Add tests (#2)

* Initial tests draft.

* Add tests for parsing jwt token

* Further code optimisations

.github/FUNDING.yml

@@ -0,0 +1,2 @@
+github: [ lukaszraczylo ]
+custom: [ monzo.me/lukaszraczylo ]

.github/workflows/test.yaml

@@ -0,0 +1,20 @@
+name: Test and release
+
+on:
+  workflow_dispatch:
+  push:
+    paths-ignore:
+    - '**/**.md'
+    - '**/**.yaml'
+    - 'static/**'
+    branches:
+    - 'main'
+
+jobs:
+  shared:
+    uses: telegram-bot-app/ci-scripts/.github/workflows/build-test-publish-inject.yaml@main
+    with:
+      enable-code-scans: false
+      should-deploy: false
+    secrets:
+      ghcr-token: ${{ secrets.GHCR_TOKEN }}

.gitignore

@@ -1,3 +1,2 @@
 graphql-proxy
 test.sh
-banned.json*

Dockerfile

@@ -0,0 +1,9 @@
+FROM alpine:latest
+RUN apk add --no-cache ca-certificates
+WORKDIR /go/src/app
+ARG TARGETARCH
+ARG TARGETOS
+ADD dist/bot-$TARGETOS-$TARGETARCH /go/src/app/graphql-proxy
+ADD static/default-ratelimit.json /app/ratelimit.json
+RUN chmod +x /go/src/app/graphql-proxy
+ENTRYPOINT ["/go/src/app/graphql-proxy"]

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 Lukasz Raczylo
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Makefile

@@ -0,0 +1,34 @@
+CI_RUN?=false
+ADDITIONAL_BUILD_FLAGS=""
+
+ifeq ($(CI_RUN), true)
+	ADDITIONAL_BUILD_FLAGS="-test.short"
+endif
+
+.PHONY: help
+help:  ## display this help
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n\nTargets:\n"} /^[a-zA-Z0-9_-]+:.*?##/ { printf "  \033[36m%-20s\033[0m %s\n", $$1, $$2 }' $(MAKEFILE_LIST)
+
+.PHONY: run
+run: build ## run application
+	@LOG_LEVEL=warn BLOCK_SCHEMA_INTROSPECTION=false JWT_ROLE_RATE_LIMIT=false JWT_ROLE_CLAIM_PATH="Hasura.x-hasura-default-role" JWT_USER_CLAIM_PATH="Hasura.x-hasura-user-id" HOST_GRAPHQL=https://hasura8.lan/v1/graphql ./graphql-proxy
+
+.PHONY: build
+build: ## build the binary
+	go build -o graphql-proxy *.go
+
+.PHONY: test
+test: ## run tests on library
+	@LOG_LEVEL=debug go test $(ADDITIONAL_BUILD_FLAGS) -v -cover ./... -race
+
+.PHONY: test-packages
+test-packages: ## run tests on packages
+	@go test -v -cover ./pkg/...
+
+.PHONY: all
+all: test-packages test
+
+.PHONY: update
+update: ## update dependencies
+	@go get -u -v ./...
+	@go mod tidy -v

README.md

@@ -1,211 +1,63 @@
 ## graphql monitoring proxy
 
-Creates a passthrough proxy to a graphql endpoint(s), allowing you to analyse the queries and responses, producing the Prometheus metrics at a fraction of the cost - because, as we know - $0 is a fair price.
+Creates a passthrough proxy to a graphql endpoint(s), allowing you for analysis of the queries and responses, producing the prometheus metrics at a fraction of the cost - because as we know - $0 is a fair price.
 
-This project is in active use by [telegram-bot.app](https://telegram-bot.app), and was tested with 30k queries per second on a single instance, consuming 10 MB of RAM and 0.1% CPU. [Benchmarks](https://lukaszraczylo.github.io/graphql-monitoring-proxy/dev/bench/) are available.
+This project is in active use by [telegram-bot.app](https://telegram-bot.app), and was tested with 30k queries per second on a single instance, consuming 10mb of RAM and 0.1% CPU.
 
 ![Example of monitoring dashboard](static/monitoring-at-glance.png?raw=true)
 
-- [graphql monitoring proxy](#graphql-monitoring-proxy)
-  - [Why this project exists](#why-this-project-exists)
-  - [How to deploy](#how-to-deploy)
-    - [Note on websocket support](#note-on-websocket-support)
-  - [Endpoints](#endpoints)
-  - [Features](#features)
-  - [Configuration](#configuration)
-  - [Speed](#speed)
-    - [Caching](#caching)
-    - [Read-only endpoint](#read-only-endpoint)
-  - [Maintenance](#maintenance)
-    - [Hasura event cleaner](#hasura-event-cleaner)
-  - [Security](#security)
-    - [Role-based rate limiting](#role-based-rate-limiting)
-    - [Read-only mode](#read-only-mode)
-    - [Allowing access to listed URLs](#allowing-access-to-listed-urls)
-    - [Blocking introspection](#blocking-introspection)
-  - [API endpoints](#api-endpoints)
-    - [Ban or unban the user](#ban-or-unban-the-user)
-    - [Cache operations](#cache-operations)
-  - [General](#general)
-    - [Metrics which matter](#metrics-which-matter)
-    - [Healthcheck](#healthcheck)
-    - [Monitoring endpoint](#monitoring-endpoint)
+You can find the example of the kubernetes manifest in the [example deployment](static/kubernetes-deployment.yaml) file.
 
 ### Why this project exists
 
-I wanted to monitor the queries and responses of our graphql endpoint. Still, we didn't want to pay the price of the graphql server itself ( and I will not point fingers at a particular well-known project), as monitoring and basic security features should be a standard, free functionality.
-
-### How to deploy
-
-You can find the example of the Kubernetes manifest in the [example standalone deployment](static/kubernetes-deployment.yaml) or [example combined deployment](static/kubernetes-single-deployment.yaml) files. Observed advantage of multideployment is that it allows the network requests to travel via localhost, without leaving the deployment which brings quite significant network performance boost.
-
-#### Note on websocket support
-
-Proxy in its current version 0.5.30 does not support websockets. If you need to proxy the websocket requests - you can use following trick whilst setting up the proxy. As I'm a big fan of Traefik - there's an example which works with the mentioned above combined deployment.
-
-<details>
-  <summary>Click to show working Traefik Ingress Route example.</summary>
-
-```yaml
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: hasura-internal
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    # NON WEBSOCKET CONNECTION
-    - kind: Rule
-      match: Host(`example.com`) && PathPrefix(`/v1/graphql`) && !HeadersRegexp(`Upgrade`, `websocket`)
-      services:
-      - name: hasura-w-proxy-internal
-        port: proxy
-      middlewares:
-        - name: compression
-          namespace: default
-
-    # WEBSOCKET CONNECTION
-    - kind: Rule
-      match: Host(`example.com`) && PathPrefix(`/v1/graphql`) && HeadersRegexp(`Upgrade`, `websocket`)
-      services:
-      - name: hasura-w-proxy-internal
-        port: hasura
-      middlewares:
-        - name: compression
-          namespace: default
-```
-
-In this case, both proxy and websockets will be available under the `/v1/graphql` path, and the websocket connection will be proxied directly to the hasura service, bypassing the proxy.
-
-</details>
+I wanted to monitor the queries and responses of our graphql endpoint, but we didn't want to pay the price of the graphql server itself ( and I will not point fingers and certain well-known project), as monitoring and basic security features should be a common, free functionality.
 
