feat: auth service + security audit fixes + cleanup legacy services
Major changes:
- Add auth-svc: JWT auth, register/login/refresh, password reset
- Add auth UI: modals, pages (/login, /register, /forgot-password)
- Add usage tracking (usage_metrics table, daily limits)
- Add tiered rate limiting (free/pro/business)
- Add LLM usage limits per tier
Security fixes:
- All repos now require userID for Update/Delete operations
- JWT middleware in chat-svc, llm-svc, agent-svc, discover-svc
- ErrNotFound/ErrForbidden errors for proper access control
Cleanup:
- Remove legacy TypeScript services/ directory
- Remove computer-svc (to be reimplemented)
- Remove old deploy/docker configs
New files:
- backend/cmd/auth-svc/main.go
- backend/internal/auth/{types,repository}.go
- backend/internal/usage/{types,repository}.go
- backend/pkg/middleware/{llm_limits,ratelimit_tiered}.go
- backend/webui/src/components/auth/*
- backend/webui/src/app/(auth)/*
Made-with: Cursor
This commit is contained in:
home
@@ -20,6 +20,7 @@ type Config struct {
|
||||
SearchSvcPort int
|
||||
LLMSvcPort int
|
||||
ScraperSvcPort int
|
||||
AdminSvcPort int
|
||||
|
||||
// Service URLs
|
||||
ChatSvcURL string
|
||||
@@ -29,6 +30,7 @@ type Config struct {
|
||||
ScraperSvcURL string
|
||||
MemorySvcURL string
|
||||
LibrarySvcURL string
|
||||
AdminSvcURL string
|
||||
|
||||
// External services
|
||||
SearXNGURL string
|
||||
@@ -44,6 +46,13 @@ type Config struct {
|
||||
FinanceHeatmapURL string
|
||||
LearningSvcURL string
|
||||
|
||||
// MinIO / S3 storage
|
||||
MinioEndpoint string
|
||||
MinioAccessKey string
|
||||
MinioSecretKey string
|
||||
MinioBucket string
|
||||
MinioUseSSL bool
|
||||
|
||||
// Auth
|
||||
JWTSecret string
|
||||
AuthSvcURL string
|
||||
@@ -88,6 +97,7 @@ func Load() (*Config, error) {
|
||||
SearchSvcPort: getEnvInt("SEARCH_SVC_PORT", 3001),
|
||||
LLMSvcPort: getEnvInt("LLM_SVC_PORT", 3020),
|
||||
ScraperSvcPort: getEnvInt("SCRAPER_SVC_PORT", 3021),
|
||||
AdminSvcPort: getEnvInt("ADMIN_SVC_PORT", 3040),
|
||||
|
||||
ChatSvcURL: getEnv("CHAT_SVC_URL", "http://localhost:3005"),
|
||||
AgentSvcURL: getEnv("MASTER_AGENTS_SVC_URL", "http://localhost:3018"),
|
||||
@@ -96,6 +106,7 @@ func Load() (*Config, error) {
|
||||
ScraperSvcURL: getEnv("SCRAPER_SVC_URL", "http://localhost:3021"),
|
||||
MemorySvcURL: getEnv("MEMORY_SVC_URL", ""),
|
||||
LibrarySvcURL: getEnv("LIBRARY_SVC_URL", "http://localhost:3009"),
|
||||
AdminSvcURL: getEnv("ADMIN_SVC_URL", "http://localhost:3040"),
|
||||
|
||||
SearXNGURL: getEnv("SEARXNG_URL", "http://searxng:8080"),
|
||||
SearXNGFallbackURL: strings.Split(getEnv("SEARXNG_FALLBACK_URL", ""), ","),
|
||||
@@ -110,6 +121,12 @@ func Load() (*Config, error) {
|
||||
FinanceHeatmapURL: getEnv("FINANCE_HEATMAP_SVC_URL", "http://localhost:3033"),
|
||||
LearningSvcURL: getEnv("LEARNING_SVC_URL", "http://localhost:3034"),
|
||||
|
||||
MinioEndpoint: getEnv("MINIO_ENDPOINT", "minio:9000"),
