Add cache ttl support (#3)

* Add ability to use `@cached(ttl: 120)`

* Update documentation.

.github/workflows/test.yaml

@@ -4,14 +4,17 @@ on:
   workflow_dispatch:
   push:
     paths-ignore:
-    - '**.md'
+    - '**/**.md'
+    - '**/**.yaml'
+    - 'static/**'
     branches:
-      - "*"
+    - 'main'
 
 jobs:
   shared:
     uses: telegram-bot-app/ci-scripts/.github/workflows/build-test-publish-inject.yaml@main
     with:
       enable-code-scans: false
+      should-deploy: false
     secrets:
       ghcr-token: ${{ secrets.GHCR_TOKEN }}

Dockerfile

@@ -4,5 +4,6 @@ WORKDIR /go/src/app
 ARG TARGETARCH
 ARG TARGETOS
 ADD dist/bot-$TARGETOS-$TARGETARCH /go/src/app/graphql-proxy
+ADD static/default-ratelimit.json /app/ratelimit.json
 RUN chmod +x /go/src/app/graphql-proxy
 ENTRYPOINT ["/go/src/app/graphql-proxy"]

Makefile

@@ -10,8 +10,8 @@ help:  ## display this help
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n\nTargets:\n"} /^[a-zA-Z0-9_-]+:.*?##/ { printf "  \033[36m%-20s\033[0m %s\n", $$1, $$2 }' $(MAKEFILE_LIST)
 
 .PHONY: run
-run: ## run application
-	@LOG_LEVEL=debug BLOCK_SCHEMA_INTROSPECTION=true JWT_USER_CLAIM_PATH="Hasura.x-hasura-user-id" HOST_GRAPHQL=https://hasura8.lan/v1/graphql go run *.go
+run: build ## run application
+	@LOG_LEVEL=debug BLOCK_SCHEMA_INTROSPECTION=false JWT_ROLE_RATE_LIMIT=false JWT_ROLE_CLAIM_PATH="Hasura.x-hasura-default-role" JWT_USER_CLAIM_PATH="Hasura.x-hasura-user-id" HOST_GRAPHQL=https://hasura8.lan/v1/graphql ./graphql-proxy
 
 .PHONY: build
 build: ## build the binary

README.md

@@ -26,6 +26,7 @@ I wanted to monitor the queries and responses of our graphql endpoint, but we di
 * MONITORING: Calculating the query duration and adding it to the metrics
 * SPEED: Caching the queries
 * SECURITY: Blocking schema introspection
+* SECURITY: Rate limiting queries based on user role
 
 ### Configuration
 
@@ -33,10 +34,56 @@ I wanted to monitor the queries and responses of our graphql endpoint, but we di
 * `PORT_GRAPHQL` - the port to expose the graphql endpoint on (default: 8080)
 * `HOST_GRAPHQL` - the host to proxy the graphql endpoint to (default: `http://localhost/v1/graphql`)
 * `JWT_USER_CLAIM_PATH` - the path to the user claim in the JWT token (default: ``)
-* `ENABLE_CACHE` - enable the cache (default: `false`)
+* `JWT_ROLE_CLAIM_PATH` - the path to the role claim in the JWT token (default: ``)
+* `JWT_ROLE_RATE_LIMITING` - enable request rate limiting based on the role (default: `false`)
+* `ENABLE_GLOBAL_CACHE` - enable the cache (default: `false`)
 * `CACHE_TTL` - the cache TTL (default: `60s`)
 * `LOG_LEVEL` - the log level (default: `info`)
 * `BLOCK_SCHEMA_INTROSPECTION` - blocks the schema introspection (default: `false`)
+* `ENABLE_ACCESS_LOG` - enable the access log (default: `false`)
+
+### Caching
+
+Cache engine is enabled in background as it does not use any additional resources.
+You can then start using the cache by setting the `ENABLE_GLOBAL_CACHE` environment variable to `true` - which will enable the cache for all queries, without introspection of the query. You can leave the global cache disabled and enable the cache for specific queries by adding the `@cached` directive to the query.
+
+In case of the `@cached` you can add additional parameters to the directive which will set the cache for specific query to provided time.
+For example `query MyCachedQuery @cached(ttl: 90) ....` will set the cache for the query to 90 seconds.
+
+### Role based rate limiting
+
+You are able to rate limit requests using the `JWT_ROLE_RATE_LIMITING` environment variable. If enabled, the proxy will rate limit the requests based on the role claim in the JWT token. You can then provide the json file in following format to specify the limits.
+Default interval is `second`, but you can use other values as well. If you want to disable the rate limiting for specific role, you can set the `req` to `0`.
+
+Available values:
+`nano`, `micro`, `milli`, `second`, `minute`, `hour`, `day`
+
+To define path in JWT token where current user role is present use the `JWT_ROLE_CLAIM_PATH` environment variable.
+
+*Default / sample configuration:*
+
+```json
+{
+  "ratelimit": {
+      "admin": {
+          "req": 100,
+          "interval": "second"
+      },
+      "guest": {
+          "req": 50,
+          "interval": "minute"
+      },
+      "-": {
+          "req": 100,
+          "interval": "day"
+      }
+  }
+}
+```
+
+If you'd like to change it - mount your configmap as `/app/ratelimit.json` file.
+Remember to include the `-` role, which is used for unauthenticated users or when claim can't be found for any reason.
+If rate limit has been reached - the proxy will return `429 Too Many Requests` error.
 
