fix adopt auth bypass, add rate limiting

api/server.go

@@ -3,22 +3,26 @@ package api
 import (
 	"io/fs"
 	"net/http"
+	"time"
 
 	"github.com/parkan/go-hauk/auth"
 	"github.com/parkan/go-hauk/config"
 	"github.com/parkan/go-hauk/frontend"
 	"github.com/parkan/go-hauk/linkgen"
+	"github.com/parkan/go-hauk/ratelimit"
 	"github.com/parkan/go-hauk/store"
 )
 
 const backendVersion = "1.6.2-go"
 
 type Server struct {
-	mux     *http.ServeMux
-	cfg     *config.Config
-	store   store.Store
-	auth    auth.Authenticator
-	linkgen *linkgen.Generator
+	mux         *http.ServeMux
+	cfg         *config.Config
+	store       store.Store
+	auth        auth.Authenticator
+	linkgen     *linkgen.Generator
+	rlAuth      *ratelimit.Limiter
+	rlAdopt     *ratelimit.Limiter
 }
 
 func NewServer(cfg *config.Config, s store.Store) *Server {
@@ -27,6 +31,8 @@ func NewServer(cfg *config.Config, s store.Store) *Server {
 		cfg:     cfg,
 		store:   s,
 		linkgen: linkgen.New(s, cfg.LinkStyle),
+		rlAuth:  ratelimit.New(cfg.RateLimitAuth, time.Minute, cfg.TrustProxy),
+		rlAdopt: ratelimit.New(cfg.RateLimitAdopt, time.Minute, cfg.TrustProxy),
 	}
 
 	switch cfg.AuthMethod {
@@ -41,11 +47,11 @@ func NewServer(cfg *config.Config, s store.Store) *Server {
 		srv.auth = auth.NewPasswordAuth(cfg.PasswordHash)
 	}
 
-	srv.mux.HandleFunc("POST /api/create.php", srv.handleCreate)
+	srv.mux.HandleFunc("POST /api/create.php", srv.rlAuth.WrapFunc(srv.handleCreate))
 	srv.mux.HandleFunc("POST /api/post.php", srv.handlePost)
 	srv.mux.HandleFunc("GET /api/fetch.php", srv.handleFetch)
 	srv.mux.HandleFunc("POST /api/stop.php", srv.handleStop)
-	srv.mux.HandleFunc("POST /api/adopt.php", srv.handleAdopt)
+	srv.mux.HandleFunc("POST /api/adopt.php", srv.rlAdopt.WrapFunc(srv.handleAdopt))
 	srv.mux.HandleFunc("POST /api/new-link.php", srv.handleNewLink)
 	srv.mux.HandleFunc("GET /dynamic.js.php", srv.handleDynamic)