adds middleware for rate limiting

[iambenkay]

What's New?

This feature implements a store agnostic rate limiting middleware i.e configurable with any store of user's choice.

Here is a dummy snippet of how a certain (unconventional) redis store might be integrated with the rate limiting middleware

type RedisStore struct {
   client redis.Client
}

// Store config must implement Allow for rate limiting middleware
func (store *RedisStore) Allow(identifier) bool {
   // run logic here that decides if user should be permitted
   return true
}

func main(){
   e := echo.New()

   redisStore := RedisStore{
      client: redis.Client{}
   }
   
   limiterMW := middleware.RateLimiter(redisStore)
   e.Use(limiterMW)
}

I threw in an InMemory implementation for people like me who want to get on the go fast.

func main(){
   e := echo.New()

   var inMemoryStore = middleware.RateLimiterMemoryStore{
      rate: 1,
      burst: 3,
   }
   
   limiterMW := middleware.RateLimiterWithConfig(RateLimiterConfig{
      Store: &inMemoryStore,
      SourceFunc: func(ctx echo.Context) string {
         return ctx.RealIP()
      },
   })
   e.Use(limiterMW)
}

closes #1721

[codecov]

Codecov Report

Merging #1724 (bbfb0ab) into master (67263b5) will increase coverage by 0.44%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master    #1724      +/-   ##
==========================================
+ Coverage   86.88%   87.32%   +0.44%     
==========================================
  Files          30       31       +1     
  Lines        2089     2162      +73     
==========================================
+ Hits         1815     1888      +73     
  Misses        175      175              
  Partials       99       99              

Impacted Files	Coverage Δ
middleware/rate_limiter.go	100.00% <100.00%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 67263b5...bbfb0ab. Read the comment docs.

[iambenkay]

Using time.Sleep in tests produces different results on different machines due to different computation speeds on different machines for example the github action ran the tests sucessfully on ubuntu but failed on macos before I had to take it out.

TODO: Find a more reliable method for testing the rate limiting which does not involve using the time.Sleep

I am open to any suggestions on this time issue.

[lammel]

Lovely overall!
I'm looking forward to put that beast into action. As we are using freecache currently I'll probably implement something like a FreeCacheLimiterStore for that then. Good to know that's easily doable.

[iambenkay]

TODO: Implement an expire functionality in order to automatically manage the amount of visitors that are currently active.

Added a last seen property to the visitor struct. I intend on adding an Optional AutoExpire method to the default InMemoryStore eventually.

[lammel]

Looks even better now...

[iambenkay]

Now Custom Error Handler can be specified using RateLimiterWithConfig

mw := middleware.RateLimiterWithConfig(RateLimiterConfig{
   ErrorHandler: func(c echo.Context) error {
      return c.JSON(http.StatusTooManyRequests, nil)
   },
   Store: inMemoryStore,
})

[lammel]

@pafuent you missed again all the fun. Feedback welcome, ready to merge.

@iambenkay Good work. Can you prepare a PR for the docs too in echox?

[pafuent]

@iambenkay I like the overall implementation. Please let me know if my comments makes sense for you.

@lammel Yep, it seems that I missed the fun 😢 (it was hard to resist the temptation to stop working and have some fun when I saw the emails back and forth)

[pafuent]

@iambenkay please address this two comments:
#1724 (comment)
#1724 (comment)
Besides of those two LGTM, so after addressing those I'll approve the PR. Thanks for the hard work and patience.

[lammel]

Very nice. We should just discuss the Allow signature.

[lammel]

Allow may have internal errors due to hash limits or other issues.
In this case it may make sense to make the signature to be Allow(identifier string) bool, error to be able to handle this special cases as we will be able to pass the error also to the DenyHandler. Use case would be for example to allow access (not apply rate limit) for DB connection errors (or other internal errors).

Not sure if this is needed, but it was also suggested by @aldas

[iambenkay]

Okay let me include this. it is a valid point.

[lammel]

@iambenkay Pushed some comment improvements to resolve some remaining comments.

[lammel]

@iambenkay Can you do a documentation PR in labstack/echox too?

[iambenkay]

Yes!

[lammel]

@pafuent Approved from my side. Feel free to merge.
Thanks (especially for your patience) @iambenkay.

Btw. tested the limiter locally with a simple hello world and it worked as expected with up to 30000 req/s and my laptop (from single local IP)

[iambenkay]

That's super!

[iambenkay]

@pafuent calling your attention to this!

[pafuent]

@iambenkay Thanks for this new middleware and thanks for your patience