|
||||
MinioAccessKey: getEnv("MINIO_ACCESS_KEY", "minioadmin"),
|
||||
MinioSecretKey: getEnv("MINIO_SECRET_KEY", "minioadmin"),
|
||||
MinioBucket: getEnv("MINIO_BUCKET", "gooseek"),
|
||||
MinioUseSSL: getEnv("MINIO_USE_SSL", "false") == "true",
|
||||
|
||||
JWTSecret: getEnv("JWT_SECRET", ""),
|
||||
AuthSvcURL: getEnv("AUTH_SVC_URL", ""),
|
||||
|
||||
@@ -158,6 +175,10 @@ func getEnvInt(key string, defaultValue int) int {
|
||||
return defaultValue
|
||||
}
|
||||
|
||||
func GetEnvInt(key string, defaultValue int) int {
|
||||
return getEnvInt(key, defaultValue)
|
||||
}
|
||||
|
||||
func parseOrigins(s string) []string {
|
||||
if s == "*" {
|
||||
return []string{"*"}
|
||||
|
||||
106
backend/pkg/middleware/llm_limits.go
Normal file
106
backend/pkg/middleware/llm_limits.go
Normal file
@@ -0,0 +1,106 @@
|
||||
package middleware
|
||||
|
||||
import (
|
||||
"context"
|
||||
"database/sql"
|
||||
|
||||
"github.com/gofiber/fiber/v2"
|
||||
"github.com/gooseek/backend/internal/usage"
|
||||
)
|
||||
|
||||
type LLMLimitsConfig struct {
|
||||
UsageRepo *usage.Repository
|
||||
}
|
||||
|
||||
func LLMLimits(config LLMLimitsConfig) fiber.Handler {
|
||||
return func(c *fiber.Ctx) error {
|
||||
userID := GetUserID(c)
|
||||
if userID == "" {
|
||||
return c.Status(401).JSON(fiber.Map{
|
||||
"error": "Authentication required",
|
||||
})
|
||||
}
|
||||
|
||||
tier := GetUserTier(c)
|
||||
if tier == "" {
|
||||
tier = "free"
|
||||
}
|
||||
|
||||
if config.UsageRepo != nil {
|
||||
allowed, reason := config.UsageRepo.CheckLLMLimits(c.Context(), userID, tier)
|
||||
if !allowed {
|
||||
limits := usage.GetLimits(tier)
|
||||
return c.Status(429).JSON(fiber.Map{
|
||||
"error": reason,
|
||||
"tier": tier,
|
||||
"dailyLimit": limits.LLMRequestsPerDay,
|
||||
"tokenLimit": limits.LLMTokensPerDay,
|
||||
"upgradeUrl": "/settings/billing",
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
return c.Next()
|
||||
}
|
||||
}
|
||||
|
||||
type UsageTracker struct {
|
||||
repo *usage.Repository
|
||||
}
|
||||
|
||||
func NewUsageTracker(db *sql.DB) *UsageTracker {
|
||||
return &UsageTracker{
|
||||
repo: usage.NewRepository(db),
|
||||
}
|
||||
}
|
||||
|
||||
func (t *UsageTracker) RunMigrations(ctx context.Context) error {
|
||||
return t.repo.RunMigrations(ctx)
|
||||
}
|
||||
|
||||
func (t *UsageTracker) TrackAPIRequest(c *fiber.Ctx) {
|
||||
userID := GetUserID(c)
|
||||
if userID == "" {
|
||||
return
|
||||
}
|
||||
tier := GetUserTier(c)
|
||||
if tier == "" {
|
||||
tier = "free"
|
||||
}
|
||||
go t.repo.IncrementAPIRequests(context.Background(), userID, tier)
|
||||
}
|
||||
|
||||
func (t *UsageTracker) TrackLLMRequest(ctx context.Context, userID, tier string, tokens int) {
|
||||
if userID == "" {
|
||||
return
|
||||
}
|
||||
if tier == "" {
|
||||
tier = "free"
|
||||
}
|
||||
go t.repo.IncrementLLMUsage(ctx, userID, tier, tokens)
|
