ntfy/server/visitor.go

package server

import (
	"errors"
	"heckel.io/ntfy/user"
	"net/netip"
	"sync"
	"time"

	"golang.org/x/time/rate"
	"heckel.io/ntfy/util"
)

const (
	// visitorExpungeAfter defines how long a visitor is active before it is removed from memory. This number
	// has to be very high to prevent e-mail abuse, but it doesn't really affect the other limits anyway, since
	// they are replenished faster (typically).
	visitorExpungeAfter = 24 * time.Hour
)

var (
	errVisitorLimitReached = errors.New("limit reached")
)

// visitor represents an API user, and its associated rate.Limiter used for rate limiting
type visitor struct {
	config              *Config
	messageCache        *messageCache
	ip                  netip.Addr
	user                *user.User
	messages            int64         // Number of messages sent
	emails              int64         // Number of emails sent
	requestLimiter      *rate.Limiter // Rate limiter for (almost) all requests (including messages)
	emailsLimiter       *rate.Limiter // Rate limiter for emails
	subscriptionLimiter util.Limiter  // Fixed limiter for active subscriptions (ongoing connections)
	bandwidthLimiter    util.Limiter
	accountLimiter      *rate.Limiter // Rate limiter for account creation
	firebase            time.Time     // Next allowed Firebase message
	seen                time.Time
	mu                  sync.Mutex
}

type visitorStats struct {
	Basis                        string // "ip", "role" or "plan"
	Messages                     int64
	MessagesLimit                int64
	MessagesRemaining            int64
	Emails                       int64
	EmailsLimit                  int64
	EmailsRemaining              int64
	AttachmentTotalSize          int64
	AttachmentTotalSizeLimit     int64
	AttachmentTotalSizeRemaining int64
	AttachmentFileSizeLimit      int64
}

func newVisitor(conf *Config, messageCache *messageCache, ip netip.Addr, user *user.User) *visitor {
	var requestLimiter, emailsLimiter, accountLimiter *rate.Limiter
	var messages, emails int64
	if user != nil {
		messages = user.Stats.Messages
		emails = user.Stats.Emails
	} else {
		accountLimiter = rate.NewLimiter(rate.Every(conf.VisitorAccountCreateLimitReplenish), conf.VisitorAccountCreateLimitBurst)
	}
	if user != nil && user.Plan != nil {
		requestLimiter = rate.NewLimiter(dailyLimitToRate(user.Plan.MessagesLimit), conf.VisitorRequestLimitBurst)
		emailsLimiter = rate.NewLimiter(dailyLimitToRate(user.Plan.EmailsLimit), conf.VisitorEmailLimitBurst)
	} else {
		requestLimiter = rate.NewLimiter(rate.Every(conf.VisitorRequestLimitReplenish), conf.VisitorRequestLimitBurst)
		emailsLimiter = rate.NewLimiter(rate.Every(conf.VisitorEmailLimitReplenish), conf.VisitorEmailLimitBurst)
	}
	return &visitor{
		config:              conf,
		messageCache:        messageCache,
		ip:                  ip,
		user:                user,
		messages:            messages,
		emails:              emails,
		requestLimiter:      requestLimiter,
		emailsLimiter:       emailsLimiter,
		subscriptionLimiter: util.NewFixedLimiter(int64(conf.VisitorSubscriptionLimit)),
		bandwidthLimiter:    util.NewBytesLimiter(conf.VisitorAttachmentDailyBandwidthLimit, 24*time.Hour),
		accountLimiter:      accountLimiter, // May be nil
		firebase:            time.Unix(0, 0),
		seen:                time.Now(),
	}
}

func (v *visitor) RequestAllowed() error {
	if !v.requestLimiter.Allow() {
		return errVisitorLimitReached
	}
	return nil
}

func (v *visitor) FirebaseAllowed() error {
	v.mu.Lock()
	defer v.mu.Unlock()
	if time.Now().Before(v.firebase) {
		return errVisitorLimitReached
	}
	return nil
}

