added discord api limiting

2026-01-24 00:58:31 +11:00
parent af6bec983b
commit ff0f61f534
15 changed files with 1363 additions and 141 deletions
--- a/internal/handlers/callback.go
+++ b/internal/handlers/callback.go
@@ -6,18 +6,49 @@ import (
 	"time"

 	"git.haelnorr.com/h/golib/hws"
+	"github.com/pkg/errors"
+	"github.com/uptrace/bun"
+
 	"git.haelnorr.com/h/oslstats/internal/config"
 	"git.haelnorr.com/h/oslstats/internal/db"
 	"git.haelnorr.com/h/oslstats/internal/discord"
-	"git.haelnorr.com/h/oslstats/internal/session"
+	"git.haelnorr.com/h/oslstats/internal/store"
 	"git.haelnorr.com/h/oslstats/pkg/oauth"
-	"github.com/pkg/errors"
-	"github.com/uptrace/bun"
 )

-func Callback(server *hws.Server, conn *bun.DB, cfg *config.Config, store *session.Store) http.Handler {
+func Callback(server *hws.Server, conn *bun.DB, cfg *config.Config, store *store.Store, discordAPI *discord.APIClient) http.Handler {
 	return http.HandlerFunc(
 		func(w http.ResponseWriter, r *http.Request) {
+			// Track callback redirect attempts
+			attempts, exceeded, track := store.TrackRedirect(r, "/callback", 5)
+
+			if exceeded {
+				// Build detailed error for logging
+				err := errors.Errorf(
+					"callback redirect loop detected after %d attempts | ip=%s ua=%s path=%s first_seen=%s",
+					attempts,
+					track.IP,
+					track.UserAgent,
+					track.Path,
+					track.FirstSeen.Format("2006-01-02T15:04:05Z07:00"),
+				)
+
+				// Clear the tracking entry
+				store.ClearRedirectTrack(r, "/callback")
+
+				// Show error page
+				throwError(
+					server,
+					w,
+					r,
+					http.StatusBadRequest,
+					"OAuth callback failed: Too many redirect attempts. Please try logging in again.",
+					err,
+					"warn",
+				)
+				return
+			}
+
 			state := r.URL.Query().Get("state")
 			code := r.URL.Query().Get("code")
 			if state == "" && code == "" {
@@ -41,6 +72,10 @@ func Callback(server *hws.Server, conn *bun.DB, cfg *config.Config, store *sessi
 				}
 				return
 			}
+			// SUCCESS POINT: State verified successfully
+			// Clear redirect tracking - OAuth callback completed successfully
+			store.ClearRedirectTrack(r, "/callback")
+
 			switch data {
 			case "login":
 				ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
@@ -51,7 +86,7 @@ func Callback(server *hws.Server, conn *bun.DB, cfg *config.Config, store *sessi
 					return
 				}
 				defer tx.Rollback()
-				redirect, err := login(ctx, tx, cfg, w, r, code, store)
+				redirect, err := login(ctx, tx, cfg, w, r, code, store, discordAPI)
 				if err != nil {
 					throwInternalServiceError(server, w, r, "OAuth login failed", err)
 					return
@@ -122,9 +157,10 @@ func login(
 	w http.ResponseWriter,
 	r *http.Request,
 	code string,
-	store *session.Store,
+	store *store.Store,
+	discordAPI *discord.APIClient,
 ) (func(), error) {
-	token, err := discord.AuthorizeWithCode(cfg.Discord, code, cfg.HWSAuth.TrustedHost)
+	token, err := discord.AuthorizeWithCode(cfg.Discord, code, cfg.HWSAuth.TrustedHost, discordAPI)
 	if err != nil {
 		return nil, errors.Wrap(err, "discord.AuthorizeWithCode")
 	}
--- a/internal/handlers/login.go
+++ b/internal/handlers/login.go
@@ -4,14 +4,47 @@ import (
 	"net/http"

 	"git.haelnorr.com/h/golib/hws"
+	"github.com/pkg/errors"
+
 	"git.haelnorr.com/h/oslstats/internal/config"
 	"git.haelnorr.com/h/oslstats/internal/discord"
+	"git.haelnorr.com/h/oslstats/internal/store"
 	"git.haelnorr.com/h/oslstats/pkg/oauth"
 )