||||
}
|
||||
|
||||
func (t *UsageTracker) TrackSearchRequest(c *fiber.Ctx) {
|
||||
userID := GetUserID(c)
|
||||
if userID == "" {
|
||||
return
|
||||
}
|
||||
tier := GetUserTier(c)
|
||||
if tier == "" {
|
||||
tier = "free"
|
||||
}
|
||||
go t.repo.IncrementSearchRequests(context.Background(), userID, tier)
|
||||
}
|
||||
|
||||
func (t *UsageTracker) GetRepository() *usage.Repository {
|
||||
return t.repo
|
||||
}
|
||||
|
||||
func UsageTracking(tracker *UsageTracker) fiber.Handler {
|
||||
return func(c *fiber.Ctx) error {
|
||||
if tracker != nil {
|
||||
tracker.TrackAPIRequest(c)
|
||||
}
|
||||
return c.Next()
|
||||
}
|
||||
}
|
||||
158
backend/pkg/middleware/ratelimit_tiered.go
Normal file
158
backend/pkg/middleware/ratelimit_tiered.go
Normal file
@@ -0,0 +1,158 @@
|
||||
package middleware
|
||||
|
||||
import (
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/gofiber/fiber/v2"
|
||||
)
|
||||
|
||||
type TierConfig struct {
|
||||
Max int
|
||||
Window time.Duration
|
||||
}
|
||||
|
||||
type TieredRateLimitConfig struct {
|
||||
Tiers map[string]TierConfig
|
||||
DefaultTier string
|
||||
KeyFunc func(*fiber.Ctx) string
|
||||
GetTierFunc func(*fiber.Ctx) string
|
||||
}
|
||||
|
||||
type tieredRateLimiter struct {
|
||||
requests map[string][]time.Time
|
||||
mu sync.RWMutex
|
||||
tiers map[string]TierConfig
|
||||
}
|
||||
|
||||
func newTieredRateLimiter(tiers map[string]TierConfig) *tieredRateLimiter {
|
||||
rl := &tieredRateLimiter{
|
||||
requests: make(map[string][]time.Time),
|
||||
tiers: tiers,
|
||||
}
|
||||
go rl.cleanup()
|
||||
return rl
|
||||
}
|
||||
|
||||
func (rl *tieredRateLimiter) cleanup() {
|
||||
ticker := time.NewTicker(time.Minute)
|
||||
for range ticker.C {
|
||||
rl.mu.Lock()
|
||||
now := time.Now()
|
||||
for key, times := range rl.requests {
|
||||
var valid []time.Time
|
||||
for _, t := range times {
|
||||
if now.Sub(t) < 5*time.Minute {
|
||||
valid = append(valid, t)
|
||||
}
|
||||
}
|
||||
if len(valid) == 0 {
|
||||
delete(rl.requests, key)
|
||||
} else {
|
||||
rl.requests[key] = valid
|
||||
}
|
||||
}
|
||||
rl.mu.Unlock()
|
||||
}
|
||||
}
|
||||
|
||||
func (rl *tieredRateLimiter) allow(key string, tier string) (bool, int, int) {
|
||||
rl.mu.Lock()
|
||||
defer rl.mu.Unlock()
|
||||
|
||||
cfg, ok := rl.tiers[tier]
|
||||
if !ok {
|
||||
cfg = rl.tiers["free"]
|
||||
}
|
||||
|
||||
now := time.Now()
|
||||
windowStart := now.Add(-cfg.Window)
|
||||
|
||||
times := rl.requests[key]
|
||||
var valid []time.Time
|
||||
for _, t := range times {
|
||||
if t.After(windowStart) {
|
||||
valid = append(valid, t)
|
||||
}
|
||||
}
|
||||
|
||||
remaining := cfg.Max - len(valid)
|
||||
if remaining <= 0 {
|
||||
rl.requests[key] = valid
|
||||
return false, 0, cfg.Max
|
||||
}
|
||||
|
||||
rl.requests[key] = append(valid, now)
|
||||
return true, remaining - 1, cfg.Max
|
||||
}
|
||||
|
||||