func (v *visitor) FirebaseTemporarilyDeny() {
	v.mu.Lock()
	defer v.mu.Unlock()
	v.firebase = time.Now().Add(v.config.FirebaseQuotaExceededPenaltyDuration)
}

func (v *visitor) EmailAllowed() error {
	if !v.emailsLimiter.Allow() {
		return errVisitorLimitReached
	}
	return nil
}

func (v *visitor) SubscriptionAllowed() error {
	v.mu.Lock()
	defer v.mu.Unlock()
	if err := v.subscriptionLimiter.Allow(1); err != nil {
		return errVisitorLimitReached
	}
	return nil
}

func (v *visitor) RemoveSubscription() {
	v.mu.Lock()
	defer v.mu.Unlock()
	v.subscriptionLimiter.Allow(-1)
}

func (v *visitor) Keepalive() {
	v.mu.Lock()
	defer v.mu.Unlock()
	v.seen = time.Now()
}

func (v *visitor) BandwidthLimiter() util.Limiter {
	return v.bandwidthLimiter
}

func (v *visitor) Stale() bool {
	v.mu.Lock()
	defer v.mu.Unlock()
	return time.Since(v.seen) > visitorExpungeAfter
}

func (v *visitor) IncrMessages() {
	v.mu.Lock()
	defer v.mu.Unlock()
	v.messages++
	if v.user != nil {
		v.user.Stats.Messages = v.messages
	}
}

func (v *visitor) IncrEmails() {
	v.mu.Lock()
	defer v.mu.Unlock()
	v.emails++
	if v.user != nil {
		v.user.Stats.Emails = v.emails
	}
}

func (v *visitor) Stats() (*visitorStats, error) {
	v.mu.Lock()
	messages := v.messages
	emails := v.emails
	v.mu.Unlock()
	stats := &visitorStats{}
	if v.user != nil && v.user.Role == user.RoleAdmin {
		stats.Basis = "role"
		stats.MessagesLimit = 0
		stats.EmailsLimit = 0
		stats.AttachmentTotalSizeLimit = 0
		stats.AttachmentFileSizeLimit = 0
	} else if v.user != nil && v.user.Plan != nil {
		stats.Basis = "plan"
		stats.MessagesLimit = v.user.Plan.MessagesLimit
		stats.EmailsLimit = v.user.Plan.EmailsLimit
		stats.AttachmentTotalSizeLimit = v.user.Plan.AttachmentTotalSizeLimit
		stats.AttachmentFileSizeLimit = v.user.Plan.AttachmentFileSizeLimit
	} else {
		stats.Basis = "ip"
		stats.MessagesLimit = replenishDurationToDailyLimit(v.config.VisitorRequestLimitReplenish)
		stats.EmailsLimit = replenishDurationToDailyLimit(v.config.VisitorEmailLimitReplenish)
		stats.AttachmentTotalSizeLimit = v.config.VisitorAttachmentTotalSizeLimit
		stats.AttachmentFileSizeLimit = v.config.AttachmentFileSizeLimit
	}
	var attachmentsBytesUsed int64
	var err error
	if v.user != nil {
		attachmentsBytesUsed, err = v.messageCache.AttachmentBytesUsedByUser(v.user.Name)
	} else {
		attachmentsBytesUsed, err = v.messageCache.AttachmentBytesUsedBySender(v.ip.String())
	}
	if err != nil {
		return nil, err
	}
	stats.Messages = messages
	stats.MessagesRemaining = zeroIfNegative(stats.MessagesLimit - stats.Messages)
	stats.Emails = emails
	stats.EmailsRemaining = zeroIfNegative(stats.EmailsLimit - stats.Emails)
	stats.AttachmentTotalSize = attachmentsBytesUsed
	stats.AttachmentTotalSizeRemaining = zeroIfNegative(stats.AttachmentTotalSizeLimit - stats.AttachmentTotalSize)
	return stats, nil
}

func zeroIfNegative(value int64) int64 {
	if value < 0 {
		return 0
	}
	return value
}

func replenishDurationToDailyLimit(duration time.Duration) int64 {
	return int64(24 * time.Hour / duration)
}

func dailyLimitToRate(limit int64) rate.Limit {
	return rate.Limit(limit) * rate.Every(24*time.Hour)
}
Subscription limit 2021-11-02 08:21:38 +13:00			`package server`

