Stage 6: gateway edge (Connect/FlatBuffers over h2c, platform/email/guest auth, sessions, rate-limit, admin passthrough, live push bridge)
New public ingress and the first network edge. Framework + a vertical slice of operations end-to-end; remaining ops reuse the same transcode pattern in Stage 7. Contracts (new module scrabble/pkg): - push.proto (backend->gateway gRPC server-stream) + scrabble.fbs (FlatBuffers edge payloads), committed generated Go; buf/flatc Makefiles (dev-time codegen). Backend: - REST handlers on the /api/v1 groups: internal session endpoints (telegram/guest/email login -> mint, resolve, revoke) and the user slice (profile, submit_play, state, lobby enqueue/poll, chat). - internal/notify in-process Publisher hub + internal/pushgrpc gRPC server (BACKEND_GRPC_ADDR) streaming your_turn/opponent_moved/chat/nudge/match_found; emission in game.commit, social, matchmaker. - migration 00005 accounts.is_guest; guests are durable rows excluded from stats; ProvisionGuest; email-as-login (RequestLoginCode/LoginWithCode). Gateway (new module scrabble/gateway): - Connect Gateway service over h2c (Execute + Subscribe), FlatBuffers<->JSON transcode registry, Telegram initData HMAC validator (seam), session cache, token-bucket rate limiter (3 classes), push fan-out hub, backend REST + push gRPC client, admin Basic-Auth reverse proxy. go.work: use ./pkg, ./gateway + replace scrabble/pkg. CI: gateway/**, pkg/** path filters; unit build/vet/test span all three modules. Docs (PLAN, ARCHITECTURE, FUNCTIONAL+ru, TESTING, READMEs) updated; gateway/pkg unit tests + guest/email-login integration tests.
This commit is contained in:
Ilia Denisov
@@ -0,0 +1,87 @@
|
||||
// Package ratelimit is the gateway's in-memory anti-abuse limiter: a token
|
||||
// bucket per key (golang.org/x/time/rate). The connect edge keys the public
|
||||
// class per client IP, the authenticated class per user id, and a stricter
|
||||
// sub-limit guards the email-code path; the admin proxy keys per IP. Buckets are
|
||||
// swept lazily so an idle key does not leak memory.
|
||||
package ratelimit
|
||||
|
||||
import (
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"golang.org/x/time/rate"
|
||||
)
|
||||
|
||||
// Policy is a token-bucket rate and burst.
|
||||
type Policy struct {
|
||||
Limit rate.Limit
|
||||
Burst int
|
||||
}
|
||||
|
||||
// PerMinute builds a Policy allowing perMinute events per minute with the given
|
||||
// burst.
|
||||
func PerMinute(perMinute, burst int) Policy {
|
||||
return Policy{Limit: rate.Limit(float64(perMinute) / 60.0), Burst: burst}
|
||||
}
|
||||
|
||||
// Per builds a Policy allowing events per window with the given burst.
|
||||
func Per(events int, window time.Duration, burst int) Policy {
|
||||
return Policy{Limit: rate.Limit(float64(events) / window.Seconds()), Burst: burst}
|
||||
}
|
||||
|
||||
// staleAfter is how long an unused bucket is retained before the lazy sweep
|
||||
// discards it; sweepInterval bounds how often the sweep runs.
|
||||
const (
|
||||
staleAfter = 10 * time.Minute
|
||||
sweepInterval = time.Minute
|
||||
)
|
||||
|
||||
// Limiter holds the per-key token buckets.
|
||||
type Limiter struct {
|
||||
now func() time.Time
|
||||
|
||||
mu sync.Mutex
|
||||
buckets map[string]*bucket
|
||||
lastSweep time.Time
|
||||
}
|
||||
|
||||
type bucket struct {
|
||||
lim *rate.Limiter
|
||||
seen time.Time
|
||||
}
|
||||
|
||||
// New constructs an empty Limiter.
|
||||
func New() *Limiter {
|
||||
now := func() time.Time { return time.Now() }
|
||||
return &Limiter{now: now, buckets: make(map[string]*bucket), lastSweep: now()}
|
||||
}
|
||||
|
||||
// Allow reports whether one event under key is permitted by policy, consuming a
|
||||
// token when it is.
|
||||
func (l *Limiter) Allow(key string, p Policy) bool {
|
||||
l.mu.Lock()
|
||||
defer l.mu.Unlock()
|
||||
now := l.now()
|
||||
l.sweepLocked(now)
|
||||
b, ok := l.buckets[key]
|
||||
if !ok {
|
||||
b = &bucket{lim: rate.NewLimiter(p.Limit, p.Burst)}
|
||||
l.buckets[key] = b
|
||||
}
|
||||
b.seen = now
|
||||
return b.lim.Allow()
|
||||
}
|
||||
|
||||
// sweepLocked discards buckets unused for staleAfter, at most once per
|
||||
// sweepInterval. The caller holds l.mu.
|
||||
func (l *Limiter) sweepLocked(now time.Time) {
|
||||
if now.Sub(l.lastSweep) < sweepInterval {
|
||||
return
|
||||
}
|
||||
l.lastSweep = now
|
||||
for k, b := range l.buckets {
|
||||
if now.Sub(b.seen) > staleAfter {
|
||||
delete(l.buckets, k)
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,46 @@
|
||||
package ratelimit_test
|
||||
|
||||
import (
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"scrabble/gateway/internal/ratelimit"
|
||||
)
|
||||
|
||||
func TestAllowEnforcesBurst(t *testing.T) {
|
||||
l := ratelimit.New()
|
||||
p := ratelimit.PerMinute(60, 3) // 1/s, burst 3
|
||||
allowed := 0
|
||||
for i := 0; i < 5; i++ {
|
||||
if l.Allow("ip:1.2.3.4", p) {
|
||||
allowed++
|
||||
}
|
||||
}
|
||||
if allowed != 3 {
|
||||
t.Fatalf("allowed %d of 5, want 3 (burst)", allowed)
|
||||
}
|
||||
}
|
||||
|
||||
func TestAllowIsolatesKeys(t *testing.T) {
|
||||
l := ratelimit.New()
|
||||
p := ratelimit.PerMinute(60, 1)
|
||||
if !l.Allow("user:a", p) {
|
||||
t.Fatal("first key should be allowed")
|
||||
}
|
||||
if !l.Allow("user:b", p) {
|
||||
t.Fatal("a different key must have its own bucket")
|
||||
}
|
||||
if l.Allow("user:a", p) {
|
||||
t.Fatal("the first key's bucket should now be empty")
|
||||
}
|
||||
}
|
||||
|
||||
func TestPerWindow(t *testing.T) {
|
||||
// 5 events per 10 minutes, burst 2: the third immediate call is denied.
|
||||
p := ratelimit.Per(5, 10*time.Minute, 2)
|
||||
l := ratelimit.New()
|
||||
got := []bool{l.Allow("email:x", p), l.Allow("email:x", p), l.Allow("email:x", p)}
|
||||
if !got[0] || !got[1] || got[2] {
|
||||
t.Fatalf("per-window burst = %v, want [true true false]", got)
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user