feat: auth service + security audit fixes + cleanup legacy services
Major changes:
- Add auth-svc: JWT auth, register/login/refresh, password reset
- Add auth UI: modals, pages (/login, /register, /forgot-password)
- Add usage tracking (usage_metrics table, daily limits)
- Add tiered rate limiting (free/pro/business)
- Add LLM usage limits per tier
Security fixes:
- All repos now require userID for Update/Delete operations
- JWT middleware in chat-svc, llm-svc, agent-svc, discover-svc
- ErrNotFound/ErrForbidden errors for proper access control
Cleanup:
- Remove legacy TypeScript services/ directory
- Remove computer-svc (to be reimplemented)
- Remove old deploy/docker configs
New files:
- backend/cmd/auth-svc/main.go
- backend/internal/auth/{types,repository}.go
- backend/internal/usage/{types,repository}.go
- backend/pkg/middleware/{llm_limits,ratelimit_tiered}.go
- backend/webui/src/components/auth/*
- backend/webui/src/app/(auth)/*
Made-with: Cursor
This commit is contained in:
home
106
backend/pkg/middleware/llm_limits.go
Normal file
106
backend/pkg/middleware/llm_limits.go
Normal file
@@ -0,0 +1,106 @@
|
||||
package middleware
|
||||
|
||||
import (
|
||||
"context"
|
||||
"database/sql"
|
||||
|
||||
"github.com/gofiber/fiber/v2"
|
||||
"github.com/gooseek/backend/internal/usage"
|
||||
)
|
||||
|
||||
type LLMLimitsConfig struct {
|
||||
UsageRepo *usage.Repository
|
||||
}
|
||||
|
||||
func LLMLimits(config LLMLimitsConfig) fiber.Handler {
|
||||
return func(c *fiber.Ctx) error {
|
||||
userID := GetUserID(c)
|
||||
if userID == "" {
|
||||
return c.Status(401).JSON(fiber.Map{
|
||||
"error": "Authentication required",
|
||||
})
|
||||
}
|
||||
|
||||
tier := GetUserTier(c)
|
||||
if tier == "" {
|
||||
tier = "free"
|
||||
}
|
||||
|
||||
if config.UsageRepo != nil {
|
||||
allowed, reason := config.UsageRepo.CheckLLMLimits(c.Context(), userID, tier)
|
||||
if !allowed {
|
||||
limits := usage.GetLimits(tier)
|
||||
return c.Status(429).JSON(fiber.Map{
|
||||
"error": reason,
|
||||
"tier": tier,
|
||||
"dailyLimit": limits.LLMRequestsPerDay,
|
||||
"tokenLimit": limits.LLMTokensPerDay,
|
||||
"upgradeUrl": "/settings/billing",
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
return c.Next()
|
||||
}
|
||||
}
|
||||
|
||||
type UsageTracker struct {
|
||||
repo *usage.Repository
|
||||
}
|
||||
|
||||
func NewUsageTracker(db *sql.DB) *UsageTracker {
|
||||
return &UsageTracker{
|
||||
repo: usage.NewRepository(db),
|
||||
}
|
||||
}
|
||||
|
||||
func (t *UsageTracker) RunMigrations(ctx context.Context) error {
|
||||
return t.repo.RunMigrations(ctx)
|
||||
}
|
||||
|
||||
func (t *UsageTracker) TrackAPIRequest(c *fiber.Ctx) {
|
||||
userID := GetUserID(c)
|
||||
if userID == "" {
|
||||
return
|
||||
}
|
||||
tier := GetUserTier(c)
|
||||
if tier == "" {
|
||||
tier = "free"
|
||||
}
|
||||
go t.repo.IncrementAPIRequests(context.Background(), userID, tier)
|
||||
}
|
||||
|
||||
func (t *UsageTracker) TrackLLMRequest(ctx context.Context, userID, tier string, tokens int) {
|
||||
if userID == "" {
|
||||
return
|
||||
}
|
||||
if tier == "" {
|
||||
tier = "free"
|
||||
}
|
||||
go t.repo.IncrementLLMUsage(ctx, userID, tier, tokens)
|
||||
}
|
||||
|
||||
func (t *UsageTracker) TrackSearchRequest(c *fiber.Ctx) {
|
||||
userID := GetUserID(c)
|
||||
if userID == "" {
|
||||
return
|
||||
}
|
||||
tier := GetUserTier(c)
|
||||
if tier == "" {
|
||||
tier = "free"
|
||||
}
|
||||
go t.repo.IncrementSearchRequests(context.Background(), userID, tier)
|
||||
}
|
||||
|
||||
func (t *UsageTracker) GetRepository() *usage.Repository {
|
||||
return t.repo
|
||||
}
|
||||
|
||||
func UsageTracking(tracker *UsageTracker) fiber.Handler {
|
||||
return func(c *fiber.Ctx) error {
|
||||
if tracker != nil {
|
||||
tracker.TrackAPIRequest(c)
|
||||
}
|
||||
return c.Next()
|
||||
}
|
||||
}
|
||||
158
backend/pkg/middleware/ratelimit_tiered.go
Normal file
158
backend/pkg/middleware/ratelimit_tiered.go