			`import (`
JSON API errors 2021-12-26 03:15:05 +13:00			`"errors"`
Rename auth package to user; add extendToken feature 2022-12-26 05:41:38 +13:00			`"heckel.io/ntfy/user"`
refactor visitor IPs and allow exempting IP Ranges Use netip.Addr instead of storing addresses as strings. This requires conversions at the database level and in tests, but is more memory efficient otherwise, and facilitates the following. Parse rate limit exemptions as netip.Prefix. This allows storing IP ranges in the exemption list. Regular IP addresses (entered explicitly or resolved from hostnames) are IPV4/32, denoting a range of one address. 2022-10-06 09:42:07 +13:00			`"net/netip"`
Subscription limit 2021-11-02 08:21:38 +13:00			`"sync"`
			`"time"`
refactor visitor IPs and allow exempting IP Ranges Use netip.Addr instead of storing addresses as strings. This requires conversions at the database level and in tests, but is more memory efficient otherwise, and facilitates the following. Parse rate limit exemptions as netip.Prefix. This allows storing IP ranges in the exemption list. Regular IP addresses (entered explicitly or resolved from hostnames) are IPV4/32, denoting a range of one address. 2022-10-06 09:42:07 +13:00
			`"golang.org/x/time/rate"`
			`"heckel.io/ntfy/util"`
Subscription limit 2021-11-02 08:21:38 +13:00			`)`

			`const (`
Email rate limiting + tests 2021-12-24 12:03:04 +13:00			`// visitorExpungeAfter defines how long a visitor is active before it is removed from memory. This number`
			`// has to be very high to prevent e-mail abuse, but it doesn't really affect the other limits anyway, since`
			`// they are replenished faster (typically).`
			`visitorExpungeAfter = 24 * time.Hour`
Subscription limit 2021-11-02 08:21:38 +13:00			`)`

JSON API errors 2021-12-26 03:15:05 +13:00			`var (`
			`errVisitorLimitReached = errors.New("limit reached")`
			`)`

Subscription limit 2021-11-02 08:21:38 +13:00			`// visitor represents an API user, and its associated rate.Limiter used for rate limiting`
			`type visitor struct {`
Limits 2022-12-20 03:59:32 +13:00			`config *Config`
			`messageCache *messageCache`
			`ip netip.Addr`
Rename auth package to user; add extendToken feature 2022-12-26 05:41:38 +13:00			`user *user.User`
Write stats to user table asynchronously 2022-12-21 15:18:33 +13:00			`messages int64 // Number of messages sent`
			`emails int64 // Number of emails sent`
			`requestLimiter *rate.Limiter // Rate limiter for (almost) all requests (including messages)`
			`emailsLimiter *rate.Limiter // Rate limiter for emails`
			`subscriptionLimiter util.Limiter // Fixed limiter for active subscriptions (ongoing connections)`
Limits 2022-12-20 03:59:32 +13:00			`bandwidthLimiter util.Limiter`
Sign up rate limit 2022-12-25 06:10:51 +13:00			`accountLimiter *rate.Limiter // Rate limiter for account creation`
			`firebase time.Time // Next allowed Firebase message`
Limits 2022-12-20 03:59:32 +13:00			`seen time.Time`
			`mu sync.Mutex`
Subscription limit 2021-11-02 08:21:38 +13:00			`}`