 ### Endpoints
 
-* `:8080/*` - the graphql passthrough endpoint
+* `:8080/v1/graphql` - the graphql endpoint
 * `:9393/metrics` - the prometheus metrics endpoint
 * `:8080/healthz` - the healthcheck endpoint
-* `:8080/livez` - the liveness probe endpoint
-* `:9090/api/*` - the monitoring proxy API endpoint
 
 ### Features
 
-| Category   | Detail                                                                |
-|------------|-----------------------------------------------------------------------|
-| monitor    | Prometheus / VictoriaMetrics metrics                                  |
-| monitor    | Extracting user id from JWT token and adding it as a label to metrics |
-| monitor    | Extracting the query name and type and adding it as a label to metrics|
-| monitor    | Calculating the query duration and adding it to the metrics           |
-| speed      | Caching the queries, together with per-query cache and TTL            |
-| speed      | Support for READ ONLY graphql endpoint                                |
-| security   | Blocking schema introspection                                         |
-| security   | Rate limiting queries based on user role                              |
-| security   | Blocking mutations in read-only mode                                  |
-| security   | Allow access only to listed URLs                                      |
-| security   | Ban / unban specific user from accessing the application              |
-| maintenance | Hasura event cleaner                                                 |
-
+* MONITORING: Prometheus / VictoriaMetrics metrics
+* MONITORING: Extracting user id from JWT token and adding it as a label to the metrics
+* MONITORING: Extracting the query name and type and adding it as a label to the metrics
+* MONITORING: Calculating the query duration and adding it to the metrics
+* SPEED: Caching the queries
+* SECURITY: Blocking schema introspection
+* SECURITY: Rate limiting queries based on user role
 
 ### Configuration
 
-All the environment variables **should** be prefixed with `GMP_` to avoid conflicts with other applications.
-If `GMP_` prefixed environment variable is present - it will take precedence over the non-prefixed one.
-You can still use the non-prefixed environment variables in the spirit of the backward compatibility, but it's not recommended.
+* `MONITORING_PORT` - the port to expose the metrics endpoint on (default: 9393)
+* `PORT_GRAPHQL` - the port to expose the graphql endpoint on (default: 8080)
+* `HOST_GRAPHQL` - the host to proxy the graphql endpoint to (default: `http://localhost/v1/graphql`)
+* `JWT_USER_CLAIM_PATH` - the path to the user claim in the JWT token (default: ``)
+* `JWT_ROLE_CLAIM_PATH` - the path to the role claim in the JWT token (default: ``)
+* `JWT_ROLE_RATE_LIMITING` - enable request rate limiting based on the role (default: `false`)
+* `ENABLE_GLOBAL_CACHE` - enable the cache (default: `false`)
+* `CACHE_TTL` - the cache TTL (default: `60s`)
+* `LOG_LEVEL` - the log level (default: `info`)
+* `BLOCK_SCHEMA_INTROSPECTION` - blocks the schema introspection (default: `false`)
+* `ENABLE_ACCESS_LOG` - enable the access log (default: `false`)
 
-| Parameter                 | Description                              | Default Value              |
-|---------------------------|------------------------------------------|----------------------------|
-| `MONITORING_PORT`         | The port to expose the metrics endpoint  | `9393`                     |
-| `PORT_GRAPHQL`            | The port to expose the graphql endpoint  | `8080`                     |
-| `HOST_GRAPHQL`            | The host to proxy the graphql endpoint   | `http://localhost/` |
-| `HOST_GRAPHQL_READONLY`   | The host to proxy the read-only graphql endpoint | ``               |
-| `HEALTHCHECK_GRAPHQL_URL` | The URL to check the health of the graphql endpoint | `` |
-| `JWT_USER_CLAIM_PATH`     | Path to the user claim in the JWT token  | ``                         |
-| `JWT_ROLE_CLAIM_PATH`     | Path to the role claim in the JWT token  | ``                         |
-| `ROLE_FROM_HEADER`        | Header name to extract the role from     | ``                         |
-| `ROLE_RATE_LIMIT`         | Enable request rate limiting based on role| `false`                   |
-| `ENABLE_GLOBAL_CACHE`     | Enable the cache                        | `false`                    |
-| `CACHE_TTL`               | The cache TTL                           | `60`                       |
-| `ENABLE_REDIS_CACHE`      | Enable distributed Redis cache          | `false`                    |
-| `CACHE_REDIS_URL`         | URL to redis server / cluster endpoint  | `localhost:6379`           |
-| `CACHE_REDIS_PASSWORD`    | Redis connection password               | ``                         |
-| `CACHE_REDIS_DB`          | Redis DB id                             | `0`                        |
-| `LOG_LEVEL`               | The log level                           | `info`                     |
-| `BLOCK_SCHEMA_INTROSPECTION`| Blocks the schema introspection       | `false`                    |
-| `ALLOWED_INTROSPECTION`  | Allow only certain queries in introspection | ``                  |
-| `ENABLE_ACCESS_LOG`       | Enable the access log                   | `false`                    |
-| `READ_ONLY_MODE`          | Enable the read only mode               | `false`                    |
-| `ALLOWED_URLS`              | Allow access only to certain URLs       | `/v1/graphql,/v1/version`  |
-| `ENABLE_API`              | Enable the monitoring API               | `false`                    |
-| `API_PORT`                | The port to expose the monitoring API   | `9090`                     |
-| `BANNED_USERS_FILE`       | The path to the file with banned users  | `/go/src/app/banned_users.json`   |
-| `PROXIED_CLIENT_TIMEOUT` | The timeout for the proxied client in seconds     | `120`                      |
-| `PURGE_METRICS_ON_CRAWL` | Purge metrics on each /metrics crawl    | `false`                      |
-| `PURGE_METRICS_ON_TIMER` | Purge metrics every x seconds. `0` - disabled | `0`                      |
-| `HASURA_EVENT_CLEANER`   | Enable the hasura event cleaner          | `false`                    |
-| `HASURA_EVENT_CLEANER_OLDER_THAN` | The interval for the hasura event cleaner (in days) | `1`                  |
-| `HASURA_EVENT_METADATA_DB` | URL to the hasura metadata database    | `postgresql://localhost:5432/hasura` |
+### Caching
 
-### Speed
+Cache engine is enabled in background as it does not use any additional resources.
+You can then start using the cache by setting the `ENABLE_GLOBAL_CACHE` environment variable to `true` - which will enable the cache for all queries, without introspection of the query. You can leave the global cache disabled and enable the cache for specific queries by adding the `@cache` directive to the query.
 
-#### Caching
+### Role based rate limiting
 
-The cache engine is enabled in the background by default, using no additional resources.
-You can then start using the cache by setting the `ENABLE_GLOBAL_CACHE` or `ENABLE_REDIS_CACHE` environment variable to `true` - which will enable the cache for all queries without introspection. You can leave the global cache disabled and enable the cache for specific queries by adding the `@cached` directive to the query.
-
-In the case of the `@cached` you can add additional parameters to the directive which will set the cache for specific queries to the provided time.
-For example, `query MyCachedQuery @cached(ttl: 90) ....` will set the cache for the query to 90 seconds.
-
-You can also set cache for specific query by using `X-Cache-Graphql-Query` header, which will set the cache for the query to the provided time, for example `X-Cache-Graphql-Query: 90` will set the cache for the query to 90 seconds.
-
-You can also force refresh of the cache by using `@cached(refresh: true)` directive in the query, for example:
-
-```
-query MyProducts @cached(refresh: true) {
-  products {
-    id
-    name
-  }
-}
-```
-
-Since version `0.5.30` the cache is gzipped in the memory, which should optimise the memory usage quite significantly.
-Since version `0.15.48` the you can also use the distributed Redis cache.
-
-#### Read-only endpoint
-
-You can now specify the read-only GraphQL endpoint by setting the `HOST_GRAPHQL_READONLY` environment variable. The default value is empty, preventing the proxy from using the read-only endpoint for the queries and directing all the requests to the main endpoint specified as `HOST_GRAPHQL`. If the `HOST_GRAPHQL_READONLY` is set, the proxy will use the read-only endpoint for the queries with the `query` type and the main endpoint for the `mutation` type queries. Format of the read-only endpoint is the same as `HOST_GRAPHQL` endpoint, for example `http://localhost:8080/`.
-
-You can check out the [example of combined deployment with RW and read-only hasura](static/kubernetes-single-deployment-with-ro.yaml).
-
-### Maintenance
-
-#### Hasura event cleaner
-
-When enabled via `HASURA_EVENT_CLEANER=true` - proxy needs to have a direct access to the database to execute simple delete queries on schedule. You can specify number of days the logs should be kept for using `HASURA_EVENT_CLEANER_OLDER_THAN`, for example `HASURA_EVENT_CLEANER_OLDER_THAN=14` will keep 14 days of event execution logs. Ticker managing the cleaner routine will be executed every hour.
-
-Following tables are being cleaned:
-- `hdb_catalog.event_invocation_logs`
-- `hdb_catalog.event_log`
-- `hdb_catalog.hdb_action_log`
-- `hdb_catalog.hdb_cron_event_invocation_logs`
-- `hdb_catalog.hdb_scheduled_event_invocation_logs`
-
-
-### Security
-
-#### Role-based rate limiting
-
-You can rate limit requests using the `ROLE_RATE_LIMIT` environment variable. If enabled, the proxy will rate limit the requests based on the role claim in the JWT token. You can then provide the JSON file in the following format to specify the limits.
-The default interval is `second`, but you can use other values as well. If you want to disable the rate limiting for a specific role, you can set the `req` to `0`.
+You are able to rate limit requests using the `JWT_ROLE_RATE_LIMITING` environment variable. If enabled, the proxy will rate limit the requests based on the role claim in the JWT token. You can then provide the json file in following format to specify the limits.
+Default interval is `second`, but you can use other values as well. If you want to disable the rate limiting for specific role, you can set the `req` to `0`.
 
