ntfy/server/visitor.go

package server

import (
	"errors"
	"heckel.io/ntfy/auth"
	"net/netip"
	"sync"
	"time"

	"golang.org/x/time/rate"
	"heckel.io/ntfy/util"
)

const (
	// visitorExpungeAfter defines how long a visitor is active before it is removed from memory. This number
	// has to be very high to prevent e-mail abuse, but it doesn't really affect the other limits anyway, since
	// they are replenished faster (typically).
	visitorExpungeAfter = 24 * time.Hour
)

var (
	errVisitorLimitReached = errors.New("limit reached")
)

// visitor represents an API user, and its associated rate.Limiter used for rate limiting
type visitor struct {
	config         *Config
	messageCache   *messageCache
	ip             netip.Addr
	user           *auth.User
	requests       *util.AtomicCounter[int64]
	requestLimiter *rate.Limiter
	emails         *rate.Limiter
	subscriptions  util.Limiter
	bandwidth      util.Limiter
	firebase       time.Time // Next allowed Firebase message
	seen           time.Time
	mu             sync.Mutex
}

type visitorStats struct {
	AttachmentFileSizeLimit         int64 `json:"attachmentFileSizeLimit"`
	VisitorAttachmentBytesTotal     int64 `json:"visitorAttachmentBytesTotal"`
	VisitorAttachmentBytesUsed      int64 `json:"visitorAttachmentBytesUsed"`
	VisitorAttachmentBytesRemaining int64 `json:"visitorAttachmentBytesRemaining"`
}

func newVisitor(conf *Config, messageCache *messageCache, ip netip.Addr, user *auth.User) *visitor {
	var requestLimiter *rate.Limiter
	if user != nil && user.Plan != nil {
		requestLimiter = rate.NewLimiter(rate.Limit(user.Plan.RequestLimit)*rate.Every(24*time.Hour), conf.VisitorRequestLimitBurst)
	} else {
		requestLimiter = rate.NewLimiter(rate.Every(conf.VisitorRequestLimitReplenish), conf.VisitorRequestLimitBurst)
	}
	return &visitor{
		config:         conf,
		messageCache:   messageCache,
		ip:             ip,
		user:           user,
		requests:       util.NewAtomicCounter[int64](0),
		requestLimiter: requestLimiter,
		emails:         rate.NewLimiter(rate.Every(conf.VisitorEmailLimitReplenish), conf.VisitorEmailLimitBurst),
		subscriptions:  util.NewFixedLimiter(int64(conf.VisitorSubscriptionLimit)),
		bandwidth:      util.NewBytesLimiter(conf.VisitorAttachmentDailyBandwidthLimit, 24*time.Hour),
		firebase:       time.Unix(0, 0),
		seen:           time.Now(),
	}
}

func (v *visitor) RequestAllowed() error {
	if !v.requestLimiter.Allow() {
		return errVisitorLimitReached
	}
	return nil
}

func (v *visitor) FirebaseAllowed() error {
	v.mu.Lock()
	defer v.mu.Unlock()
	if time.Now().Before(v.firebase) {
		return errVisitorLimitReached
	}
	return nil
}

func (v *visitor) FirebaseTemporarilyDeny() {
	v.mu.Lock()
	defer v.mu.Unlock()
	v.firebase = time.Now().Add(v.config.FirebaseQuotaExceededPenaltyDuration)
}

func (v *visitor) EmailAllowed() error {
	if !v.emails.Allow() {
		return errVisitorLimitReached
	}
	return nil
}

func (v *visitor) SubscriptionAllowed() error {
	v.mu.Lock()
	defer v.mu.Unlock()
	if err := v.subscriptions.Allow(1); err != nil {
		return errVisitorLimitReached
	}
	return nil
}

func (v *visitor) RemoveSubscription() {
	v.mu.Lock()
	defer v.mu.Unlock()
	v.subscriptions.Allow(-1)
}

func (v *visitor) Keepalive() {
	v.mu.Lock()
	defer v.mu.Unlock()
	v.seen = time.Now()
}

func (v *visitor) BandwidthLimiter() util.Limiter {
	return v.bandwidth
}

func (v *visitor) Stale() bool {
	v.mu.Lock()
	defer v.mu.Unlock()
	return time.Since(v.seen) > visitorExpungeAfter
}

func (v *visitor) Stats() (*visitorStats, error) {
	attachmentsBytesUsed, err := v.messageCache.AttachmentBytesUsed(v.ip.String())
	if err != nil {
		return nil, err
	}
	attachmentsBytesRemaining := v.config.VisitorAttachmentTotalSizeLimit - attachmentsBytesUsed
	if attachmentsBytesRemaining < 0 {
		attachmentsBytesRemaining = 0
	}
	return &visitorStats{
		AttachmentFileSizeLimit:         v.config.AttachmentFileSizeLimit,
		VisitorAttachmentBytesTotal:     v.config.VisitorAttachmentTotalSizeLimit,
		VisitorAttachmentBytesUsed:      attachmentsBytesUsed,
		VisitorAttachmentBytesRemaining: attachmentsBytesRemaining,
	}, nil
}
Subscription limit 2021-11-02 08:21:38 +13:00			`package server`