func TieredRateLimit(config TieredRateLimitConfig) fiber.Handler {
|
||||
if config.Tiers == nil {
|
||||
config.Tiers = map[string]TierConfig{
|
||||
"free": {Max: 60, Window: time.Minute},
|
||||
"pro": {Max: 300, Window: time.Minute},
|
||||
"business": {Max: 1000, Window: time.Minute},
|
||||
}
|
||||
}
|
||||
if config.DefaultTier == "" {
|
||||
config.DefaultTier = "free"
|
||||
}
|
||||
if config.KeyFunc == nil {
|
||||
config.KeyFunc = func(c *fiber.Ctx) string {
|
||||
userID := GetUserID(c)
|
||||
if userID != "" {
|
||||
return "user:" + userID
|
||||
}
|
||||
return "ip:" + c.IP()
|
||||
}
|
||||
}
|
||||
if config.GetTierFunc == nil {
|
||||
config.GetTierFunc = func(c *fiber.Ctx) string {
|
||||
tier := GetUserTier(c)
|
||||
if tier == "" {
|
||||
return config.DefaultTier
|
||||
}
|
||||
return tier
|
||||
}
|
||||
}
|
||||
|
||||
limiter := newTieredRateLimiter(config.Tiers)
|
||||
|
||||
return func(c *fiber.Ctx) error {
|
||||
key := config.KeyFunc(c)
|
||||
tier := config.GetTierFunc(c)
|
||||
|
||||
allowed, remaining, limit := limiter.allow(key, tier)
|
||||
|
||||
c.Set("X-RateLimit-Limit", formatInt(limit))
|
||||
c.Set("X-RateLimit-Remaining", formatInt(remaining))
|
||||
c.Set("X-RateLimit-Tier", tier)
|
||||
|
||||
if !allowed {
|
||||
c.Set("Retry-After", "60")
|
||||
return c.Status(429).JSON(fiber.Map{
|
||||
"error": "Rate limit exceeded",
|
||||
"tier": tier,
|
||||
"limit": limit,
|
||||
"retryAfter": 60,
|
||||
})
|
||||
}
|
||||
|
||||
return c.Next()
|
||||
}
|
||||
}
|
||||
|
||||
func formatInt(n int) string {
|
||||
if n < 0 {
|
||||
n = 0
|
||||
}
|
||||
s := ""
|
||||
if n == 0 {
|
||||
return "0"
|
||||
}
|
||||
for n > 0 {
|
||||
s = string(rune('0'+n%10)) + s
|
||||
n /= 10
|
||||
}
|
||||
return s
|
||||
}
|
||||
228
backend/pkg/storage/minio.go
Normal file
228
backend/pkg/storage/minio.go
Normal file
@@ -0,0 +1,228 @@
|
||||
package storage
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"io"
|
||||
"net/url"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/google/uuid"
|
||||
"github.com/minio/minio-go/v7"
|
||||
"github.com/minio/minio-go/v7/pkg/credentials"
|
||||
)
|
||||
|
||||
type MinioConfig struct {
|
||||
Endpoint string
|
||||
AccessKey string
|
||||
SecretKey string
|
||||
Bucket string
|
||||
UseSSL bool
|
||||
}
|
||||
|
||||
type MinioStorage struct {
|
||||
client *minio.Client
|
||||
bucket string
|
||||
}
|
||||
|
||||
type UploadResult struct {
|
||||
Key string `json:"key"`
|
||||
Bucket string `json:"bucket"`
|
||||
Size int64 `json:"size"`
|
||||
ETag string `json:"etag"`
|
||||
PublicURL string `json:"publicUrl,omitempty"`
|
||||
}
|
||||
|
||||
func NewMinioStorage(cfg MinioConfig) (*MinioStorage, error) {
|
||||
client, err := minio.New(cfg.Endpoint, &minio.Options{
|
||||
Creds: credentials.NewStaticV4(cfg.AccessKey, cfg.SecretKey, ""),
|
||||
Secure: cfg.UseSSL,
|
||||
})
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to create minio client: %w", err)