 Available values:
 `nano`, `micro`, `milli`, `second`, `minute`, `hour`, `day`
 
-To define path in JWT token where the current user role is present, use the `JWT_ROLE_CLAIM_PATH` environment variable.
+To define path in JWT token where current user role is present use the `JWT_ROLE_CLAIM_PATH` environment variable.
 
-You can also set up the `ROLE_FROM_HEADER` environment variable to extract the role from the header instead of the JWT token. This is useful if you want to rate limit the requests for unauthenticated users. It's worth mentioning that `ROLE_FROM_HEADER` takes a priority over the `JWT_ROLE_CLAIM_PATH` environment variable and if its set, the proxy will not try to extract the role from the JWT token.
-
-*Default/sample configuration:*
+*Default / sample configuration:*
 
 ```json
 {
@@ -230,74 +82,7 @@ If you'd like to change it - mount your configmap as `/app/ratelimit.json` file.
 Remember to include the `-` role, which is used for unauthenticated users or when claim can't be found for any reason.
 If rate limit has been reached - the proxy will return `429 Too Many Requests` error.
 
-
-#### Read-only mode
-
-You can enable the read-only mode by setting the `READ_ONLY_MODE` environment variable to `true` - which will block all the `mutation` queries.
-
-#### Allowing access to listed URLs
-
-You can allow access only to certain URLs by setting the `ALLOWED_URLS` environment variable to a comma-separated list of URLs. If enabled - other URLs will return `403 Forbidden` error and request will **not** reach the proxied service.
-
-#### Blocking introspection
-
-You can block the schema introspection by setting the `BLOCK_SCHEMA_INTROSPECTION` environment variable to `true` - which will block all the queries with introspection parts, like:
-
-`__schema`, `__type`, `__typename`, `__directive`, `__directivelocation`, `__field`, `__inputvalue`, `__enumvalue`, `__typekind`, `__fieldtype`, `__inputobjecttype`, `__enumtype`, `__uniontype`, `__scalars`, `__objects`, `__interfaces`, `__unions`, `__enums`, `__inputobjects`, `__directives`
-
-If you'd like to keep blocking of the schema introspection on but allow one or more of from the list of above for any reason, you can use the `ALLOWED_INTROSPECTION` environment variable to specify the list of allowed queries.
-
-`ALLOWED_INTROSPECTION="__typename,__type"`
-
-### API endpoints
-
-#### Ban or unban the user
-
-Your monitoring system can detect user misbehaving, for example trying to extract / scrap the data. To prevent user from doing so you can use the simple API to ban the user from accessing the application.
-
-To do so - you need to enable the api by setting env variable `ENABLE_API=true` which will expose the API on the port `API_PORT=9090`. Nedless to say - keep it secure and don't expose it outside of your cluster.
-
- Then you can use the following endpoints:
-
-* `POST /api/user-ban` - ban the user from accessing the application
-* `POST /api/user-unban` - unban the user from accessing the application
-
-#### Cache operations
-
-* `POST /api/cache-clear` - clear the cache
-* `GET /api/cache-stats` - get the cache statistics ( hits, misses, size )
-
-Both endpoints require the `user_id` parameter to be present in the request body and allow you to provide the reason for the ban.
-
-Example request:
-
-```bash
-curl -X POST \
-  http://localhost:9090/api/user-ban \
-  -H 'Content-Type: application/json' \
-  -d '{
-      "user_id": "1337",
-      "reason": "Scraping data"
-    }'
-```
-
-Ban details will be stored in the `banned_users.json` file, which you can mount as a file or configmap to the `/go/src/app/banned_users.json` path ( or use `BANNED_USERS_FILE` environment variable to specify the path to the file). The file operation is important if you have multiple instances of the proxy running, as it will allow you to ban the user from accessing the application on all instances.
-
-### General
-
-#### Metrics which matter
-
-You can always enable `PURGE_METRICS_ON_CRAWL` environment variable to purge the metrics on each `/metrics` crawl. This will allow you to see only the current metrics, without potential leftovers from the previous crawls. This is useful if you want to monitor the metrics in real-time and / or limit the amount of data ingested into the monitoring system. When enabled you will most likely need to update your monitoring queries.
-
-With the `PURGE_METRICS_ON_CRAWL` enabled, the `graphql_proxy_requests_failed`, `graphql_proxy_requests_skipped` and `graphql_proxy_requests_succesful` metrics will remain between resets.
-
-If you prefer more control over the metrics purging - you can enable `PURGE_METRICS_ON_TIMER` environment variable and set the interval in seconds. This will allow you to purge the metrics on a regular basis, for example every 90 seconds. It could be better solution if you have multiple crawlers checking the metrics endpoints and you want to avoid the situation when metrics are purged by for example healthcheck.
-
-#### Healthcheck
-
-If you'd like the `/healthz` endpoint to perform actual check for the connectivity to the graphql endpoint - set the `HEALTHCHECK_GRAPHQL_URL` environment variable to the exact URL of the graphql endpoint. The query executed will be `query { __typename }` and if the response is not `200 OK` - the healthcheck will fail. Remember that the endpoint is a full URL which you'd like to check, so it should include the protocol, host and path - for example `http://localhost:8080/v1/graphql` and it's NOT the same as value of `HOST_GRAPHQL` environment variable which should provide only the host, without path, ending with slash.
-
-#### Monitoring endpoint
+### Monitoring endpoint
 
 Example metrics produced by the proxy:
 
@@ -314,7 +99,4 @@ graphql_proxy_executed_query{user_id="-",op_type="query",op_name="checkIfSpamAIR
 graphql_proxy_requests_failed 324
 graphql_proxy_requests_skipped 0
 graphql_proxy_requests_succesful 454823
-graphql_proxy_cache_hit{microservice="graphql_proxy",pod="hasura-w-proxy-internal-6b5f4b4bbb-9xwfc"} 7
-graphql_proxy_cache_hit{pod="hasura-w-proxy-internal-6b5f4b4bbb-9xwfc",microservice="graphql_proxy"} 1
-graphql_proxy_cache_miss{microservice="graphql_proxy",pod="hasura-w-proxy-internal-6b5f4b4bbb-9xwfc"} 23
-```
+```

cache.go

@@ -0,0 +1,33 @@
+package main
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/akyoto/cache"
+	fiber "github.com/gofiber/fiber/v2"
+	"github.com/gookit/goutil/strutil"
+)
+
+func calculateHash(c *fiber.Ctx) string {
+	return strutil.Md5(fmt.Sprintf("%s", c.Body()))
+}
+
+func enableCache() {
+	var err error
+	cfg.Cache.CacheClient = cache.New(time.Duration(cfg.Cache.CacheTTL) * time.Second * 2)
+	if err != nil {
+		cfg.Logger.Critical("Can't create cache client", map[string]interface{}{"error": err.Error()})
+		panic(err)
+	}
+}
+
+func cacheLookup(hash string) []byte {
+	if cfg.Cache.CacheClient != nil {
+		obj, found := cfg.Cache.CacheClient.Get(hash)
+		if found {
+			return obj.([]byte)
+		}
+	}
+	return nil
+}

cache_test.go

@@ -0,0 +1,49 @@
+package main
+
+import (
+	"testing"
+	"time"
+)
+
+func (suite *Tests) Test_cacheLookup() {
+	type args struct {
+		hash string
+	}
+	tests := []struct {
+		name     string
+		args     args
+		want     []byte
+		addCache struct {
+			data []byte
+		}
+	}{
+		{
+			name: "test_non_existent",
+			args: args{
+				hash: "00000000000000000000000000000000000000",
+			},
+			want: nil,
+		},
+		{
+			name: "test_existent",
+			args: args{