Attachment behavior fix for Firefox 2022-04-04 04:39:52 +12:00			`type visitorStats struct {`
Restructure limits 2022-12-20 10:22:13 +13:00			`Basis string // "ip", "role" or "plan"`
			`Messages int64`
			`MessagesLimit int64`
			`MessagesRemaining int64`
			`Emails int64`
			`EmailsLimit int64`
			`EmailsRemaining int64`
			`AttachmentTotalSize int64`
			`AttachmentTotalSizeLimit int64`
			`AttachmentTotalSizeRemaining int64`
			`AttachmentFileSizeLimit int64`
Attachment behavior fix for Firefox 2022-04-04 04:39:52 +12:00			`}`

Rename auth package to user; add extendToken feature 2022-12-26 05:41:38 +13:00			`func newVisitor(conf Config, messageCache messageCache, ip netip.Addr, user user.User) visitor {`
Sign up rate limit 2022-12-25 06:10:51 +13:00			`var requestLimiter, emailsLimiter, accountLimiter *rate.Limiter`
Write stats to user table asynchronously 2022-12-21 15:18:33 +13:00			`var messages, emails int64`
			`if user != nil {`
			`messages = user.Stats.Messages`
			`emails = user.Stats.Emails`
Sign up rate limit 2022-12-25 06:10:51 +13:00			`} else {`
			`accountLimiter = rate.NewLimiter(rate.Every(conf.VisitorAccountCreateLimitReplenish), conf.VisitorAccountCreateLimitBurst)`
Write stats to user table asynchronously 2022-12-21 15:18:33 +13:00			`}`
v1/account API response, rate limiting bla 2022-12-18 17:54:19 +13:00			`if user != nil && user.Plan != nil {`
Restructure limits 2022-12-20 10:22:13 +13:00			`requestLimiter = rate.NewLimiter(dailyLimitToRate(user.Plan.MessagesLimit), conf.VisitorRequestLimitBurst)`
			`emailsLimiter = rate.NewLimiter(dailyLimitToRate(user.Plan.EmailsLimit), conf.VisitorEmailLimitBurst)`
v1/account API response, rate limiting bla 2022-12-18 17:54:19 +13:00			`} else {`
Limit work 2022-12-19 08:35:05 +13:00			`requestLimiter = rate.NewLimiter(rate.Every(conf.VisitorRequestLimitReplenish), conf.VisitorRequestLimitBurst)`
Restructure limits 2022-12-20 10:22:13 +13:00			`emailsLimiter = rate.NewLimiter(rate.Every(conf.VisitorEmailLimitReplenish), conf.VisitorEmailLimitBurst)`
v1/account API response, rate limiting bla 2022-12-18 17:54:19 +13:00			`}`
Subscription limit 2021-11-02 08:21:38 +13:00			`return &visitor{`
Limits 2022-12-20 03:59:32 +13:00			`config: conf,`
			`messageCache: messageCache,`
			`ip: ip,`
			`user: user,`
Write stats to user table asynchronously 2022-12-21 15:18:33 +13:00			`messages: messages,`
			`emails: emails,`
Limits 2022-12-20 03:59:32 +13:00			`requestLimiter: requestLimiter,`
Restructure limits 2022-12-20 10:22:13 +13:00			`emailsLimiter: emailsLimiter,`
Limits 2022-12-20 03:59:32 +13:00			`subscriptionLimiter: util.NewFixedLimiter(int64(conf.VisitorSubscriptionLimit)),`
			`bandwidthLimiter: util.NewBytesLimiter(conf.VisitorAttachmentDailyBandwidthLimit, 24*time.Hour),`
Sign up rate limit 2022-12-25 06:10:51 +13:00			`accountLimiter: accountLimiter, // May be nil`
Limits 2022-12-20 03:59:32 +13:00			`firebase: time.Unix(0, 0),`
			`seen: time.Now(),`
Subscription limit 2021-11-02 08:21:38 +13:00			`}`
			`}`

