fix: exclude auth/SSE/events from global rate limiter

This commit is contained in:
DmitrL-dev 2026-03-26 09:16:53 +10:00
parent ab55fe2b58
commit 11c0e42af7


@ -62,6 +62,8 @@ func (rl *RateLimiter) Allow(ip string) bool {
}
// Middleware wraps an HTTP handler with rate limiting.
// Certain paths are excluded to prevent battle/scan traffic from blocking
// dashboard access (auth, SSE stream, event ingestion).
func (rl *RateLimiter) Middleware(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if !rl.enabled {
@ -69,6 +71,18 @@ func (rl *RateLimiter) Middleware(next http.Handler) http.Handler {
return
}
// Exclude critical dashboard paths from global rate limiter
p := r.URL.Path
switch {
case p == "/api/auth/login",
p == "/api/auth/refresh",
p == "/api/soc/stream",
p == "/api/v1/soc/events",
p == "/api/soc/events":
next.ServeHTTP(w, r)
return
}
// T4-3 FIX: Use RemoteAddr directly to prevent X-Forwarded-For spoofing.
// When behind a trusted reverse proxy, configure the proxy to set
// X-Real-IP and strip external X-Forwarded-For headers.