetStr, err.Error())
+			}
+			suite.WithinDuration(resetAt, reset, 10*time.Second)
+
+			if requestsCount < limitedAt {
+				// Request should be allowed through.
+				suite.Equal(http.StatusOK, recorder.Code)
+				continue
+			}
+
+			// Request should be denied.
+			suite.Equal(http.StatusTooManyRequests, recorder.Code)
+
+			// Make a final request with an unrelated IP to
+			// ensure it's only the one IP being limited.
+			var (
+				unrelatedRecorder        = httptest.NewRecorder()
+				unrelatedCtx, unrelatedE = gin.CreateTestContext(unrelatedRecorder)
+			)
+
+			// Instruct engine to derive
+			// clientIP from test header.
+			unrelatedE.TrustedPlatform = trustedPlatform
+			unrelatedCtx.Request = httptest.NewRequest(http.MethodGet, "/example", nil)
+			unrelatedCtx.Request.Header.Add(trustedPlatform, "192.0.2.255")
+
+			// Call the rate limiter.
+			rlMiddleware(unrelatedCtx)
+
+			// Request should be allowed through.
+			suite.Equal(http.StatusOK, unrelatedRecorder.Code)
+
+		}
+	}
+}
+
+func TestRateLimitTestSuite(t *testing.T) {
+	suite.Run(t, new(RateLimitTestSuite))
+}