Package ratelimit provides a simple token-bucket rate limiting middleware that allows only n POST requests per client every minute. It is meant to be used on login handlers or other sensitive transactions that should be throttled to prevent abuse.
Tracked clients are stored in a mutex-guarded map, and a goroutine running at a configurable interval removes stale entries so the map does not grow without bound.
Note that only POST requests are enforced; GET requests are never throttled. This is a deliberately opinionated design aimed at the most common use-cases. For more advanced use-cases, consider the `github.com/didip/tollbooth` package.
The enforcement mechanism is based on the blog post here: https://www.alexedwards.net/blog/how-to-rate-limit-http-requests
DefaultCleanupInterval determines how frequently the cleanup routine executes.
DefaultExpiry is the amount of time to track a bucket for a particular visitor.
const DefaultRequestsPerMinute = 5
DefaultRequestsPerMinute is the number of requests to allow per minute. Any request beyond this limit within the minute is answered with an HTTP 429 (Too Many Requests) error.
PostLimiter is a simple rate limiting middleware which only allows n POST requests per minute.
NewPostLimiter returns a new PostLimiter, configured by any PostLimiterOption values passed to it.
Cleanup removes any buckets whose last request was longer ago than the configured expiry.
Limit enforces the configured rate limit for POST requests.
TODO: Change the return value to an http.Handler when we clean up the way Gophish routing is done.
PostLimiterOption is a functional option that allows callers to configure the rate limiter.
WithCleanupInterval sets the interval between sweeps of stale entries in the rate limit client list.
WithExpiry sets the amount of time to store client entries before they are considered stale.
WithRequestsPerMinute sets the number of requests to allow per minute.
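The following is an added example, not the package's own source, showing how the pieces described in the overview and in the API docs above fit together: a per-client token bucket, POST-only enforcement that answers 429 once the bucket is empty, and expiry-based cleanup of the client map. It uses only the standard library and makes these assumptions: the bucket is hand-written rather than taken from golang.org/x/time/rate, buckets are keyed on the peer IP, the functional options are collapsed into constructor arguments, an injectable clock field `now` and a `Scenario` driver are added so the refill behaviour can be checked deterministically, the constants are illustrative values, and the client addresses are constructed sample data.

```go
package main

import (
	"fmt"
	"math"
	"net"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// visitor is one client's token bucket plus when it was last seen (checked by Cleanup).
type visitor struct {
	tokens   float64
	lastSeen time.Time
}

// PostLimiter keeps one bucket per client IP; a bucket holds at most perMinute
// tokens and refills at perMinute tokens per minute.
type PostLimiter struct {
	mu        sync.Mutex
	clients   map[string]*visitor
	perMinute int
	expiry    time.Duration
	now       func() time.Time // injectable clock so refill is deterministic in tests
}

// NewPostLimiter allows perMinute POSTs per client and forgets clients idle longer than expiry.
func NewPostLimiter(perMinute int, expiry time.Duration) *PostLimiter {
	return &PostLimiter{clients: map[string]*visitor{}, perMinute: perMinute, expiry: expiry, now: time.Now}
}

// allow refills key's bucket for the time since it was last seen, capped at the
// burst size, then spends one token if a whole one is available.
func (l *PostLimiter) allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now, burst := l.now(), float64(l.perMinute)
	if _, ok := l.clients[key]; !ok {
		l.clients[key] = &visitor{tokens: burst, lastSeen: now}
	}
	v := l.clients[key]
	v.tokens, v.lastSeen = math.Min(burst, v.tokens+now.Sub(v.lastSeen).Seconds()*burst/60), now
	if v.tokens < 1 {
		return false
	}
	v.tokens--
	return true
}

// Cleanup drops clients idle longer than expiry; the package runs it from a goroutine every cleanup interval.
func (l *PostLimiter) Cleanup() {
	l.mu.Lock()
	defer l.mu.Unlock()
	for key, v := range l.clients {
		if l.now().Sub(v.lastSeen) > l.expiry {
			delete(l.clients, key)
		}
	}
}

// Limit passes non-POST requests through and answers 429 once a client's bucket is empty. It keys on the
// peer IP alone (host:port would hand every new connection a fresh bucket), never on a client-controlled
// header such as X-Forwarded-For, and fails closed on an unparsable RemoteAddr (which net/http never sets).
func (l *PostLimiter) Limit(next http.Handler) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if r.Method == http.MethodPost && (err != nil || !l.allow(host)) {
			http.Error(w, http.StatusText(http.StatusTooManyRequests), http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	}
}

// Scenario runs a 3-per-minute limiter on a fixed clock and returns the status codes
// for one client's four back-to-back POSTs, its POST 20 s later (one token refilled),
// its GET and a second client's POST, plus the clients left after Cleanup 11 min later.
func Scenario() ([]int, int) {
	clock := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	l := NewPostLimiter(3, 10*time.Minute)
	l.now = func() time.Time { return clock }
	h := l.Limit(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))
	send := func(method, addr string) int {
		req := httptest.NewRequest(method, "/login", nil)
		req.RemoteAddr = addr
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		return rec.Code
	}
	const alice, bob = "203.0.113.7:51000", "198.51.100.9:51001" // constructed sample clients
	codes := []int{send("POST", alice), send("POST", alice), send("POST", alice), send("POST", alice)}
	clock = clock.Add(20 * time.Second)
	codes = append(codes, send("POST", alice), send("GET", alice), send("POST", bob))
	clock = clock.Add(11 * time.Minute)
	l.Cleanup()
	return codes, len(l.clients)
}

func main() { fmt.Println(Scenario()) } // [200 200 200 429 200 200 200] 0
```

Two details are worth calling out. Refill is computed from the elapsed wall time on each request rather than by a ticker, so an idle client's bucket is full again after a minute without any background work, and a client that keeps hammering the endpoint is held to the steady-state rate rather than getting a fresh burst each minute. The key is the IP from `RemoteAddr`, which is the TCP peer; behind a reverse proxy that is the proxy's address, so the deployment must arrange for the middleware to see the real client address (for example by having the proxy set a header that only the proxy can set) rather than trusting an arbitrary `X-Forwarded-For` value.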