			`import (`
JSON API errors 2021-12-26 03:15:05 +13:00			`"errors"`
WIPWIPWIP 2022-12-03 09:37:48 +13:00			`"heckel.io/ntfy/auth"`
refactor visitor IPs and allow exempting IP Ranges Use netip.Addr instead of storing addresses as strings. This requires conversions at the database level and in tests, but is more memory efficient otherwise, and facilitates the following. Parse rate limit exemptions as netip.Prefix. This allows storing IP ranges in the exemption list. Regular IP addresses (entered explicitly or resolved from hostnames) are IPV4/32, denoting a range of one address. 2022-10-06 09:42:07 +13:00			`"net/netip"`
Subscription limit 2021-11-02 08:21:38 +13:00			`"sync"`
			`"time"`
refactor visitor IPs and allow exempting IP Ranges Use netip.Addr instead of storing addresses as strings. This requires conversions at the database level and in tests, but is more memory efficient otherwise, and facilitates the following. Parse rate limit exemptions as netip.Prefix. This allows storing IP ranges in the exemption list. Regular IP addresses (entered explicitly or resolved from hostnames) are IPV4/32, denoting a range of one address. 2022-10-06 09:42:07 +13:00
			`"golang.org/x/time/rate"`
			`"heckel.io/ntfy/util"`
Subscription limit 2021-11-02 08:21:38 +13:00			`)`

			`const (`
Email rate limiting + tests 2021-12-24 12:03:04 +13:00			`// visitorExpungeAfter defines how long a visitor is active before it is removed from memory. This number`
			`// has to be very high to prevent e-mail abuse, but it doesn't really affect the other limits anyway, since`
			`// they are replenished faster (typically).`
			`visitorExpungeAfter = 24 * time.Hour`
Subscription limit 2021-11-02 08:21:38 +13:00			`)`

JSON API errors 2021-12-26 03:15:05 +13:00			`var (`
			`errVisitorLimitReached = errors.New("limit reached")`
			`)`

Subscription limit 2021-11-02 08:21:38 +13:00			`// visitor represents an API user, and its associated rate.Limiter used for rate limiting`
			`type visitor struct {`
Limit work 2022-12-19 08:35:05 +13:00			`config *Config`
			`messageCache *messageCache`
			`ip netip.Addr`
			`user *auth.User`
			`requests *util.AtomicCounter[int64]`
			`requestLimiter *rate.Limiter`
			`emails *rate.Limiter`
			`subscriptions util.Limiter`
			`bandwidth util.Limiter`
			`firebase time.Time // Next allowed Firebase message`
			`seen time.Time`
			`mu sync.Mutex`
Subscription limit 2021-11-02 08:21:38 +13:00			`}`

Attachment behavior fix for Firefox 2022-04-04 04:39:52 +12:00			`type visitorStats struct {`
			AttachmentFileSizeLimit int64 `json:"attachmentFileSizeLimit"`
			VisitorAttachmentBytesTotal int64 `json:"visitorAttachmentBytesTotal"`
			VisitorAttachmentBytesUsed int64 `json:"visitorAttachmentBytesUsed"`
			VisitorAttachmentBytesRemaining int64 `json:"visitorAttachmentBytesRemaining"`
			`}`

WIPWIPWIP 2022-12-03 09:37:48 +13:00			`func newVisitor(conf Config, messageCache messageCache, ip netip.Addr, user auth.User) visitor {`
Limit work 2022-12-19 08:35:05 +13:00			`var requestLimiter *rate.Limiter`
v1/account API response, rate limiting bla 2022-12-18 17:54:19 +13:00			`if user != nil && user.Plan != nil {`
Limit work 2022-12-19 08:35:05 +13:00			`requestLimiter = rate.NewLimiter(rate.Limit(user.Plan.RequestLimit)rate.Every(24time.Hour), conf.VisitorRequestLimitBurst)`
v1/account API response, rate limiting bla 2022-12-18 17:54:19 +13:00			`} else {`
Limit work 2022-12-19 08:35:05 +13:00			`requestLimiter = rate.NewLimiter(rate.Every(conf.VisitorRequestLimitReplenish), conf.VisitorRequestLimitBurst)`
v1/account API response, rate limiting bla 2022-12-18 17:54:19 +13:00			`}`
Subscription limit 2021-11-02 08:21:38 +13:00			`return &visitor{`
Limit work 2022-12-19 08:35:05 +13:00			`config: conf,`
			`messageCache: messageCache,`
			`ip: ip,`
			`user: user,`
			`requests: util.NewAtomicCounter[int64](0),`
			`requestLimiter: requestLimiter,`
			`emails: rate.NewLimiter(rate.Every(conf.VisitorEmailLimitReplenish), conf.VisitorEmailLimitBurst),`
			`subscriptions: util.NewFixedLimiter(int64(conf.VisitorSubscriptionLimit)),`
			`bandwidth: util.NewBytesLimiter(conf.VisitorAttachmentDailyBandwidthLimit, 24*time.Hour),`
			`firebase: time.Unix(0, 0),`
			`seen: time.Now(),`
Subscription limit 2021-11-02 08:21:38 +13:00			`}`
			`}`