			`func (v *visitor) RequestAllowed() error {`
Limit work 2022-12-19 08:35:05 +13:00			`if !v.requestLimiter.Allow() {`
JSON API errors 2021-12-26 03:15:05 +13:00			`return errVisitorLimitReached`
Email rate limiting + tests 2021-12-24 12:03:04 +13:00			`}`
			`return nil`
			`}`

Firebase quota limit 2022-06-01 12:38:56 +12:00			`func (v *visitor) FirebaseAllowed() error {`
			`v.mu.Lock()`
			`defer v.mu.Unlock()`
			`if time.Now().Before(v.firebase) {`
			`return errVisitorLimitReached`
			`}`
			`return nil`
			`}`

			`func (v *visitor) FirebaseTemporarilyDeny() {`
			`v.mu.Lock()`
			`defer v.mu.Unlock()`
Refining, changelog 2022-06-01 15:27:24 +12:00			`v.firebase = time.Now().Add(v.config.FirebaseQuotaExceededPenaltyDuration)`
Firebase quota limit 2022-06-01 12:38:56 +12:00			`}`

Email rate limiting + tests 2021-12-24 12:03:04 +13:00			`func (v *visitor) EmailAllowed() error {`
Limits 2022-12-20 03:59:32 +13:00			`if !v.emailsLimiter.Allow() {`
JSON API errors 2021-12-26 03:15:05 +13:00			`return errVisitorLimitReached`
Subscription limit 2021-11-02 08:21:38 +13:00			`}`
			`return nil`
			`}`

JSON API errors 2021-12-26 03:15:05 +13:00			`func (v *visitor) SubscriptionAllowed() error {`
Subscription limit 2021-11-02 08:21:38 +13:00			`v.mu.Lock()`
			`defer v.mu.Unlock()`
Limits 2022-12-20 03:59:32 +13:00			`if err := v.subscriptionLimiter.Allow(1); err != nil {`
JSON API errors 2021-12-26 03:15:05 +13:00			`return errVisitorLimitReached`
Subscription limit 2021-11-02 08:21:38 +13:00			`}`
			`return nil`
			`}`

			`func (v *visitor) RemoveSubscription() {`
			`v.mu.Lock()`
			`defer v.mu.Unlock()`
Limits 2022-12-20 03:59:32 +13:00			`v.subscriptionLimiter.Allow(-1)`
Subscription limit 2021-11-02 08:21:38 +13:00			`}`

			`func (v *visitor) Keepalive() {`
			`v.mu.Lock()`
			`defer v.mu.Unlock()`
			`v.seen = time.Now()`
			`}`

CLI; docs docs docs 2022-01-13 15:24:48 +13:00			`func (v *visitor) BandwidthLimiter() util.Limiter {`
Limits 2022-12-20 03:59:32 +13:00			`return v.bandwidthLimiter`
Daily traffic limit 2022-01-13 12:52:07 +13:00			`}`

Subscription limit 2021-11-02 08:21:38 +13:00			`func (v *visitor) Stale() bool {`
			`v.mu.Lock()`
			`defer v.mu.Unlock()`
			`return time.Since(v.seen) > visitorExpungeAfter`
			`}`
Attachment behavior fix for Firefox 2022-04-04 04:39:52 +12:00
Limits 2022-12-20 03:59:32 +13:00			`func (v *visitor) IncrMessages() {`
			`v.mu.Lock()`
			`defer v.mu.Unlock()`
			`v.messages++`
Write stats to user table asynchronously 2022-12-21 15:18:33 +13:00			`if v.user != nil {`
			`v.user.Stats.Messages = v.messages`
			`}`
Limits 2022-12-20 03:59:32 +13:00			`}`

			`func (v *visitor) IncrEmails() {`
			`v.mu.Lock()`
			`defer v.mu.Unlock()`
			`v.emails++`
Write stats to user table asynchronously 2022-12-21 15:18:33 +13:00			`if v.user != nil {`
			`v.user.Stats.Emails = v.emails`
			`}`
Limits 2022-12-20 03:59:32 +13:00			`}`