+				hash: "00000000000000000000000000000000000001",
+			},
+			want: []byte("it's fine."),
+			addCache: struct {
+				data []byte
+			}{
+				data: []byte("it's fine."),
+			},
+		},
+	}
+	for _, tt := range tests {
+		suite.T().Run(tt.name, func(t *testing.T) {
+			if tt.addCache.data != nil {
+				cfg.Cache.CacheClient.Set(tt.args.hash, tt.addCache.data, time.Duration(1)*time.Second)
+			}
+			got := cacheLookup(tt.args.hash)
+			assert.Equal(tt.want, got, "Unexpected cache lookup result")
+		})
+	}
+}

details.go

@@ -0,0 +1,52 @@
+package main
+
+import (
+	"encoding/base64"
+	"fmt"
+	"strings"
+
+	"github.com/lukaszraczylo/ask"
+	libpack_monitoring "github.com/telegram-bot-app/libpack/monitoring"
+)
+
+func extractClaimsFromJWTHeader(authorization string) (usr string, role string) {
+	usr, role = "-", "-"
+
+	handleError := func(msg string, details map[string]interface{}) {
+		cfg.Monitoring.Increment(libpack_monitoring.MetricsFailed, nil)
+		cfg.Logger.Error(msg, details)
+	}
+
+	tokenParts := strings.Split(authorization, ".")
+	if len(tokenParts) != 3 {
+		handleError("Can't split the token", map[string]interface{}{"token": authorization})
+		return
+	}
+
+	claim, err := base64.RawURLEncoding.DecodeString(tokenParts[1])
+	if err != nil {
+		handleError("Can't decode the token", map[string]interface{}{"token": authorization})
+		return
+	}
+
+	var claimMap map[string]interface{}
+	if err = json.Unmarshal(claim, &claimMap); err != nil {
+		handleError("Can't unmarshal the claim", map[string]interface{}{"token": authorization})
+		return
+	}
+
+	extractClaim := func(claimPath string, target *string, name string) {
+		if len(claimPath) > 0 {
+			var ok bool
+			*target, ok = ask.For(claimMap, claimPath).String("-")
+			if !ok {
+				handleError(fmt.Sprintf("Can't find the %s", name), map[string]interface{}{"claim_map": claimMap, "path": claimPath})
+			}
+		}
+	}
+
+	extractClaim(cfg.Client.JWTUserClaimPath, &usr, "user id")
+	extractClaim(cfg.Client.JWTRoleClaimPath, &role, "role")
+
+	return
+}

details_test.go

@@ -0,0 +1,83 @@
+package main
+
+import "testing"
+
+func (suite *Tests) Test_extractClaimsFromJWTHeader() {
+	jwt_token_for_tests := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiSGFzdXJhIjp7IngtaGFzdXJhLWFsbG93ZWQtcm9sZXMiOlsiZ3Vlc3QiLCJ1c2VyIiwiZ3JvdXBhZG1pbiIsInBheWFkbWluIl0sIngtaGFzdXJhLWRlZmF1bHQtcm9sZSI6Imd1ZXN0IiwieC1oYXN1cmEtdXNlci1pZCI6IjE2NyIsIngtaGFzdXJhLXVzZXItdXVpZCI6ImRkM2U2ZTM1LTA0MDktNDNiMC1iZmYxLWNlZjNjNmVkNWYxMCJ9LCJpc3MiOiJBdXRoU2VydmljZSIsImV4cCI6MTY5NjgwMTcyNiwibmJmIjoxNjk2NTg1NzI2LCJpYXQiOjE2OTY1ODU3MjZ9.dsJ5JKzG5tXOlqeZ_Gfe2XC-vyrcwtYwOGfhvt8q9UY"
+
+	type args struct {
+		authorization string
+	}
+
+	tests := []struct {
+		name           string
+		args           args
+		wantUsr        string
+		wantRole       string
+		jwt_token_path string
+		jwt_role_path  string
+	}{
+		{
+			name:     "test_empty",
+			wantUsr:  "-",
+			wantRole: "-",
+		},
+		{
+			name: "test_invalid_path",
+			args: args{
+				authorization: jwt_token_for_tests,
+			},
+			wantUsr:        "-",
+			wantRole:       "-",
+			jwt_token_path: "invalid",
+		},
+		{
+			name: "test_invalid_role_path",
+			args: args{
+				authorization: jwt_token_for_tests,
+			},
+			wantUsr:       "-",
+			wantRole:      "-",
+			jwt_role_path: "invalid",
+		},
+		{
+			name: "test_valid",
+			args: args{
+				authorization: jwt_token_for_tests,
+			},
+			wantUsr:        "167",
+			wantRole:       "guest",
+			jwt_token_path: "Hasura.x-hasura-user-id",
+			jwt_role_path:  "Hasura.x-hasura-default-role",
+		},
+		{
+			name: "test_invalid_token",
+			args: args{
+				authorization: "invalid",
+			},
+			wantUsr:  "-",
+			wantRole: "-",
+		},
+		{
+			name: "test_invalid_three_part_token",
+			args: args{
+				authorization: "invalid.threepart.token",
+			},
+			wantUsr:  "-",
+			wantRole: "-",
+		},
+	}
+	for _, tt := range tests {
+		suite.T().Run(tt.name, func(t *testing.T) {
+			if len(tt.jwt_token_path) > 0 {
+				cfg.Client.JWTUserClaimPath = tt.jwt_token_path
+			}
+			if len(tt.jwt_role_path) > 0 {
+				cfg.Client.JWTRoleClaimPath = tt.jwt_role_path
+			}
+			gotUsr, gotRole := extractClaimsFromJWTHeader(tt.args.authorization)
+			assert.Equal(tt.wantUsr, gotUsr, "Unexpected user ID")
+			assert.Equal(tt.wantRole, gotRole, "Unexpected role")
+		})
+	}
+}

docs/index.html

@@ -1,281 +0,0 @@
-<!DOCTYPE html>
-<html>
-  <head>
-    <meta charset="utf-8" />
-    <meta name="viewport" content="width=device-width, minimum-scale=1.0, initial-scale=1, user-scalable=yes" />
-    <style>
-      html {
-        font-family: BlinkMacSystemFont,-apple-system,"Segoe UI",Roboto,Oxygen,Ubuntu,Cantarell,"Fira Sans","Droid Sans","Helvetica Neue",Helvetica,Arial,sans-serif;
-        -webkit-font-smoothing: antialiased;
-        background-color: #fff;
-        font-size: 16px;
-      }
-      body {
-        color: #4a4a4a;
-        margin: 8px;
-        font-size: 1em;
-        font-weight: 400;
-      }
-      header {
-        margin-bottom: 8px;
-        display: flex;
-        flex-direction: column;
-      }
-      main {
-        width: 100%;
-        display: flex;
-        flex-direction: column;
-      }
-      a {
-        color: #3273dc;
-        cursor: pointer;
-        text-decoration: none;
-      }
-      a:hover {
-        color: #000;
-      }
-      button {
-        color: #fff;
-        background-color: #3298dc;
-        border-color: transparent;
-        cursor: pointer;
-        text-align: center;
-      }
-      button:hover {
-        background-color: #2793da;
-        flex: none;
-      }
-      .spacer {
-        flex: auto;
-      }
-      .small {
-        font-size: 0.75rem;
-      }
-      footer {
-        margin-top: 16px;
-        display: flex;
-        align-items: center;
-      }
-      .header-label {
-        margin-right: 4px;
-      }
-      .benchmark-set {
-        margin: 8px 0;
-        width: 100%;
-        display: flex;
-        flex-direction: column;
-      }
-      .benchmark-title {
-        font-size: 3rem;
-        font-weight: 600;
-        word-break: break-word;
-        text-align: center;
-      }
-      .benchmark-graphs {
-        display: flex;
-        flex-direction: row;
-        justify-content: space-around;
-        align-items: center;
-        flex-wrap: wrap;
-        width: 100%;
-      }
-      .benchmark-chart {
-        max-width: 1000px;
-      }
-    </style>
-    <title>Benchmarks</title>
-  </head>
-
-  <body>
-    <header id="header">
-      <div class="header-item">
-        <strong class="header-label">Last Update:</strong>
-        <span id="last-update"></span>
-      </div>
-      <div class="header-item">
-        <strong class="header-label">Repository:</strong>
-        <a id="repository-link" rel="noopener"></a>
-      </div>
-    </header>
-    <main id="main"></main>
-    <footer>
-      <button id="dl-button">Download data as JSON</button>
-      <div class="spacer"></div>
-      <div class="small">Powered by <a rel="noopener" href="https://github.com/marketplace/actions/continuous-benchmark">github-action-benchmark</a></div>
-    </footer>
-
-    <script src="https://cdn.jsdelivr.net/npm/chart.js@2.9.2/dist/Chart.min.js"></script>
-    <script src="data.js"></script>
-    <script id="main-script">
-      'use strict';
-      (function() {
-        // Colors from https://github.com/github/linguist/blob/master/lib/linguist/languages.yml
-        const toolColors = {
