added discord api limiting

2026-01-24 00:58:31 +11:00
parent b810b75011
commit df977ef50f
15 changed files with 1363 additions and 141 deletions
--- a/internal/handlers/callback.go
+++ b/internal/handlers/callback.go
@@ -6,18 +6,49 @@ import (
 	"time"

 	"git.haelnorr.com/h/golib/hws"
+	"github.com/pkg/errors"
+	"github.com/uptrace/bun"
+
 	"git.haelnorr.com/h/oslstats/internal/config"
 	"git.haelnorr.com/h/oslstats/internal/db"
 	"git.haelnorr.com/h/oslstats/internal/discord"
-	"git.haelnorr.com/h/oslstats/internal/session"
+	"git.haelnorr.com/h/oslstats/internal/store"
 	"git.haelnorr.com/h/oslstats/pkg/oauth"
-	"github.com/pkg/errors"
-	"github.com/uptrace/bun"
 )

-func Callback(server *hws.Server, conn *bun.DB, cfg *config.Config, store *session.Store) http.Handler {
+func Callback(server *hws.Server, conn *bun.DB, cfg *config.Config, store *store.Store, discordAPI *discord.APIClient) http.Handler {
 	return http.HandlerFunc(
 		func(w http.ResponseWriter, r *http.Request) {
+			// Track callback redirect attempts
+			attempts, exceeded, track := store.TrackRedirect(r, "/callback", 5)
+
+			if exceeded {
+				// Build detailed error for logging
+				err := errors.Errorf(
+					"callback redirect loop detected after %d attempts | ip=%s ua=%s path=%s first_seen=%s",
+					attempts,
+					track.IP,
+					track.UserAgent,
+					track.Path,
+					track.FirstSeen.Format("2006-01-02T15:04:05Z07:00"),
+				)
+
+				// Clear the tracking entry
+				store.ClearRedirectTrack(r, "/callback")
+
+				// Show error page
+				throwError(
+					server,
+					w,
+					r,
+					http.StatusBadRequest,
+					"OAuth callback failed: Too many redirect attempts. Please try logging in again.",
+					err,
+					"warn",
+				)
+				return
+			}
+
 			state := r.URL.Query().Get("state")
 			code := r.URL.Query().Get("code")
 			if state == "" && code == "" {
@@ -41,6 +72,10 @@ func Callback(server *hws.Server, conn *bun.DB, cfg *config.Config, store *sessi
 				}
 				return
 			}
+			// SUCCESS POINT: State verified successfully
+			// Clear redirect tracking - OAuth callback completed successfully
+			store.ClearRedirectTrack(r, "/callback")
+
 			switch data {
 			case "login":
 				ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
@@ -51,7 +86,7 @@ func Callback(server *hws.Server, conn *bun.DB, cfg *config.Config, store *sessi
 					return
 				}
 				defer tx.Rollback()
-				redirect, err := login(ctx, tx, cfg, w, r, code, store)
+				redirect, err := login(ctx, tx, cfg, w, r, code, store, discordAPI)
 				if err != nil {
 					throwInternalServiceError(server, w, r, "OAuth login failed", err)
 					return
@@ -122,9 +157,10 @@ func login(
 	w http.ResponseWriter,
 	r *http.Request,
 	code string,
-	store *session.Store,
+	store *store.Store,
+	discordAPI *discord.APIClient,
 ) (func(), error) {
-	token, err := discord.AuthorizeWithCode(cfg.Discord, code, cfg.HWSAuth.TrustedHost)
+	token, err := discord.AuthorizeWithCode(cfg.Discord, code, cfg.HWSAuth.TrustedHost, discordAPI)
 	if err != nil {
 		return nil, errors.Wrap(err, "discord.AuthorizeWithCode")
 	}