Attachment behavior fix for Firefox 2022-04-04 04:39:52 +12:00			`func (v visitor) Stats() (visitorStats, error) {`
Limits 2022-12-20 03:59:32 +13:00			`v.mu.Lock()`
Associate messages with a user 2022-12-20 15:42:36 +13:00			`messages := v.messages`
			`emails := v.emails`
			`v.mu.Unlock()`
Restructure limits 2022-12-20 10:22:13 +13:00			`stats := &visitorStats{}`
Rename auth package to user; add extendToken feature 2022-12-26 05:41:38 +13:00			`if v.user != nil && v.user.Role == user.RoleAdmin {`
Restructure limits 2022-12-20 10:22:13 +13:00			`stats.Basis = "role"`
			`stats.MessagesLimit = 0`
			`stats.EmailsLimit = 0`
			`stats.AttachmentTotalSizeLimit = 0`
			`stats.AttachmentFileSizeLimit = 0`
			`} else if v.user != nil && v.user.Plan != nil {`
			`stats.Basis = "plan"`
			`stats.MessagesLimit = v.user.Plan.MessagesLimit`
			`stats.EmailsLimit = v.user.Plan.EmailsLimit`
			`stats.AttachmentTotalSizeLimit = v.user.Plan.AttachmentTotalSizeLimit`
			`stats.AttachmentFileSizeLimit = v.user.Plan.AttachmentFileSizeLimit`
			`} else {`
			`stats.Basis = "ip"`
			`stats.MessagesLimit = replenishDurationToDailyLimit(v.config.VisitorRequestLimitReplenish)`
			`stats.EmailsLimit = replenishDurationToDailyLimit(v.config.VisitorEmailLimitReplenish)`
Associate messages with a user 2022-12-20 15:42:36 +13:00			`stats.AttachmentTotalSizeLimit = v.config.VisitorAttachmentTotalSizeLimit`
Restructure limits 2022-12-20 10:22:13 +13:00			`stats.AttachmentFileSizeLimit = v.config.AttachmentFileSizeLimit`
			`}`
Associate messages with a user 2022-12-20 15:42:36 +13:00			`var attachmentsBytesUsed int64`
			`var err error`
			`if v.user != nil {`
			`attachmentsBytesUsed, err = v.messageCache.AttachmentBytesUsedByUser(v.user.Name)`
			`} else {`
			`attachmentsBytesUsed, err = v.messageCache.AttachmentBytesUsedBySender(v.ip.String())`
			`}`
			`if err != nil {`
			`return nil, err`
			`}`
			`stats.Messages = messages`
Write stats to user table asynchronously 2022-12-21 15:18:33 +13:00			`stats.MessagesRemaining = zeroIfNegative(stats.MessagesLimit - stats.Messages)`
Associate messages with a user 2022-12-20 15:42:36 +13:00			`stats.Emails = emails`
Write stats to user table asynchronously 2022-12-21 15:18:33 +13:00			`stats.EmailsRemaining = zeroIfNegative(stats.EmailsLimit - stats.Emails)`
Restructure limits 2022-12-20 10:22:13 +13:00			`stats.AttachmentTotalSize = attachmentsBytesUsed`
			`stats.AttachmentTotalSizeRemaining = zeroIfNegative(stats.AttachmentTotalSizeLimit - stats.AttachmentTotalSize)`
			`return stats, nil`
			`}`

			`func zeroIfNegative(value int64) int64 {`
			`if value < 0 {`
			`return 0`
			`}`
			`return value`
			`}`

			`func replenishDurationToDailyLimit(duration time.Duration) int64 {`
			`return int64(24 * time.Hour / duration)`
			`}`

			`func dailyLimitToRate(limit int64) rate.Limit {`
			`return rate.Limit(limit) * rate.Every(24*time.Hour)`
Attachment behavior fix for Firefox 2022-04-04 04:39:52 +12:00			`}`