-          cargo: '#dea584',
-          go: '#00add8',
-          benchmarkjs: '#f1e05a',
-          benchmarkluau: '#000080',
-          pytest: '#3572a5',
-          googlecpp: '#f34b7d',
-          catch2: '#f34b7d',
-          julia: '#a270ba',
-          jmh: '#b07219',
-          benchmarkdotnet: '#178600',
-          customBiggerIsBetter: '#38ff38',
-          customSmallerIsBetter: '#ff3838',
-          _: '#333333'
-        };
-
-        function init() {
-          function collectBenchesPerTestCase(entries) {
-            const map = new Map();
-            for (const entry of entries) {
-              const {commit, date, tool, benches} = entry;
-              for (const bench of benches) {
-                const result = { commit, date, tool, bench };
-                const arr = map.get(bench.name);
-                if (arr === undefined) {
-                  map.set(bench.name, [result]);
-                } else {
-                  arr.push(result);
-                }
-              }
-            }
-            return map;
-          }
-
-          const data = window.BENCHMARK_DATA;
-
-          // Render header
-          document.getElementById('last-update').textContent = new Date(data.lastUpdate).toString();
-          const repoLink = document.getElementById('repository-link');
-          repoLink.href = data.repoUrl;
-          repoLink.textContent = data.repoUrl;
-
-          // Render footer
-          document.getElementById('dl-button').onclick = () => {
-            const dataUrl = 'data:,' + JSON.stringify(data, null, 2);
-            const a = document.createElement('a');
-            a.href = dataUrl;
-            a.download = 'benchmark_data.json';
-            a.click();
-          };
-
-          // Prepare data points for charts
-          return Object.keys(data.entries).map(name => ({
-            name,
-            dataSet: collectBenchesPerTestCase(data.entries[name]),
-          }));
-        }
-
-        function renderAllChars(dataSets) {
-
-          function renderGraph(parent, name, dataset) {
-            const canvas = document.createElement('canvas');
-            canvas.className = 'benchmark-chart';
-            parent.appendChild(canvas);
-
-            const color = toolColors[dataset.length > 0 ? dataset[0].tool : '_'];
-            const data = {
-              labels: dataset.map(d => d.commit.id.slice(0, 7)),
-              datasets: [
-                {
-                  label: name,
-                  data: dataset.map(d => d.bench.value),
-                  borderColor: color,
-                  backgroundColor: color + '60', // Add alpha for #rrggbbaa
-                }
-              ],
-            };
-            const options = {
-              scales: {
-                xAxes: [
-                  {
-                    scaleLabel: {
-                      display: true,
-                      labelString: 'commit',
-                    },
-                  }
-                ],
-                yAxes: [
-                  {
-                    scaleLabel: {
-                      display: true,
-                      labelString: dataset.length > 0 ? dataset[0].bench.unit : '',
-                    },
-                    ticks: {
-                      beginAtZero: true,
-                    }
-                  }
-                ],
-              },
-              tooltips: {
-                callbacks: {
-                  afterTitle: items => {
-                    const {index} = items[0];
-                    const data = dataset[index];
-                    return '\n' + data.commit.message + '\n\n' + data.commit.timestamp + ' committed by @' + data.commit.committer.username + '\n';
-                  },
-                  label: item => {
-                    let label = item.value;
-                    const { range, unit } = dataset[item.index].bench;
-                    label += ' ' + unit;
-                    if (range) {
-                      label += ' (' + range + ')';
-                    }
-                    return label;
-                  },
-                  afterLabel: item => {
-                    const { extra } = dataset[item.index].bench;
-                    return extra ? '\n' + extra : '';
-                  }
-                }
-              },
-              onClick: (_mouseEvent, activeElems) => {
-                if (activeElems.length === 0) {
-                  return;
-                }
-                // XXX: Undocumented. How can we know the index?
-                const index = activeElems[0]._index;
-                const url = dataset[index].commit.url;
-                window.open(url, '_blank');
-              },
-            };
-
-            new Chart(canvas, {
-              type: 'line',
-              data,
-              options,
-            });
-          }
-
-          function renderBenchSet(name, benchSet, main) {
-            const setElem = document.createElement('div');
-            setElem.className = 'benchmark-set';
-            main.appendChild(setElem);
-
-            const nameElem = document.createElement('h1');
-            nameElem.className = 'benchmark-title';
-            nameElem.textContent = name;
-            setElem.appendChild(nameElem);
-
-            const graphsElem = document.createElement('div');
-            graphsElem.className = 'benchmark-graphs';
-            setElem.appendChild(graphsElem);
-
-            for (const [benchName, benches] of benchSet.entries()) {
-              renderGraph(graphsElem, benchName, benches)
-            }
-          }
-
-          const main = document.getElementById('main');
-          for (const {name, dataSet} of dataSets) {
-            renderBenchSet(name, dataSet, main);
-          }
-        }
-
-        renderAllChars(init()); // Start
-      })();
-    </script>
-  </body>
-</html>

go.mod

@@ -0,0 +1,51 @@
+module github.com/lukaszraczylo/graphql-monitoring-proxy
+
+go 1.21
+
+require (
+	github.com/akyoto/cache v1.0.6
+	github.com/gofiber/fiber/v2 v2.49.2
+	github.com/gookit/goutil v0.6.12
+	github.com/graphql-go/graphql v0.8.1
+	github.com/json-iterator/go v1.1.12
+	github.com/lukaszraczylo/ask v0.0.0-20230927103145-2ff1123b4415
+	github.com/lukaszraczylo/go-ratecounter v0.1.8
+	github.com/lukaszraczylo/go-simple-graphql v1.1.31
+	github.com/stretchr/testify v1.8.4
+	github.com/telegram-bot-app/libpack v0.0.0-20231008100411-9f7f8bf94315
+)
+
+require (
+	dario.cat/mergo v1.0.0 // indirect
+	github.com/VictoriaMetrics/metrics v1.24.0 // indirect
+	github.com/andybalholm/brotli v1.0.5 // indirect
+	github.com/avast/retry-go/v4 v4.5.0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/google/uuid v1.3.1 // indirect
+	github.com/gookit/color v1.5.4 // indirect
+	github.com/klauspost/compress v1.17.0 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/lukaszraczylo/pandati v0.0.29 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.19 // indirect
+	github.com/mattn/go-runewidth v0.0.15 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/rivo/uniseg v0.4.4 // indirect
+	github.com/rs/zerolog v1.31.0 // indirect
+	github.com/telegram-bot-app/lib-logging v0.0.19 // indirect
+	github.com/valyala/bytebufferpool v1.0.0 // indirect
+	github.com/valyala/fasthttp v1.50.0 // indirect
+	github.com/valyala/fastrand v1.1.0 // indirect
+	github.com/valyala/histogram v1.2.0 // indirect
+	github.com/valyala/tcplisten v1.0.0 // indirect
+	github.com/wI2L/jsondiff v0.4.0 // indirect