			`func (v *visitor) RequestAllowed() error {`
Limit work 2022-12-19 08:35:05 +13:00			`if !v.requestLimiter.Allow() {`
JSON API errors 2021-12-26 03:15:05 +13:00			`return errVisitorLimitReached`
Email rate limiting + tests 2021-12-24 12:03:04 +13:00			`}`
			`return nil`
			`}`

Firebase quota limit 2022-06-01 12:38:56 +12:00			`func (v *visitor) FirebaseAllowed() error {`
			`v.mu.Lock()`
			`defer v.mu.Unlock()`
			`if time.Now().Before(v.firebase) {`
			`return errVisitorLimitReached`
			`}`
			`return nil`
			`}`

			`func (v *visitor) FirebaseTemporarilyDeny() {`
			`v.mu.Lock()`
			`defer v.mu.Unlock()`
Refining, changelog 2022-06-01 15:27:24 +12:00			`v.firebase = time.Now().Add(v.config.FirebaseQuotaExceededPenaltyDuration)`
Firebase quota limit 2022-06-01 12:38:56 +12:00			`}`

Email rate limiting + tests 2021-12-24 12:03:04 +13:00			`func (v *visitor) EmailAllowed() error {`
			`if !v.emails.Allow() {`
JSON API errors 2021-12-26 03:15:05 +13:00			`return errVisitorLimitReached`
Subscription limit 2021-11-02 08:21:38 +13:00			`}`
			`return nil`
			`}`

JSON API errors 2021-12-26 03:15:05 +13:00			`func (v *visitor) SubscriptionAllowed() error {`
Subscription limit 2021-11-02 08:21:38 +13:00			`v.mu.Lock()`
			`defer v.mu.Unlock()`
Making RateLimiter and FixedLimiter, so they can both work with LimitWriter 2022-01-13 11:03:28 +13:00			`if err := v.subscriptions.Allow(1); err != nil {`
JSON API errors 2021-12-26 03:15:05 +13:00			`return errVisitorLimitReached`
Subscription limit 2021-11-02 08:21:38 +13:00			`}`
			`return nil`
			`}`

			`func (v *visitor) RemoveSubscription() {`
			`v.mu.Lock()`
			`defer v.mu.Unlock()`
Making RateLimiter and FixedLimiter, so they can both work with LimitWriter 2022-01-13 11:03:28 +13:00			`v.subscriptions.Allow(-1)`
Subscription limit 2021-11-02 08:21:38 +13:00			`}`

			`func (v *visitor) Keepalive() {`
			`v.mu.Lock()`
			`defer v.mu.Unlock()`
			`v.seen = time.Now()`
			`}`

CLI; docs docs docs 2022-01-13 15:24:48 +13:00			`func (v *visitor) BandwidthLimiter() util.Limiter {`
			`return v.bandwidth`
Daily traffic limit 2022-01-13 12:52:07 +13:00			`}`

Subscription limit 2021-11-02 08:21:38 +13:00			`func (v *visitor) Stale() bool {`
			`v.mu.Lock()`
			`defer v.mu.Unlock()`
			`return time.Since(v.seen) > visitorExpungeAfter`
			`}`
Attachment behavior fix for Firefox 2022-04-04 04:39:52 +12:00
			`func (v visitor) Stats() (visitorStats, error) {`
refactor visitor IPs and allow exempting IP Ranges Use netip.Addr instead of storing addresses as strings. This requires conversions at the database level and in tests, but is more memory efficient otherwise, and facilitates the following. Parse rate limit exemptions as netip.Prefix. This allows storing IP ranges in the exemption list. Regular IP addresses (entered explicitly or resolved from hostnames) are IPV4/32, denoting a range of one address. 2022-10-06 09:42:07 +13:00			`attachmentsBytesUsed, err := v.messageCache.AttachmentBytesUsed(v.ip.String())`
Attachment behavior fix for Firefox 2022-04-04 04:39:52 +12:00			`if err != nil {`
			`return nil, err`
			`}`
			`attachmentsBytesRemaining := v.config.VisitorAttachmentTotalSizeLimit - attachmentsBytesUsed`
			`if attachmentsBytesRemaining < 0 {`
			`attachmentsBytesRemaining = 0`
			`}`
			`return &visitorStats{`
			`AttachmentFileSizeLimit: v.config.AttachmentFileSizeLimit,`
			`VisitorAttachmentBytesTotal: v.config.VisitorAttachmentTotalSizeLimit,`
			`VisitorAttachmentBytesUsed: attachmentsBytesUsed,`
			`VisitorAttachmentBytesRemaining: attachmentsBytesRemaining,`
			`}, nil`
			`}`