authorLibravatar tobi <31960611+tsmethurst@users.noreply.github.com>2022-11-06 10:47:48 +0100
committerLibravatar GitHub <noreply@github.com>2022-11-06 09:47:48 +0000
commit4d66fb9603ada9b04f642576bbc541189876a3f3 (patch)
tree7f9b4f3a5ab95b20eb1ad4ceaf2e6779c1e02630 /internal
parent[bugfix] Check `media-description-min-chars` on submission of new status (#960) (diff)
downloadgotosocial-4d66fb9603ada9b04f642576bbc541189876a3f3.tar.xz
[feature] Make rate limit requests amount configurable (#966)
* update rate limit documentation * regenerate landingpage config helpers * make rate limit rate configurable
Diffstat (limited to 'internal')
-rw-r--r--internal/api/security/security.go14
-rw-r--r--internal/config/config.go3
-rw-r--r--internal/config/defaults.go3
-rw-r--r--internal/config/flags.go1
-rw-r--r--internal/config/helpers.gen.go50
5 files changed, 51 insertions, 20 deletions
diff --git a/internal/api/security/security.go b/internal/api/security/security.go
index f06862dd9..1dce111d3 100644
--- a/internal/api/security/security.go
+++ b/internal/api/security/security.go
@@ -23,6 +23,7 @@ import (
"time"
"github.com/superseriousbusiness/gotosocial/internal/api"
+ "github.com/superseriousbusiness/gotosocial/internal/config"
"github.com/superseriousbusiness/gotosocial/internal/db"
"github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/router"
@@ -46,11 +47,14 @@ func New(db db.DB, server oauth.Server) api.ClientModule {
// Route attaches security middleware to the given router
func (m *Module) Route(s router.Router) error {
- s.AttachMiddleware(m.RateLimit(RateLimitOptions{
- // accept a maximum of 1000 requests in 5 minutes window
- Period: 5 * time.Minute,
- Limit: 1000,
- }))
+ // only enable rate limit middleware if configured
+ // advanced-rate-limit-requests is greater than 0
+ if rateLimitRequests := config.GetAdvancedRateLimitRequests(); rateLimitRequests > 0 {
+ s.AttachMiddleware(m.RateLimit(RateLimitOptions{
+ Period: 5 * time.Minute,
+ Limit: int64(rateLimitRequests),
+ }))
+ }
s.AttachMiddleware(m.SignatureCheck)
s.AttachMiddleware(m.FlocBlock)
s.AttachMiddleware(m.ExtraHeaders)
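Review bot: When `advanced-rate-limit-requests` is 0 or negative, the new `if` in Route skips `s.AttachMiddleware(m.RateLimit(...))` and nothing records that the instance is now serving without request throttling. A mistyped or negative value therefore removes an abuse and brute-force control with no signal to the operator. I would add an `else` branch that logs a warning through whatever logger this package uses (not visible in the hunk), with a comment such as `// rate limiting disabled by config; requests are not throttled by this middleware`. The value is also read once here, so a later `SetAdvancedRateLimitRequests` call presumably does not change the limit that is already attached, which is worth stating in the option's usage text. Route's body continues past the end of this hunk.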
diff --git a/internal/config/config.go b/internal/config/config.go
index 98114dea3..313e6ab05 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -129,7 +129,8 @@ type Configuration struct {
AdminAccountPassword string `name:"password" usage:"the password to set for this account"`
AdminTransPath string `name:"path" usage:"the path of the file to import from/export to"`
- AdvancedCookiesSamesite string `name:"advanced-cookies-samesite" usage:"'strict' or 'lax', see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite"`
+ AdvancedCookiesSamesite string `name:"advanced-cookies-samesite" usage:"'strict' or 'lax', see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite"`
+ AdvancedRateLimitRequests int `name:"advanced-rate-limit-requests" usage:"Amount of HTTP requests to permit within a 5 minute window. 0 or less turns rate limiting off."`
}
// MarshalMap will marshal current Configuration into a map structure (useful for JSON).
diff --git a/internal/config/defaults.go b/internal/config/defaults.go
index 37ca5e31d..058b3efb1 100644
--- a/internal/config/defaults.go
+++ b/internal/config/defaults.go
@@ -97,5 +97,6 @@ var Defaults = Configuration{
SyslogProtocol: "udp",
SyslogAddress: "localhost:514",
- AdvancedCookiesSamesite: "lax",
+ AdvancedCookiesSamesite: "lax",
+ AdvancedRateLimitRequests: 1000, // per 5 minutes
}
diff --git a/internal/config/flags.go b/internal/config/flags.go
index 38d4cd51a..bb3f67732 100644
--- a/internal/config/flags.go
+++ b/internal/config/flags.go
@@ -121,6 +121,7 @@ func AddServerFlags(cmd *cobra.Command) {
// Advanced flags
cmd.Flags().String(AdvancedCookiesSamesiteFlag(), cfg.AdvancedCookiesSamesite, fieldtag("AdvancedCookiesSamesite", "usage"))
+ cmd.Flags().Int(AdvancedRateLimitRequestsFlag(), cfg.AdvancedRateLimitRequests, fieldtag("AdvancedRateLimitRequests", "usage"))
})
}
diff --git a/internal/config/helpers.gen.go b/internal/config/helpers.gen.go
index f42593a54..45a56e796 100644
--- a/internal/config/helpers.gen.go
+++ b/internal/config/helpers.gen.go
@@ -95,6 +95,31 @@ func GetApplicationName() string { return global.GetApplicationName() }
// SetApplicationName safely sets the value for global configuration 'ApplicationName' field
func SetApplicationName(v string) { global.SetApplicationName(v) }
+// GetLandingPageUser safely fetches the Configuration value for state's 'LandingPageUser' field
+func (st *ConfigState) GetLandingPageUser() (v string) {
+ st.mutex.Lock()
+ v = st.config.LandingPageUser
+ st.mutex.Unlock()
+ return
+}
+
+// SetLandingPageUser safely sets the Configuration value for state's 'LandingPageUser' field
+func (st *ConfigState) SetLandingPageUser(v string) {
+ st.mutex.Lock()
+ defer st.mutex.Unlock()
+ st.config.LandingPageUser = v
+ st.reloadToViper()
+}
+
+// LandingPageUserFlag returns the flag name for the 'LandingPageUser' field
+func LandingPageUserFlag() string { return "landing-page-user" }
+
+// GetLandingPageUser safely fetches the value for global configuration 'LandingPageUser' field
+func GetLandingPageUser() string { return global.GetLandingPageUser() }
+
+// SetLandingPageUser safely sets the value for global configuration 'LandingPageUser' field
+func SetLandingPageUser(v string) { global.SetLandingPageUser(v) }
+
// GetConfigPath safely fetches the Configuration value for state's 'ConfigPath' field
func (st *ConfigState) GetConfigPath() (v string) {
st.mutex.Lock()
@@ -1795,28 +1820,27 @@ func GetAdvancedCookiesSamesite() string { return global.GetAdvancedCookiesSames
// SetAdvancedCookiesSamesite safely sets the value for global configuration 'AdvancedCookiesSamesite' field
func SetAdvancedCookiesSamesite(v string) { global.SetAdvancedCookiesSamesite(v) }
-// GetLandingPageUser safely fetches the Configuration value for state's 'LandingPageUser' field
-func (st *ConfigState) GetLandingPageUser() (v string) {
+// GetAdvancedRateLimitRequests safely fetches the Configuration value for state's 'AdvancedRateLimitRequests' field
+func (st *ConfigState) GetAdvancedRateLimitRequests() (v int) {
st.mutex.Lock()
- v = st.config.LandingPageUser
+ v = st.config.AdvancedRateLimitRequests
st.mutex.Unlock()
return
}
-// SetLandingPageUser safely sets the Configuration value for state's 'LandingPageUser' field
-func (st *ConfigState) SetLandingPageUser(v string) {
+// SetAdvancedRateLimitRequests safely sets the Configuration value for state's 'AdvancedRateLimitRequests' field
+func (st *ConfigState) SetAdvancedRateLimitRequests(v int) {
st.mutex.Lock()
defer st.mutex.Unlock()
- st.config.LandingPageUser = v
+ st.config.AdvancedRateLimitRequests = v
st.reloadToViper()
}
-// LandingPageUserFlag returns the flag name for the 'LandingPageUser' field
-func LandingPageUserFlag() string { return "landing-page-user" }
+// AdvancedRateLimitRequestsFlag returns the flag name for the 'AdvancedRateLimitRequests' field
+func AdvancedRateLimitRequestsFlag() string { return "advanced-rate-limit-requests" }
-// GetLandingPageUser safely fetches the value for global configuration 'LandingPageUser' field
-func GetLandingPageUser() string { return global.GetLandingPageUser() }
-
-// SetLandingPageUser safely sets the value for global configuration 'LandingPageUser' field
-func SetLandingPageUser(v string) { global.SetLandingPageUser(v) }
+// GetAdvancedRateLimitRequests safely fetches the value for global configuration 'AdvancedRateLimitRequests' field
+func GetAdvancedRateLimitRequests() int { return global.GetAdvancedRateLimitRequests() }
+// SetAdvancedRateLimitRequests safely sets the value for global configuration 'AdvancedRateLimitRequests' field
+func SetAdvancedRateLimitRequests(v int) { global.SetAdvancedRateLimitRequests(v) }