|
||||
}
|
||||
|
||||
ctx := context.Background()
|
||||
exists, err := client.BucketExists(ctx, cfg.Bucket)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to check bucket: %w", err)
|
||||
}
|
||||
|
||||
if !exists {
|
||||
if err := client.MakeBucket(ctx, cfg.Bucket, minio.MakeBucketOptions{}); err != nil {
|
||||
return nil, fmt.Errorf("failed to create bucket: %w", err)
|
||||
}
|
||||
}
|
||||
|
||||
return &MinioStorage{
|
||||
client: client,
|
||||
bucket: cfg.Bucket,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (s *MinioStorage) Upload(ctx context.Context, reader io.Reader, size int64, filename, contentType string) (*UploadResult, error) {
|
||||
ext := filepath.Ext(filename)
|
||||
key := generateStorageKey(ext)
|
||||
|
||||
opts := minio.PutObjectOptions{
|
||||
ContentType: contentType,
|
||||
}
|
||||
|
||||
info, err := s.client.PutObject(ctx, s.bucket, key, reader, size, opts)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to upload file: %w", err)
|
||||
}
|
||||
|
||||
return &UploadResult{
|
||||
Key: key,
|
||||
Bucket: s.bucket,
|
||||
Size: info.Size,
|
||||
ETag: info.ETag,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (s *MinioStorage) UploadUserFile(ctx context.Context, userID string, reader io.Reader, size int64, filename, contentType string) (*UploadResult, error) {
|
||||
ext := filepath.Ext(filename)
|
||||
key := fmt.Sprintf("users/%s/%s%s", userID, uuid.New().String(), ext)
|
||||
|
||||
opts := minio.PutObjectOptions{
|
||||
ContentType: contentType,
|
||||
UserMetadata: map[string]string{
|
||||
"original-name": filename,
|
||||
"user-id": userID,
|
||||
},
|
||||
}
|
||||
|
||||
info, err := s.client.PutObject(ctx, s.bucket, key, reader, size, opts)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to upload file: %w", err)
|
||||
}
|
||||
|
||||
return &UploadResult{
|
||||
Key: key,
|
||||
Bucket: s.bucket,
|
||||
Size: info.Size,
|
||||
ETag: info.ETag,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (s *MinioStorage) Download(ctx context.Context, key string) (io.ReadCloser, *minio.ObjectInfo, error) {
|
||||
obj, err := s.client.GetObject(ctx, s.bucket, key, minio.GetObjectOptions{})
|
||||
if err != nil {
|
||||
return nil, nil, fmt.Errorf("failed to get object: %w", err)
|
||||
}
|
||||
|
||||
info, err := obj.Stat()
|
||||
if err != nil {
|
||||
obj.Close()
|
||||
return nil, nil, fmt.Errorf("failed to stat object: %w", err)
|
||||
}
|
||||
|
||||
return obj, &info, nil
|
||||
}
|
||||
|
||||
func (s *MinioStorage) Delete(ctx context.Context, key string) error {
|
||||
return s.client.RemoveObject(ctx, s.bucket, key, minio.RemoveObjectOptions{})
|
||||
}
|
||||
|
||||
func (s *MinioStorage) DeleteUserFiles(ctx context.Context, userID string) error {
|
||||
prefix := fmt.Sprintf("users/%s/", userID)
|
||||
|
||||
objectsCh := s.client.ListObjects(ctx, s.bucket, minio.ListObjectsOptions{