-func Login(server *hws.Server, cfg *config.Config) http.Handler {
+func Login(server *hws.Server, cfg *config.Config, st *store.Store, discordAPI *discord.APIClient) http.Handler {
 	return http.HandlerFunc(
 		func(w http.ResponseWriter, r *http.Request) {
+			// Track login redirect attempts
+			attempts, exceeded, track := st.TrackRedirect(r, "/login", 5)
+
+			if exceeded {
+				// Build detailed error for logging
+				err := errors.Errorf(
+					"login redirect loop detected after %d attempts | ip=%s ua=%s path=%s first_seen=%s",
+					attempts,
+					track.IP,
+					track.UserAgent,
+					track.Path,
+					track.FirstSeen.Format("2006-01-02T15:04:05Z07:00"),
+				)
+
+				// Clear the tracking entry
+				st.ClearRedirectTrack(r, "/login")
+
+				// Show error page
+				throwError(
+					server,
+					w,
+					r,
+					http.StatusBadRequest,
+					"Login failed: Too many redirect attempts. Please clear your browser cookies and try again.",
+					err,
+					"warn",
+				)
+				return
+			}
+
 			state, uak, err := oauth.GenerateState(cfg.OAuth, "login")
 			if err != nil {
 				throwInternalServiceError(server, w, r, "Failed to generate state token", err)
@@ -24,6 +57,11 @@ func Login(server *hws.Server, cfg *config.Config) http.Handler {
 				throwInternalServiceError(server, w, r, "An error occurred trying to generate the login link", err)
 				return
 			}
+
+			// SUCCESS POINT: OAuth link generated, redirecting to Discord
+			// Clear redirect tracking - user successfully initiated OAuth
+			st.ClearRedirectTrack(r, "/login")
+
 			http.Redirect(w, r, link, http.StatusSeeOther)
 		},
 	)
--- a/internal/handlers/register.go
+++ b/internal/handlers/register.go
@@ -6,31 +6,63 @@ import (
 	"time"

 	"git.haelnorr.com/h/golib/hws"
+	"github.com/pkg/errors"
+	"github.com/uptrace/bun"
+
 	"git.haelnorr.com/h/oslstats/internal/config"
 	"git.haelnorr.com/h/oslstats/internal/db"
-	"git.haelnorr.com/h/oslstats/internal/session"
+	"git.haelnorr.com/h/oslstats/internal/store"
 	"git.haelnorr.com/h/oslstats/internal/view/page"
-	"github.com/uptrace/bun"
 )

 func Register(
 	server *hws.Server,
 	conn *bun.DB,
 	cfg *config.Config,
-	store *session.Store,
+	store *store.Store,
 ) http.Handler {
 	return http.HandlerFunc(
 		func(w http.ResponseWriter, r *http.Request) {
+			attempts, exceeded, track := store.TrackRedirect(r, "/register", 3)
+
+			if exceeded {
+				err := errors.Errorf(
+					"registration redirect loop detected after %d attempts | ip=%s ua=%s path=%s first_seen=%s ssl=%t",
+					attempts,
+					track.IP,
+					track.UserAgent,
+					track.Path,
+					track.FirstSeen.Format("2006-01-02T15:04:05Z07:00"),
+					cfg.HWSAuth.SSL,
+				)
+
+				store.ClearRedirectTrack(r, "/register")
+
+				throwError(
+					server,
+					w,
+					r,
+					http.StatusBadRequest,
+					"Registration failed: Cookies appear to be blocked or disabled. Please enable cookies in your browser and try again. If this problem persists, try a different browser or contact support.",
+					err,
+					"warn",
+				)
+				return
+			}
+
 			sessionCookie, err := r.Cookie("registration_session")
 			if err != nil {
 				http.Redirect(w, r, "/login", http.StatusSeeOther)
 				return
 			}
 			details, ok := store.GetRegistrationSession(sessionCookie.Value)
+			ok = false
 			if !ok {
 				http.Redirect(w, r, "/login", http.StatusSeeOther)
 				return
 			}
+
+			store.ClearRedirectTrack(r, "/register")
 			ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 			defer cancel()
 			tx, err := conn.BeginTx(ctx, nil)
@@ -65,12 +97,11 @@ func IsUsernameUnique(
 	server *hws.Server,
 	conn *bun.DB,
 	cfg *config.Config,
-	store *session.Store,
+	store *store.Store,
 ) http.Handler {
 	return http.HandlerFunc(
 		func(w http.ResponseWriter, r *http.Request) {
 			username := r.FormValue("username")
-			// check if its unique
 			ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 			defer cancel()
 			tx, err := conn.BeginTx(ctx, nil)