- Middleware now returns 403 to avoid to many call's

- Validation for name and id params on endpoints
- new struct sheared by signup and login
- small code reading improvement
- delete commented code
- correct a panic on the code, returning proper error
- rename a few functions

Author: DanielFillol

controllers/controller.go

@@ -21,10 +21,7 @@ const levenshtein = 0.8
 //Signup a new user to the database
 func Signup(c *gin.Context) {
 	//get email/pass off req body
-	var body struct {
-		Email    string
-		Password string
-	}
+	var body models.InputBody
 
 	if c.Bind(&body) != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"Message": "Failed to read body"})
@@ -54,10 +51,7 @@ func Signup(c *gin.Context) {
 //Login verifies cookie session for login
 func Login(c *gin.Context) {
 	// Get the email and password from request body
-	var body struct {
-		Email    string
-		Password string
-	}
+	var body models.InputBody
 
 	if c.Bind(&body) != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"Message": "Failed to read body"})
@@ -92,7 +86,7 @@ func Login(c *gin.Context) {
 	c.SetCookie("token", token, 60*60, "/", "", false, true)
 
 	// Return success response
-	c.JSON(http.StatusOK, gin.H{})
+	c.JSON(http.StatusOK, gin.H{"Message": "Login successful"})
 }
 
 //generateJWTToken generates a JWT token with a specified expiration time and user ID. It first sets the token expiration time based on the amountDays parameter passed into the function.
@@ -212,8 +206,10 @@ func SearchSimilarNames(c *gin.Context) {
 	similarNames := findNames(metaphoneNames, name, levenshtein)
 
 	//for recall purposes we can't only search for metaphone exact match's if no similar word is found
+	preloadTable := c.MustGet("nameTypes").([]models.NameType)
+
 	if len(metaphoneNames) == 0 || len(similarNames) == 0 {
-		metaphoneNames = searchForAllSimilarMetaphone(nameMetaphone, c.MustGet("nameTypes").([]models.NameType))
+		metaphoneNames = searchForAllSimilarMetaphone(nameMetaphone, preloadTable)
 		similarNames = findNames(metaphoneNames, name, levenshtein)
 
 		if len(metaphoneNames) == 0 {
@@ -264,9 +260,6 @@ func SearchSimilarNames(c *gin.Context) {
 
 //searchForAllSimilarMetaphone used in case of not finding exact metaphone match
 func searchForAllSimilarMetaphone(mtf string, names []models.NameType) []models.NameType {
-	//var names []models.NameType
-	//database.Db.Raw("SELECT * FROM name_types").Find(&names)
-
 	var rNames []models.NameType
 	for _, n := range names {
 		if Metaphone.IsMetaphoneSimilar(mtf, n.Metaphone) {

go.mod

@@ -3,15 +3,18 @@ module github.com/Darklabel91/API_Names
 go 1.18
 
 require (
+	github.com/Darklabel91/metaphone-br v0.0.0-20230327175255-f661f3ae637b
 	github.com/gin-gonic/gin v1.9.0
+	github.com/golang-jwt/jwt/v5 v5.0.0-rc.1
 	github.com/joho/godotenv v1.5.1
+	golang.org/x/crypto v0.7.0
+	golang.org/x/time v0.3.0
 	gorm.io/driver/mysql v1.4.7
 	gorm.io/gorm v1.24.6
 )
 
 require (
 	github.com/Darklabel91/Levenshtein v0.0.0-20230327182846-18e2b540c668 // indirect
-	github.com/Darklabel91/metaphone-br v0.0.0-20230327175255-f661f3ae637b // indirect
 	github.com/bytedance/sonic v1.8.5 // indirect
 	github.com/chenzhuoyu/base64x v0.0.0-20221115062448-fe3a3abad311 // indirect
 	github.com/gin-contrib/sse v0.1.0 // indirect
@@ -20,7 +23,6 @@ require (
 	github.com/go-playground/validator/v10 v10.11.2 // indirect
 	github.com/go-sql-driver/mysql v1.7.0 // indirect
 	github.com/goccy/go-json v0.10.1 // indirect
-	github.com/golang-jwt/jwt/v5 v5.0.0-rc.1 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
@@ -33,7 +35,6 @@ require (
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.2.11 // indirect
 	golang.org/x/arch v0.3.0 // indirect
-	golang.org/x/crypto v0.7.0 // indirect
 	golang.org/x/net v0.8.0 // indirect
 	golang.org/x/sys v0.6.0 // indirect
 	golang.org/x/text v0.8.0 // indirect