+	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
+	golang.org/x/net v0.16.0 // indirect
+	golang.org/x/sync v0.4.0 // indirect
+	golang.org/x/sys v0.13.0 // indirect
+	golang.org/x/term v0.13.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)

go.sum

@@ -0,0 +1,110 @@
+dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
+dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+github.com/VictoriaMetrics/metrics v1.24.0 h1:ILavebReOjYctAGY5QU2F9X0MYvkcrG3aEn2RKa1Zkw=
+github.com/VictoriaMetrics/metrics v1.24.0/go.mod h1:eFT25kvsTidQFHb6U0oa0rTrDRdz4xTYjpL8+UPohys=
+github.com/akyoto/cache v1.0.6 h1:5XGVVYoi2i+DZLLPuVIXtsNIJ/qaAM16XT0LaBaXd2k=
+github.com/akyoto/cache v1.0.6/go.mod h1:WfxTRqKhfgAG71Xh6E3WLpjhBtZI37O53G4h5s+3iM4=
+github.com/andybalholm/brotli v1.0.5 h1:8uQZIdzKmjc/iuPu7O2ioW48L81FgatrcpfFmiq/cCs=
+github.com/andybalholm/brotli v1.0.5/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
+github.com/avast/retry-go/v4 v4.5.0 h1:QoRAZZ90cj5oni2Lsgl2GW8mNTnUCnmpx/iKpwVisHg=
+github.com/avast/retry-go/v4 v4.5.0/go.mod h1:7hLEXp0oku2Nir2xBAsg0PTphp9z71bN5Aq1fboC3+I=
+github.com/buger/jsonparser v1.1.1 h1:2PnMjfWD7wBILjqQbt530v576A/cAbQvEW9gGIpYMUs=
+github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0=
+github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/gofiber/fiber/v2 v2.49.2 h1:ONEN3/Vc+dUCxxDgZZwpqvhISgHqb+bu+isBiEyKEQs=
+github.com/gofiber/fiber/v2 v2.49.2/go.mod h1:gNsKnyrmfEWFpJxQAV0qvW6l70K1dZGno12oLtukcts=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4=
+github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gookit/color v1.5.4 h1:FZmqs7XOyGgCAxmWyPslpiok1k05wmY3SJTytgvYFs0=
+github.com/gookit/color v1.5.4/go.mod h1:pZJOeOS8DM43rXbp4AZo1n9zCU2qjpcRko0b6/QJi9w=
+github.com/gookit/goutil v0.6.12 h1:73vPUcTtVGXbhSzBOFcnSB1aJl7Jq9np3RAE50yIDZc=
+github.com/gookit/goutil v0.6.12/go.mod h1:g6krlFib8xSe3G1h02IETowOtrUGpAmetT8IevDpvpM=
+github.com/graphql-go/graphql v0.8.1 h1:p7/Ou/WpmulocJeEx7wjQy611rtXGQaAcXGqanuMMgc=
+github.com/graphql-go/graphql v0.8.1/go.mod h1:nKiHzRM0qopJEwCITUuIsxk9PlVlwIiiI8pnJEhordQ=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/klauspost/compress v1.17.0 h1:Rnbp4K9EjcDuVuHtd0dgA4qNuv9yKDYKK1ulpJwgrqM=
+github.com/klauspost/compress v1.17.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/lukaszraczylo/ask v0.0.0-20230927103145-2ff1123b4415 h1:lvI8Wlbg4PxkRcg2f10wgoaRpfN19v+YdRek3+dLtlM=
+github.com/lukaszraczylo/ask v0.0.0-20230927103145-2ff1123b4415/go.mod h1:M+UVdyqZs++xtEPrascaVmZdOMhCnxjZ2SgH+xHpR0c=
+github.com/lukaszraczylo/go-ratecounter v0.1.8 h1:ZYm6Wkn58ZAlFWRmC7PaD4oAYHWcu8/0MUDWGe3PnJQ=
+github.com/lukaszraczylo/go-ratecounter v0.1.8/go.mod h1:TqXEOCtFJStk1i0tkipprv1kiDHGon1MVUisjSTBSKM=
+github.com/lukaszraczylo/go-simple-graphql v1.1.31 h1:UA3f8M1cV+XnO8UZlAqveW0qF/2NN512eB/gRqe+BHs=
+github.com/lukaszraczylo/go-simple-graphql v1.1.31/go.mod h1:MyftQ8jTdtkYImPXJpHoxz6+E53Ydv+7q9+Jr+eT8WU=
+github.com/lukaszraczylo/pandati v0.0.29 h1:WUEWm1+hWjE5KJbIL8OctG00x2dk4XKGJSlrjhxZ55k=
+github.com/lukaszraczylo/pandati v0.0.29/go.mod h1:+DyTWKFaXd+jIfe7GW5w2S5PyTko/RXxMyOa+Vl713A=
+github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA=
+github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
+github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
+github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis=
+github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
+github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
+github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
+github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
+github.com/rs/zerolog v1.31.0 h1:FcTR3NnLWW+NnTwwhFWiJSZr4ECLpqCm6QsEnyvbV4A=
+github.com/rs/zerolog v1.31.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/telegram-bot-app/lib-logging v0.0.19 h1:zbyFr2ygeBY+yuaB9moXyOGk8dIBCn0jPJQjvx7YvLE=
+github.com/telegram-bot-app/lib-logging v0.0.19/go.mod h1:n8d29fRUTdgJhC4RZ8s4lP2RHiGCCRYEj2ENEClUGc8=
+github.com/telegram-bot-app/libpack v0.0.0-20231008100411-9f7f8bf94315 h1:gf+3gFgtdh48RQNmLNdK1IcGqpuTuj6RAdHxDMd/YPY=
+github.com/telegram-bot-app/libpack v0.0.0-20231008100411-9f7f8bf94315/go.mod h1:W2kWHcfNNS0r++dJ1T2XX/C4cTSxI3MsoiMbOtyqu+I=
+github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
+github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
+github.com/valyala/fasthttp v1.50.0 h1:H7fweIlBm0rXLs2q0XbalvJ6r0CUPFWK3/bB4N13e9M=
+github.com/valyala/fasthttp v1.50.0/go.mod h1:k2zXd82h/7UZc3VOdJ2WaUqt1uZ/XpXAfE9i+HBC3lA=
+github.com/valyala/fastrand v1.1.0 h1:f+5HkLW4rsgzdNoleUOB69hyT9IlD2ZQh9GyDMfb5G8=
+github.com/valyala/fastrand v1.1.0/go.mod h1:HWqCzkrkg6QXT8V2EXWvXCoow7vLwOFN002oeRzjapQ=
+github.com/valyala/histogram v1.2.0 h1:wyYGAZZt3CpwUiIb9AU/Zbllg1llXyrtApRS815OLoQ=
+github.com/valyala/histogram v1.2.0/go.mod h1:Hb4kBwb4UxsaNbbbh+RRz8ZR6pdodR57tzWUS3BUzXY=
+github.com/valyala/tcplisten v1.0.0 h1:rBHj/Xf+E1tRGZyWIWwJDiRY0zc1Js+CV5DqwacVSA8=
+github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc=
+github.com/wI2L/jsondiff v0.4.0 h1:iP56F9tK83eiLttg3YdmEENtZnwlYd3ezEpNNnfZVyM=
+github.com/wI2L/jsondiff v0.4.0/go.mod h1:nR/vyy1efuDeAtMwc3AF6nZf/2LD1ID8GTyyJ+K8YB0=
+github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
+github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
+golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
+golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
+golang.org/x/net v0.16.0 h1:7eBu7KsSvFDtSXUIDbh3aqlK4DPsZ1rByC8PFfBThos=
+golang.org/x/net v0.16.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ=
+golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
+golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

graphql.go

@@ -0,0 +1,90 @@
+package main
+
+import (
+	fiber "github.com/gofiber/fiber/v2"
+	"github.com/graphql-go/graphql/language/ast"
+	"github.com/graphql-go/graphql/language/parser"
+	libpack_monitoring "github.com/telegram-bot-app/libpack/monitoring"
+)
+
+var retrospection_queries = []string{
+	"__schema",
+	"__type",
+	"__typename",
+	"__directive",
+	"__directivelocation",
+	"__field",
+	"__inputvalue",
+	"__enumvalue",
+	"__typekind",
+	"__fieldtype",
+	"__inputobjecttype",
+	"__enumtype",
+	"__uniontype",
+	"__scalars",
+	"__objects",
+	"__interfaces",
+	"__unions",
+	"__enums",
+	"__inputobjects",
+	"__directives",
+}
+
+// Saving the introspection queries as a map O(1) operation instead of O(n) for a slice.
+var retrospectionQuerySet = make(map[string]struct{}, len(retrospection_queries))
+
+func parseGraphQLQuery(c *fiber.Ctx) (operationType, operationName string, cacheRequest bool, should_block bool) {
+	m := make(map[string]interface{})
+	err := json.Unmarshal(c.Body(), &m)
+	if err != nil {
+		cfg.Logger.Error("Can't unmarshal the request", map[string]interface{}{"error": err.Error(), "body": string(c.Body())})
+		cfg.Monitoring.Increment(libpack_monitoring.MetricsFailed, nil)
+		return
+	}
+	// get the query
+	query, ok := m["query"].(string)
+	if !ok {
+		cfg.Logger.Error("Can't find the query", map[string]interface{}{"query": query, "m_val": m})
+		cfg.Monitoring.Increment(libpack_monitoring.MetricsSkipped, nil)
+		return
+	}
+
+	p, err := parser.Parse(parser.ParseParams{Source: query})
+	if err != nil {
+		cfg.Logger.Error("Can't parse the query", map[string]interface{}{"query": query, "m_val": m})
+		cfg.Monitoring.Increment(libpack_monitoring.MetricsFailed, nil)
+		return
+	}
+
+	operationName = "undefined"
+	for _, d := range p.Definitions {
