feat: add rate limiting to public API endpoints

2026-01-06 19:20:47 +03:00
parent 2dcb1e7735
commit 0e5d98cff7
3 changed files with 24 additions and 2 deletions
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -16,6 +16,7 @@ import (

 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
+	"github.com/go-chi/httprate"
 )

 func main() {
@@ -99,8 +100,16 @@ func main() {

 	// --- Публичные роуты ---
 	r.Route("/api", func(r chi.Router) {
-		r.Post("/register", userHandler.Register)
-		r.Post("/login", authHandler.Login)
+		// Rate limiting: 100 requests per minute for general API
+		r.Use(httprate.LimitByIP(100, time.Minute))
+
+		// Auth endpoints: stricter limit (10 requests per minute)
+		r.Group(func(r chi.Router) {
+			r.Use(httprate.LimitByIP(10, time.Minute))
+			r.Post("/register", userHandler.Register)
+			r.Post("/login", authHandler.Login)
+		})
+
 		r.Get("/servers", serverHandler.GetServers)

 		r.Route("/launcher", func(r chi.Router) {
@@ -109,9 +118,13 @@ func main() {
 		})
 	})
 	r.Route("/authserver", func(r chi.Router) {
+		// Stricter rate limit for auth server (10 req/min)
+		r.Use(httprate.LimitByIP(10, time.Minute))
 		r.Post("/authenticate", authHandler.Authenticate)
 	})
 	r.Route("/sessionserver/session/minecraft", func(r chi.Router) {
+		// Rate limit for session endpoints (60 req/min)
+		r.Use(httprate.LimitByIP(60, time.Minute))
 		r.Post("/join", authHandler.Join)
 		r.Get("/profile/{uuid}", profileHandler.GetProfile)
 	})