go.sum

@@ -1,5 +1,3 @@
-github.com/Darklabel91/Levenshtein v0.0.0-20230327180915-520182aba65a h1:/nTBmKXehgl606NX4oqbKXMC5fVWPyjNBiSfnX9S2jM=
-github.com/Darklabel91/Levenshtein v0.0.0-20230327180915-520182aba65a/go.mod h1:8sU0Aii5Eog/JhC/LtRaSR4jSvgQyDN84rG2ihtm1iU=
 github.com/Darklabel91/Levenshtein v0.0.0-20230327182846-18e2b540c668 h1:F1VOn4ZXc8hBqtmNsSarRI/EwReb/TNDGGQt9tNWWDY=
 github.com/Darklabel91/Levenshtein v0.0.0-20230327182846-18e2b540c668/go.mod h1:8sU0Aii5Eog/JhC/LtRaSR4jSvgQyDN84rG2ihtm1iU=
 github.com/Darklabel91/metaphone-br v0.0.0-20230327175255-f661f3ae637b h1:ltrsS0rhJTqJqLHgULHSNSLBkht5tJ1tx7IJ12YRmXU=
@@ -90,6 +88,8 @@ golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=

middleware/requireAuth.go

@@ -4,50 +4,108 @@ import (
 	"fmt"
 	"github.com/gin-gonic/gin"
 	"github.com/golang-jwt/jwt/v5"
+	"golang.org/x/time/rate"
 	"net/http"
 	"os"
+	"strconv"
+	"strings"
 	"time"
 )
 
-func RequireAuth(c *gin.Context) {
-	//get the cookie off req
-	tokenString := c.GetHeader("Token")
+const MaxThreadsByToken = 5
+
+// RequireAuth returns a Gin middleware function that checks for a valid JWT token in the request header or cookie, and limits the rate of requests to prevent DDoS attacks.
+//	- The rate limit is enforced using a token bucket algorithm.
+//	- The rate limit and queue capacity can be adjusted by modifying the constants in the function.
+//	- If the token is invalid or has expired, or if the request cannot be processed due to an error, the middleware function aborts the request with a 401 Unauthorized HTTP status code.
+func RequireAuth() gin.HandlerFunc {
+	// Create a new rate limiter to limit the number of requests per second
+	limiter := rate.NewLimiter(1000, MaxThreadsByToken)
+
+	return func(c *gin.Context) {
+		// Check if the request has exceeded the rate limit
+		if !limiter.Allow() {
+			c.AbortWithStatus(http.StatusTooManyRequests)
+			return
+		}
+
+		// Get the token from the header or cookie
+		tokenString := c.GetHeader("Token")
+		var err error
+		if tokenString == "" {
+			tokenString, err = c.Cookie("token")
+			if err != nil {
+				c.AbortWithStatus(http.StatusUnauthorized)
+				return
+			}
+		}
+
+		// Decode/validate the token
+		token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
+			if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+				return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+			}
+
+			return []byte(os.Getenv("SECRET")), nil
+		})
 
-	var err error
-	if tokenString == "" {
-		tokenString, err = c.Cookie("token")
 		if err != nil {
 			c.AbortWithStatus(http.StatusUnauthorized)
 			return
 		}
+
+		if claims, ok := token.Claims.(jwt.MapClaims); ok && token.Valid {
+			// Check the expiration date
+			if float64(time.Now().Unix()) > claims["exp"].(float64) {
+				c.AbortWithStatus(http.StatusUnauthorized)
+				return
+			}
+
+			// Continue
+			c.Next()
+		} else {
+			c.AbortWithStatus(http.StatusUnauthorized)
+			return
+		}
 	}
+}
 
-	//decode/validate
-	token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
-		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
-			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+// ValidateIDParam validates id param. It must contain only numbers
+func ValidateIDParam() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		// Try to parse the ":id" parameter as an integer
+		if _, err := strconv.Atoi(c.Param("id")); err != nil {
+			c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{
+				"error": fmt.Sprintf("Invalid ':id' parameter: '%s' is not a valid integer", c.Param("id")),
+			})
+			return
 		}
+		c.Next()
+	}
+}
 
-		return []byte(os.Getenv("SECRET")), nil
-	})
+//ValidateNameParam validates :name param. It must not contain numbers or spaces
+func ValidateNameParam() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		// Try to retrieve the ":name" parameter from the request context
+		name := c.Param("name")
 