+		if oper, ok := d.(*ast.OperationDefinition); ok {
+			operationType = oper.Operation
+			if oper.Name != nil {
+				operationName = oper.Name.Value
+			} else {
+				operationName = "undefined"
+			}
+			for _, dir := range oper.Directives {
+				if dir.Name.Value == "cached" {
+					cacheRequest = true
+				}
+			}
+			if cfg.Security.BlockIntrospection {
+				for _, s := range oper.SelectionSet.Selections {
+					for _, s2 := range s.GetSelectionSet().Selections {
+						if _, exists := retrospectionQuerySet[s2.(*ast.Field).Name.Value]; exists {
+							cfg.Logger.Warning("Introspection query blocked", m)
+							cfg.Monitoring.Increment(libpack_monitoring.MetricsSkipped, nil)
+							c.Status(403).SendString("Introspection queries are not allowed")
+							should_block = true
+							return
+						}
+					}
+				}
+			}
+		}
+	}
+
+	return
+}

main.go

@@ -0,0 +1,43 @@
+package main
+
+import (
+	"github.com/gookit/goutil/envutil"
+	graphql "github.com/lukaszraczylo/go-simple-graphql"
+	libpack_config "github.com/telegram-bot-app/libpack/config"
+	libpack_logging "github.com/telegram-bot-app/libpack/logging"
+)
+
+var cfg *config
+
+func init() {
+	for _, query := range retrospection_queries {
+		retrospectionQuerySet[query] = struct{}{}
+	}
+}
+
+func parseConfig() {
+	libpack_config.PKG_NAME = "graphql_proxy"
+	var c config
+	c.Server.PortGraphQL = envutil.GetInt("PORT_GRAPHQL", 8080)
+	c.Server.PortMonitoring = envutil.GetInt("MONITORING_PORT", 9393)
+	c.Server.HostGraphQL = envutil.Getenv("HOST_GRAPHQL", "http://localhost/v1/graphql")
+	c.Client.JWTUserClaimPath = envutil.Getenv("JWT_USER_CLAIM_PATH", "")
+	c.Client.JWTRoleClaimPath = envutil.Getenv("JWT_ROLE_CLAIM_PATH", "")
+	c.Client.JWTRoleRateLimit = envutil.GetBool("JWT_ROLE_RATE_LIMIT", false)
+	c.Cache.CacheEnable = envutil.GetBool("ENABLE_GLOBAL_CACHE", false)
+	c.Cache.CacheTTL = envutil.GetInt("CACHE_TTL", 60)
+	c.Security.BlockIntrospection = envutil.GetBool("BLOCK_SCHEMA_INTROSPECTION", false)
+	c.Logger = libpack_logging.NewLogger()
+	c.Client.GQLClient = graphql.NewConnection()
+	c.Client.GQLClient.SetEndpoint(c.Server.HostGraphQL)
+	c.Server.AccessLog = envutil.GetBool("ENABLE_ACCESS_LOG", false)
+	cfg = &c
+	enableCache() // takes close to no resources, but can be used with dynamic query cache
+	loadRatelimitConfig()
+}
+
+func main() {
+	parseConfig()
+	StartMonitoringServer()
+	StartHTTPProxy()
+}

main_test.go

@@ -0,0 +1,34 @@
+package main
+
+import (
+	"fmt"
+	"testing"
+
+	assertions "github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/suite"
+)
+
+type Tests struct {
+	suite.Suite
+}
+
+var (
+	assert *assertions.Assertions
+)
+
+func (suite *Tests) SetupTest() {
+	assert = assertions.New(suite.T())
+}
+
+func (suite *Tests) BeforeTest(suiteName, testName string) {
+	fmt.Println("BeforeTest")
+	cfg = &config{}
+	parseConfig()
+	StartMonitoringServer()
+}
+
+// func (suite *Tests) AfterTest(suiteName, testName string) {)
+
+func TestSuite(t *testing.T) {
+	suite.Run(t, new(Tests))
+}

monitoring.go

@@ -0,0 +1,11 @@
+package main
+
+import (
+	libpack_monitoring "github.com/telegram-bot-app/libpack/monitoring"
+)
+
+func StartMonitoringServer() {
+	cfg.Monitoring = libpack_monitoring.NewMonitoring()
+	cfg.Monitoring.AddMetricsPrefix("graphql_proxy")
+	cfg.Monitoring.RegisterDefaultMetrics()
+}

proxy.go

@@ -0,0 +1,28 @@
+package main
+
+import (
+	"crypto/tls"
+
+	fiber "github.com/gofiber/fiber/v2"
+	"github.com/gofiber/fiber/v2/middleware/proxy"
+	libpack_monitoring "github.com/telegram-bot-app/libpack/monitoring"
+)
+
+func proxyTheRequest(c *fiber.Ctx) error {
+	c.Request().Header.Add("X-Real-IP", c.IP())
+	c.Request().Header.Add("X-Forwarded-For", c.IP())
+
+	proxy.WithTlsConfig(&tls.Config{
+		InsecureSkipVerify: true,
+	})
+
+	err := proxy.DoRedirects(c, cfg.Server.HostGraphQL, 3)
+	if err != nil {
+		cfg.Logger.Error("Can't proxy the request", map[string]interface{}{"error": err.Error()})
+		cfg.Monitoring.Increment(libpack_monitoring.MetricsFailed, nil)
+		return err
+	}
+
+	c.Response().Header.Del(fiber.HeaderServer)
+	return nil
+}

ratelimit.go

@@ -0,0 +1,113 @@
+package main
+
+import (
+	"os"
+	"time"
+
+	goratecounter "github.com/lukaszraczylo/go-ratecounter"
+)
+
+type RateLimitConfig struct {
+	Req               int    `json:"req"`
+	Interval          string `json:"interval"`
+	RateCounterTicker *goratecounter.RateCounter
+}
+
+var rateLimits map[string]RateLimitConfig
+var ratelimit_intervals = map[string]time.Duration{
+	"milli":  time.Millisecond,
+	"micro":  time.Microsecond,
+	"nano":   time.Nanosecond,
+	"second": time.Second,
+	"minute": time.Minute,
+	"hour":   time.Hour,
+	"day":    time.Hour * 24,
+}
+
+func loadRatelimitConfig() error {
+	paths := []string{"/app/ratelimit.json", "./ratelimit.json", "./static/default-ratelimit.json"}
+
+	for _, path := range paths {
+		err := loadConfigFromPath(path)
+		if err == nil {
+			return nil
+		}
+		cfg.Logger.Error("Failed to load config", map[string]interface{}{"path": path, "error": err})
+	}
+
+	cfg.Logger.Debug("Rate limit config not found")
+	return os.ErrNotExist
+}
+
+func loadConfigFromPath(path string) error {
+	file, err := os.Open(path)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+
+	config := struct {
+		RateLimit map[string]RateLimitConfig `json:"ratelimit"`
+	}{}
+
+	decoder := json.NewDecoder(file)
+	if err := decoder.Decode(&config); err != nil {
+		return err
+	}
+
+	for key, value := range config.RateLimit {
+		value.RateCounterTicker = goratecounter.NewRateCounter().WithConfig(goratecounter.RateCounterConfig{
+			Interval: time.Duration(value.Req) * ratelimit_intervals[value.Interval],
+		})
+		cfg.Logger.Debug("Setting ratelimit config for role", map[string]interface{}{
+			"role":              key,
+			"interval_provided": value.Interval,
+			"interval_used":     ratelimit_intervals[value.Interval],
+			"ratelimit":         value.Req,
+		})
+		config.RateLimit[key] = value
+	}
+
+	rateLimits = config.RateLimit
+	cfg.Logger.Debug("Rate limit config loaded", map[string]interface{}{"ratelimit": rateLimits})
+	return nil
+}
+
+func rateLimitedRequest(userID string, userRole string) (shouldAllow bool) {
+	if rateLimits == nil {
+		cfg.Logger.Debug("Rate limit config not found", map[string]interface{}{"user_role": userRole})
+		return true
+	}
+
+	// Fetch role config once to avoid multiple map lookups
+	roleConfig, ok := rateLimits[userRole]
+	if !ok {
+		cfg.Logger.Warning("Rate limit role not found", map[string]interface{}{"user_role": userRole})
+		return true
+	}
+
+	if roleConfig.RateCounterTicker == nil {
+		cfg.Logger.Warning("Rate limit ticker not found", map[string]interface{}{"user_role": userRole})
+		return true
+	}
+
+	roleConfig.RateCounterTicker.Incr(1)
+	tickerRate := roleConfig.RateCounterTicker.GetRate()
+
+	logDetails := map[string]interface{}{
+		"user_role":   userRole,
+		"user_id":     userID,
+		"rate":        tickerRate,
+		"config_rate": roleConfig.Req,
+		"interval":    roleConfig.Interval,
+	}
+
+	cfg.Logger.Debug("Rate limit ticker", logDetails)
+
+	if tickerRate > float64(roleConfig.Req) {
+		cfg.Logger.Debug("Rate limit exceeded", logDetails)
+		return false
+	}
+
+	return true
+}

semver.yaml

@@ -0,0 +1,16 @@
+version: 1
+force:
+  existing: true
+  strict: false
+  minor: 1
+wording:
+  patch:
+    - update
+    - initial
+    - fix
+  minor:
+    - change
+    - improve
+    - release
+  major:
+    - breaking