|
||||
Prefix: prefix,
|
||||
Recursive: true,
|
||||
})
|
||||
|
||||
for obj := range objectsCh {
|
||||
if obj.Err != nil {
|
||||
return obj.Err
|
||||
}
|
||||
if err := s.client.RemoveObject(ctx, s.bucket, obj.Key, minio.RemoveObjectOptions{}); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (s *MinioStorage) GetPresignedURL(ctx context.Context, key string, expiry time.Duration) (string, error) {
|
||||
presignedURL, err := s.client.PresignedGetObject(ctx, s.bucket, key, expiry, url.Values{})
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("failed to generate presigned URL: %w", err)
|
||||
}
|
||||
return presignedURL.String(), nil
|
||||
}
|
||||
|
||||
func (s *MinioStorage) GetPresignedUploadURL(ctx context.Context, key string, expiry time.Duration) (string, error) {
|
||||
presignedURL, err := s.client.PresignedPutObject(ctx, s.bucket, key, expiry)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("failed to generate presigned upload URL: %w", err)
|
||||
}
|
||||
return presignedURL.String(), nil
|
||||
}
|
||||
|
||||
func (s *MinioStorage) ListUserFiles(ctx context.Context, userID string) ([]minio.ObjectInfo, error) {
|
||||
prefix := fmt.Sprintf("users/%s/", userID)
|
||||
|
||||
var files []minio.ObjectInfo
|
||||
objectsCh := s.client.ListObjects(ctx, s.bucket, minio.ListObjectsOptions{
|
||||
Prefix: prefix,
|
||||
Recursive: true,
|
||||
})
|
||||
|
||||
for obj := range objectsCh {
|
||||
if obj.Err != nil {
|
||||
return nil, obj.Err
|
||||
}
|
||||
files = append(files, obj)
|
||||
}
|
||||
|
||||
return files, nil
|
||||
}
|
||||
|
||||
func (s *MinioStorage) GetUserStorageUsage(ctx context.Context, userID string) (int64, error) {
|
||||
files, err := s.ListUserFiles(ctx, userID)
|
||||
if err != nil {
|
||||
return 0, err
|
||||
}
|
||||
|
||||
var total int64
|
||||
for _, f := range files {
|
||||
total += f.Size
|
||||
}
|
||||
|
||||
return total, nil
|
||||
}
|
||||
|
||||
func (s *MinioStorage) CopyObject(ctx context.Context, srcKey, dstKey string) error {
|
||||
_, err := s.client.CopyObject(ctx,
|
||||
minio.CopyDestOptions{Bucket: s.bucket, Object: dstKey},
|
||||
minio.CopySrcOptions{Bucket: s.bucket, Object: srcKey},
|
||||
)
|
||||
return err
|
||||
}
|
||||
|
||||
func (s *MinioStorage) ObjectExists(ctx context.Context, key string) (bool, error) {
|
||||
_, err := s.client.StatObject(ctx, s.bucket, key, minio.StatObjectOptions{})
|
||||
if err != nil {
|
||||
errResp := minio.ToErrorResponse(err)
|
||||
if errResp.Code == "NoSuchKey" {
|
||||
return false, nil
|
||||
}
|
||||
return false, err
|
||||
}
|
||||
return true, nil
|
||||
}
|
||||
|
||||
func generateStorageKey(ext string) string {
|
||||
now := time.Now()
|
||||
return fmt.Sprintf("%d/%02d/%02d/%s%s",
|
||||
now.Year(),
|
||||
now.Month(),
|
||||
now.Day(),
|
||||
uuid.New().String(),
|
||||
strings.ToLower(ext),
|
||||
)
|
||||
}
|
||||
Reference in New Issue
Block a user