-	if err != nil {
-		c.AbortWithStatus(http.StatusUnauthorized)
-		return
-	}
+		// Check if the name contains whitespace
+		if strings.Contains(name, " ") {
+			c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{
+				"error": fmt.Sprintf("Invalid ':name' parameter: '%s' should contain a single word with no spaces", name),
+			})
+			return
+		}
 
-	if claims, ok := token.Claims.(jwt.MapClaims); ok && token.Valid {
-		//check the expiration date
-		if float64(time.Now().Unix()) > claims["exp"].(float64) {
-			c.AbortWithStatus(http.StatusUnauthorized)
+		// Check if the name contains any numbers
+		if _, err := strconv.Atoi(name); err == nil {
+			c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{
+				"error": fmt.Sprintf("Invalid ':name' parameter: '%s' should not contain any numbers", name),
+			})
 			return
 		}
 
-		//continue
 		c.Next()
-	} else {
-		c.AbortWithStatus(http.StatusUnauthorized)
-		return
 	}
-
 }

models/models.go

@@ -38,3 +38,9 @@ type MetaphoneR struct {
 	Metaphone      string         `json:"Metaphone,omitempty"`
 	NameVariations []string       `json:"NameVariations,omitempty"`
 }
+
+//InputBody struct for validation middleware
+type InputBody struct {
+	Email    string `json:"Email,omitempty"`
+	Password string `json:"Password,omitempty"`
+}

routes/routes.go

@@ -23,28 +23,30 @@ func HandleRequests() {
 		return
 	}
 
-	//signup and login
+	//set up routes
 	r.POST("/signup", controllers.Signup)
 	r.POST("/login", controllers.Login)
 
-	//Other routes
-	r.Use(middleware.RequireAuth)
+	//define middleware that validate token
+	r.Use(middleware.RequireAuth())
 
+	//set up caching middleware for GET requests
+	r.GET("/:id", middleware.ValidateIDParam(), waitGroupID)
+	r.DELETE("/:id", middleware.ValidateIDParam(), controllers.DeleteName)
+	r.PATCH("/:id", middleware.ValidateIDParam(), controllers.UpdateName)
 	r.POST("/name", controllers.CreateName)
-	r.DELETE("/:id", controllers.DeleteName)
-	r.PATCH("/:id", controllers.UpdateName)
-	r.GET("/:id", WaitGroupID)
-	r.GET("/name/:name", WaitGroupName)
-	r.GET("/metaphone/:name", PreloadNameTypes(), WaitGroupMetaphone)
+	r.GET("/name/:name", middleware.ValidateNameParam(), waitGroupName)
+	r.GET("/metaphone/:name", middleware.ValidateNameParam(), preloadNameTypes(), middleware.ValidateNameParam(), waitGroupMetaphone)
 
+	// run
 	err = r.Run(door)
 	if err != nil {
-		panic(err)
+		return
 	}
 }
 
-//WaitGroupMetaphone crates a waiting group for handling requests using controllers.SearchSimilarNames
-func WaitGroupMetaphone(c *gin.Context) {
+//waitGroupMetaphone crates a waiting group for handling requests using controllers.SearchSimilarNames
+func waitGroupMetaphone(c *gin.Context) {
 	var wg sync.WaitGroup
 	wg.Add(1)
 
@@ -57,8 +59,8 @@ func WaitGroupMetaphone(c *gin.Context) {
 	wg.Wait()
 }
 
-//WaitGroupName crates a waiting group for handling requests using controllers.GetName
-func WaitGroupName(c *gin.Context) {
+//waitGroupName crates a waiting group for handling requests using controllers.GetName
+func waitGroupName(c *gin.Context) {
 	var wg sync.WaitGroup
 	wg.Add(1)
 
@@ -71,8 +73,8 @@ func WaitGroupName(c *gin.Context) {
 	wg.Wait()
 }
 
-// WaitGroupID  crates a waiting group for handling requests using controllers.GetID
-func WaitGroupID(c *gin.Context) {
+// waitGroupID  crates a waiting group for handling requests using controllers.GetID
+func waitGroupID(c *gin.Context) {
 	var wg sync.WaitGroup
 	wg.Add(1)
 
@@ -85,8 +87,8 @@ func WaitGroupID(c *gin.Context) {
 	wg.Wait()
 }
 
-//PreloadNameTypes for better response time we load all records of the table
-func PreloadNameTypes() gin.HandlerFunc {
+//preloadNameTypes for better response time we load all records of the table
+func preloadNameTypes() gin.HandlerFunc {
 	var nameTypes []models.NameType
 	if err := database.Db.Find(&nameTypes).Error; err != nil {
 		return nil