server.go

@@ -0,0 +1,131 @@
+package main
+
+import (
+	"fmt"
+	"time"
+
+	fiber "github.com/gofiber/fiber/v2"
+	"github.com/gofiber/fiber/v2/middleware/cors"
+
+	jsoniter "github.com/json-iterator/go"
+	libpack_monitoring "github.com/telegram-bot-app/libpack/monitoring"
+)
+
+var json = jsoniter.ConfigCompatibleWithStandardLibrary
+
+// StartHTTPProxy starts the HTTP and points it to the GraphQL server.
+func StartHTTPProxy() {
+	server := fiber.New()
+
+	server.Use(cors.New(cors.Config{
+		AllowOrigins: "*",
+	}))
+
+	server.Post("/v1/graphql", processGraphQLRequest)
+
+	server.Get("/healthz", healthCheck)
+	err := server.Listen(fmt.Sprintf(":%d", cfg.Server.PortGraphQL))
+	if err != nil {
+		cfg.Logger.Critical("Can't start the service", map[string]interface{}{"error": err.Error()})
+	}
+}
+
+func healthCheck(c *fiber.Ctx) error {
+	// query := `{ __typename }`
+	// _, err := cfg.Client.GQLClient.Query(query, nil, nil)
+	// if err != nil {
+	// 	cfg.Logger.Error("Can't reach the GraphQL server", map[string]interface{}{"error": err.Error()})
+	// 	cfg.Monitoring.Increment(libpack_monitoring.MetricsFailed, nil)
+	// 	return c.SendStatus(500)
+	// }
+	return c.SendStatus(200)
+}
+
+func processGraphQLRequest(c *fiber.Ctx) error {
+	startTime := time.Now()
+
+	// Initialize variables with default values
+	extractedUserID := "-"
+	extractedRoleName := "-"
+	var queryCacheHash string
+
+	authorization := c.Request().Header.Peek("Authorization")
+	if authorization != nil && (len(cfg.Client.JWTUserClaimPath) > 0 || len(cfg.Client.JWTRoleClaimPath) > 0) {
+		extractedUserID, extractedRoleName = extractClaimsFromJWTHeader(string(authorization))
+	}
+
+	// Implementing rate limiting if enabled
+	if cfg.Client.JWTRoleRateLimit {
+		cfg.Logger.Debug("Rate limiting enabled", map[string]interface{}{"user_id": extractedUserID, "role_name": extractedRoleName})
+		if !rateLimitedRequest(extractedUserID, extractedRoleName) {
+			c.Status(429).SendString("Rate limit exceeded, try again later")
+			return nil
+		}
+	}
+
+	opType, opName, cacheFromQuery, shouldBlock := parseGraphQLQuery(c)
+	if shouldBlock {
+		return nil
+	}
+
+	wasCached := false
+
+	// Handling Cache Logic
+	if cacheFromQuery || cfg.Cache.CacheEnable {
+		cfg.Logger.Debug("Cache enabled", map[string]interface{}{"via_query": cacheFromQuery, "via_env": cfg.Cache.CacheEnable})
+		queryCacheHash = calculateHash(c)
+
+		if cachedResponse := cacheLookup(queryCacheHash); cachedResponse != nil {
+			cfg.Logger.Debug("Cache hit", map[string]interface{}{"hash": queryCacheHash, "user_id": extractedUserID})
+			c.Send(cachedResponse)
+			wasCached = true
+		} else {
+			cfg.Logger.Debug("Cache miss", map[string]interface{}{"hash": queryCacheHash, "user_id": extractedUserID})
+			proxyAndCacheTheRequest(c, queryCacheHash)
+		}
+	} else {
+		proxyTheRequest(c)
+	}
+
+	timeTaken := time.Since(startTime)
+
+	// Logging & Monitoring
+	logAndMonitorRequest(c, extractedUserID, opType, opName, wasCached, timeTaken, startTime)
+
+	return nil
+}
+
+// Additional helper function to avoid code repetition
+func proxyAndCacheTheRequest(c *fiber.Ctx, queryCacheHash string) {
+	proxyTheRequest(c)
+	cfg.Cache.CacheClient.Set(queryCacheHash, c.Response().Body(), time.Duration(cfg.Cache.CacheTTL)*time.Second)
+	c.Send(c.Response().Body())
+}
+
+func logAndMonitorRequest(c *fiber.Ctx, userID, opType, opName string, wasCached bool, duration time.Duration, startTime time.Time) {
+	labels := map[string]string{
+		"op_type": opType,
+		"op_name": opName,
+		"cached":  fmt.Sprintf("%t", wasCached),
+		"user_id": userID,
+	}
+
+	if cfg.Server.AccessLog {
+		cfg.Logger.Info("Request processed", map[string]interface{}{
+			"ip":      c.IP(),
+			"user_id": userID,
+			"op_type": opType,
+			"op_name": opName,
+			"time":    duration,
+			"cache":   wasCached,
+		})
+	}
+
+	cfg.Monitoring.Increment(libpack_monitoring.MetricsSucceeded, nil)
+	cfg.Monitoring.Increment("executed_query", labels)
+
+	if !wasCached {
+		cfg.Monitoring.UpdateDuration("timed_query", labels, startTime)
+		cfg.Monitoring.Update("timed_query", labels, float64(duration.Milliseconds()))
+	}
+}

static/default-ratelimit.json

@@ -0,0 +1,16 @@
+{
+  "ratelimit": {
+      "admin": {
+          "req": 100,
+          "interval": "second"
+      },
+      "guest": {
+          "req": 3,
+          "interval": "second"
+      },
+      "-": {
+          "req": 100,
+          "interval": "hour"
+      }
+  }
+}

static/kubernetes-deployment.yaml

@@ -0,0 +1,92 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hasura-proxy-internal
+  labels:
+    app: hasura-proxy-internal
+    type: support
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: hasura-proxy-internal
+      type: support
+  template:
+    metadata:
+      labels:
+        app: hasura-proxy-internal
+        type: support
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "9393"
+        prometheus.io/path: "/metrics"
+    spec:
+      securityContext:
+        runAsUser: 65534 # nobody
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: node-role.kubernetes.io/worker
+                operator: Exists
+      containers:
+      - name: graphql-proxy
+        image: ghcr.io/lukaszraczylo/graphql-monitoring-proxy:latest
+        imagePullPolicy: Always
+        resources:
+          limits:
+            cpu: "1"
+            memory: "640Mi"
+          requests:
+            cpu: "0.75"
+            memory: "512Mi"
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+          initialDelaySeconds: 5
+        ports:
+          - name: web
+            containerPort: 8080
+          - name: monitoring
+            containerPort: 9393
+        env:
+          - name: PORT_GRAPHQL
+            value: "8080"
+          - name: MONITORING_PORT
+            value: "9393"
+          - name: HOST_GRAPHQL
+            value: http://hasura-internal:8080/v1/graphql
+          - name: ENABLE_GLOBAL_CACHE
+            value: "true"
+          - name: CACHE_TTL
+            value: "10"
+          - name: BLOCK_SCHEMA_INTROSPECTION
+            value: "true"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: hasura-proxy-internal
+  labels:
+    app: hasura-proxy-internal
+    type: support
+  annotations:
+    prometheus.io/scrape: "true"
+    prometheus.io/port: "9393"
+    prometheus.io/path: "/metrics"
+spec:
+  ports:
+  - name: web
+    port: 8080
+    targetPort: 8080
+  - name: monitoring
+    port: 9393
+    targetPort: 9393
+  selector:
+    app: hasura-proxy-internal
+    type: support
+  type: ClusterIP

struct_config.go

@@ -0,0 +1,39 @@
+package main
+
+import (
+	"github.com/akyoto/cache"
+	graphql "github.com/lukaszraczylo/go-simple-graphql"
+	libpack_logging "github.com/telegram-bot-app/libpack/logging"
+	libpack_monitoring "github.com/telegram-bot-app/libpack/monitoring"
+)
+
+// config is a struct that holds the configuration of the application.
+type config struct {
+	Logger     *libpack_logging.LogConfig
+	Monitoring *libpack_monitoring.MetricsSetup
+
+	// Server holds the configuration of the server _ONLY_.
+	Server struct {
+		PortGraphQL    int
+		PortMonitoring int
+		HostGraphQL    string
+		AccessLog      bool
+	}
+
+	Client struct {
+		JWTUserClaimPath string
+		JWTRoleClaimPath string
+		JWTRoleRateLimit bool
+		GQLClient        *graphql.BaseClient
+	}
+
+	Cache struct {
+		CacheEnable bool
+		CacheTTL    int
+		CacheClient *cache.Cache
+	}
+
+	Security struct {
+		BlockIntrospection bool
+	}
+}