backend-service/internal/middleware/rate_limit.go

package middleware

import (
	"net/http"
	"time"

	"github.com/didip/tollbooth/v7"
	"github.com/didip/tollbooth/v7/limiter"
	"github.com/gin-gonic/gin"
)

// RateLimitMiddleware creates a rate limiting middleware for API protection
func RateLimitMiddleware() gin.HandlerFunc {
	// Create a rate limiter: 100 requests per minute per IP
	lmt := tollbooth.NewLimiter(100, &limiter.ExpirableOptions{
		DefaultExpirationTTL: time.Hour,
	})

	// Configure the limiter
	lmt.SetIPLookups([]string{"RemoteAddr", "X-Forwarded-For", "X-Real-IP"})
	lmt.SetMethods([]string{"GET", "POST", "PUT", "DELETE", "PATCH"})

	// Configure message for rate limit exceeded
	lmt.SetMessage("Rate limit exceeded. Please try again later.")

	return func(c *gin.Context) {
		// Add rate limit headers
		c.Header("X-Rate-Limit-Limit", "100")
		c.Header("X-Rate-Limit-Window", "60s")

		// Check rate limit
		httpError := tollbooth.LimitByRequest(lmt, c.Writer, c.Request)
		if httpError != nil {
			c.Header("Retry-After", "60")
			c.JSON(http.StatusTooManyRequests, gin.H{
				"error":       "Rate limit exceeded",
				"message":     "Too many requests. Please try again later.",
				"retry_after": "60s",
			})
			c.Abort()
			return
		}

		c.Next()
	}
}

// StrictRateLimitMiddleware creates a stricter rate limiting middleware for sensitive endpoints
func StrictRateLimitMiddleware() gin.HandlerFunc {
	// Create a stricter rate limiter: 10 requests per minute per IP
	lmt := tollbooth.NewLimiter(10, &limiter.ExpirableOptions{
		DefaultExpirationTTL: time.Hour,
	})

	// Configure the limiter
	lmt.SetIPLookups([]string{"RemoteAddr", "X-Forwarded-For", "X-Real-IP"})
	lmt.SetMethods([]string{"POST", "PUT", "DELETE"})

	// Configure message for rate limit exceeded
	lmt.SetMessage("Rate limit exceeded for sensitive endpoint. Please try again later.")

	return func(c *gin.Context) {
		// Add rate limit headers
		c.Header("X-Rate-Limit-Limit", "10")
		c.Header("X-Rate-Limit-Window", "60s")

		// Check rate limit
		httpError := tollbooth.LimitByRequest(lmt, c.Writer, c.Request)
		if httpError != nil {
			c.Header("Retry-After", "60")
			c.JSON(http.StatusTooManyRequests, gin.H{
				"error":       "Rate limit exceeded",
				"message":     "Too many requests for this sensitive endpoint. Please try again later.",
				"retry_after": "60s",
			})
			c.Abort()
			return
		}

		c.Next()
	}
}
chore(dependencies): Update project dependencies and middleware packages - Upgrade Go module dependencies to latest versions - Add new middleware packages for CORS, logging, rate limiting, and security - Update go.mod and go.sum with latest package versions - Integrate new middleware components into server configuration - Improve project dependency management and middleware infrastructure 2025-11-06 09:31:51 +00:00			`package middleware`

			`import (`
			`"net/http"`
			`"time"`

			`"github.com/didip/tollbooth/v7"`
			`"github.com/didip/tollbooth/v7/limiter"`
			`"github.com/gin-gonic/gin"`
			`)`

			`// RateLimitMiddleware creates a rate limiting middleware for API protection`
			`func RateLimitMiddleware() gin.HandlerFunc {`
			`// Create a rate limiter: 100 requests per minute per IP`
			`lmt := tollbooth.NewLimiter(100, &limiter.ExpirableOptions{`
			`DefaultExpirationTTL: time.Hour,`
			`})`

			`// Configure the limiter`
			`lmt.SetIPLookups([]string{"RemoteAddr", "X-Forwarded-For", "X-Real-IP"})`
			`lmt.SetMethods([]string{"GET", "POST", "PUT", "DELETE", "PATCH"})`

			`// Configure message for rate limit exceeded`
			`lmt.SetMessage("Rate limit exceeded. Please try again later.")`

			`return func(c *gin.Context) {`
			`// Add rate limit headers`
			`c.Header("X-Rate-Limit-Limit", "100")`
			`c.Header("X-Rate-Limit-Window", "60s")`

			`// Check rate limit`
			`httpError := tollbooth.LimitByRequest(lmt, c.Writer, c.Request)`
			`if httpError != nil {`
			`c.Header("Retry-After", "60")`
			`c.JSON(http.StatusTooManyRequests, gin.H{`
			`"error": "Rate limit exceeded",`
			`"message": "Too many requests. Please try again later.",`
			`"retry_after": "60s",`
			`})`
			`c.Abort()`
			`return`
			`}`

			`c.Next()`
			`}`
			`}`

			`// StrictRateLimitMiddleware creates a stricter rate limiting middleware for sensitive endpoints`
			`func StrictRateLimitMiddleware() gin.HandlerFunc {`
			`// Create a stricter rate limiter: 10 requests per minute per IP`
			`lmt := tollbooth.NewLimiter(10, &limiter.ExpirableOptions{`
			`DefaultExpirationTTL: time.Hour,`
			`})`

			`// Configure the limiter`
			`lmt.SetIPLookups([]string{"RemoteAddr", "X-Forwarded-For", "X-Real-IP"})`
			`lmt.SetMethods([]string{"POST", "PUT", "DELETE"})`

			`// Configure message for rate limit exceeded`
			`lmt.SetMessage("Rate limit exceeded for sensitive endpoint. Please try again later.")`

			`return func(c *gin.Context) {`
			`// Add rate limit headers`
			`c.Header("X-Rate-Limit-Limit", "10")`
			`c.Header("X-Rate-Limit-Window", "60s")`

			`// Check rate limit`
			`httpError := tollbooth.LimitByRequest(lmt, c.Writer, c.Request)`
			`if httpError != nil {`
			`c.Header("Retry-After", "60")`
			`c.JSON(http.StatusTooManyRequests, gin.H{`
			`"error": "Rate limit exceeded",`
			`"message": "Too many requests for this sensitive endpoint. Please try again later.",`
			`"retry_after": "60s",`
			`})`
			`c.Abort()`
			`return`
			`}`

			`c.Next()`
			`}`
			`}`