Normal file
@@ -0,0 +1,158 @@
|
||||
package middleware
|
||||
|
||||
import (
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/gofiber/fiber/v2"
|
||||
)
|
||||
|
||||
type TierConfig struct {
|
||||
Max int
|
||||
Window time.Duration
|
||||
}
|
||||
|
||||
type TieredRateLimitConfig struct {
|
||||
Tiers map[string]TierConfig
|
||||
DefaultTier string
|
||||
KeyFunc func(*fiber.Ctx) string
|
||||
GetTierFunc func(*fiber.Ctx) string
|
||||
}
|
||||
|
||||
type tieredRateLimiter struct {
|
||||
requests map[string][]time.Time
|
||||
mu sync.RWMutex
|
||||
tiers map[string]TierConfig
|
||||
}
|
||||
|
||||
func newTieredRateLimiter(tiers map[string]TierConfig) *tieredRateLimiter {
|
||||
rl := &tieredRateLimiter{
|
||||
requests: make(map[string][]time.Time),
|
||||
tiers: tiers,
|
||||
}
|
||||
go rl.cleanup()
|
||||
return rl
|
||||
}
|
||||
|
||||
func (rl *tieredRateLimiter) cleanup() {
|
||||
ticker := time.NewTicker(time.Minute)
|
||||
for range ticker.C {
|
||||
rl.mu.Lock()
|
||||
now := time.Now()
|
||||
for key, times := range rl.requests {
|
||||
var valid []time.Time
|
||||
for _, t := range times {
|
||||
if now.Sub(t) < 5*time.Minute {
|
||||
valid = append(valid, t)
|
||||
}
|
||||
}
|
||||
if len(valid) == 0 {
|
||||
delete(rl.requests, key)
|
||||
} else {
|
||||
rl.requests[key] = valid
|
||||
}
|
||||
}
|
||||
rl.mu.Unlock()
|
||||
}
|
||||
}
|
||||
|
||||
func (rl *tieredRateLimiter) allow(key string, tier string) (bool, int, int) {
|
||||
rl.mu.Lock()
|
||||
defer rl.mu.Unlock()
|
||||
|
||||
cfg, ok := rl.tiers[tier]
|
||||
if !ok {
|
||||
cfg = rl.tiers["free"]
|
||||
}
|
||||
|
||||
now := time.Now()
|
||||
windowStart := now.Add(-cfg.Window)
|
||||
|
||||
times := rl.requests[key]
|
||||
var valid []time.Time
|
||||
for _, t := range times {
|
||||
if t.After(windowStart) {
|
||||
valid = append(valid, t)
|
||||
}
|
||||
}
|
||||
|
||||
remaining := cfg.Max - len(valid)
|
||||
if remaining <= 0 {
|
||||
rl.requests[key] = valid
|
||||
return false, 0, cfg.Max
|
||||
}
|
||||
|
||||
rl.requests[key] = append(valid, now)
|
||||
return true, remaining - 1, cfg.Max
|
||||
}
|
||||
|
||||
func TieredRateLimit(config TieredRateLimitConfig) fiber.Handler {
|
||||
if config.Tiers == nil {
|
||||
config.Tiers = map[string]TierConfig{
|
||||
"free": {Max: 60, Window: time.Minute},
|
||||
"pro": {Max: 300, Window: time.Minute},
|
||||
"business": {Max: 1000, Window: time.Minute},
|
||||
}
|
||||
}
|
||||
if config.DefaultTier == "" {
|
||||
config.DefaultTier = "free"
|
||||
}
|
||||
if config.KeyFunc == nil {
|
||||
config.KeyFunc = func(c *fiber.Ctx) string {
|
||||
userID := GetUserID(c)
|
||||
if userID != "" {
|
||||
return "user:" + userID
|
||||
}
|
||||
return "ip:" + c.IP()
|
||||
}
|
||||
}
|
||||
if config.GetTierFunc == nil {
|
||||
config.GetTierFunc = func(c *fiber.Ctx) string {
|
||||
tier := GetUserTier(c)
|
||||
if tier == "" {
|
||||
return config.DefaultTier
|
||||
}
|
||||
return tier
|
||||
}
|
||||
}
|
||||
|
||||
limiter := newTieredRateLimiter(config.Tiers)
|
||||
|
||||
return func(c *fiber.Ctx) error {
|
||||
key := config.KeyFunc(c)
|
||||
tier := config.GetTierFunc(c)
|
||||
|
||||
allowed, remaining, limit := limiter.allow(key, tier)
|
||||
|
||||
c.Set("X-RateLimit-Limit", formatInt(limit))
|
||||
c.Set("X-RateLimit-Remaining", formatInt(remaining))
|
||||
c.Set("X-RateLimit-Tier", tier)
|
||||
|
||||
if !allowed {
|
||||
c.Set("Retry-After", "60")
|
||||
return c.Status(429).JSON(fiber.Map{
|
||||
"error": "Rate limit exceeded",
|
||||
"tier": tier,
|
||||
"limit": limit,
|
||||
"retryAfter": 60,
|
||||
})
|
||||
}
|
||||
|
||||
return c.Next()
|
||||
}
|
||||
}
|
||||
|
||||
func formatInt(n int) string {
|
||||
if n < 0 {
|
||||
n = 0
|
||||
}
|
||||
s := ""
|
||||
if n == 0 {
|
||||
return "0"
|
||||
}
|
||||
for n > 0 {
|
||||
s = string(rune('0'+n%10)) + s
|
||||
n /= 10
|
||||
}
|
||||
return s
|
||||
}
|
||||
Reference in New Issue
Block a user