 ### Monitoring endpoint
 

cache_test.go

@@ -0,0 +1,49 @@
+package main
+
+import (
+	"testing"
+	"time"
+)
+
+func (suite *Tests) Test_cacheLookup() {
+	type args struct {
+		hash string
+	}
+	tests := []struct {
+		name     string
+		args     args
+		want     []byte
+		addCache struct {
+			data []byte
+		}
+	}{
+		{
+			name: "test_non_existent",
+			args: args{
+				hash: "00000000000000000000000000000000000000",
+			},
+			want: nil,
+		},
+		{
+			name: "test_existent",
+			args: args{
+				hash: "00000000000000000000000000000000000001",
+			},
+			want: []byte("it's fine."),
+			addCache: struct {
+				data []byte
+			}{
+				data: []byte("it's fine."),
+			},
+		},
+	}
+	for _, tt := range tests {
+		suite.T().Run(tt.name, func(t *testing.T) {
+			if tt.addCache.data != nil {
+				cfg.Cache.CacheClient.Set(tt.args.hash, tt.addCache.data, time.Duration(1)*time.Second)
+			}
+			got := cacheLookup(tt.args.hash)
+			assert.Equal(tt.want, got, "Unexpected cache lookup result")
+		})
+	}
+}

details.go

@@ -2,37 +2,51 @@ package main
 
 import (
 	"encoding/base64"
+	"fmt"
 	"strings"
 
 	"github.com/lukaszraczylo/ask"
 	libpack_monitoring "github.com/telegram-bot-app/libpack/monitoring"
 )
 
-func extractClaimsFromJWTHeader(authorization string) (usr string) {
+func extractClaimsFromJWTHeader(authorization string) (usr string, role string) {
+	usr, role = "-", "-"
+
+	handleError := func(msg string, details map[string]interface{}) {
+		cfg.Monitoring.Increment(libpack_monitoring.MetricsFailed, nil)
+		cfg.Logger.Error(msg, details)
+	}
+
 	tokenParts := strings.Split(authorization, ".")
 	if len(tokenParts) != 3 {
-		cfg.Monitoring.Increment(libpack_monitoring.MetricsFailed, nil)
-		cfg.Logger.Error("Can't split the token", map[string]interface{}{"token": authorization})
+		handleError("Can't split the token", map[string]interface{}{"token": authorization})
 		return
 	}
+
 	claim, err := base64.RawURLEncoding.DecodeString(tokenParts[1])
 	if err != nil {
-		cfg.Monitoring.Increment(libpack_monitoring.MetricsFailed, nil)
-		cfg.Logger.Error("Can't decode the token", map[string]interface{}{"token": authorization})
+		handleError("Can't decode the token", map[string]interface{}{"token": authorization})
 		return
 	}
+
 	var claimMap map[string]interface{}
-	err = json.Unmarshal(claim, &claimMap)
-	if err != nil {
-		cfg.Monitoring.Increment(libpack_monitoring.MetricsFailed, nil)
-		cfg.Logger.Error("Can't unmarshal the claim", map[string]interface{}{"token": authorization})
+	if err = json.Unmarshal(claim, &claimMap); err != nil {
+		handleError("Can't unmarshal the claim", map[string]interface{}{"token": authorization})
 		return
 	}
-	usr, ok := ask.For(claimMap, cfg.Client.JWTUserClaimPath).String("-")
-	if !ok {
-		cfg.Monitoring.Increment(libpack_monitoring.MetricsFailed, nil)
-		cfg.Logger.Error("Can't find the user id", map[string]interface{}{"claim_map": claimMap, "path": cfg.Client.JWTUserClaimPath})
-		return
+
+	extractClaim := func(claimPath string, target *string, name string) {
+		if len(claimPath) > 0 {
+			var ok bool
+			*target, ok = ask.For(claimMap, claimPath).String("-")
+			if !ok {
+				handleError(fmt.Sprintf("Can't find the %s", name), map[string]interface{}{"claim_map": claimMap, "path": claimPath})
+			}
+		}
 	}
-	return usr
+
+	extractClaim(cfg.Client.JWTUserClaimPath, &usr, "user id")
+	extractClaim(cfg.Client.JWTRoleClaimPath, &role, "role")
+
+	return
 }

details_test.go

@@ -0,0 +1,83 @@
+package main
+
+import "testing"
+
+func (suite *Tests) Test_extractClaimsFromJWTHeader() {
+	jwt_token_for_tests := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiSGFzdXJhIjp7IngtaGFzdXJhLWFsbG93ZWQtcm9sZXMiOlsiZ3Vlc3QiLCJ1c2VyIiwiZ3JvdXBhZG1pbiIsInBheWFkbWluIl0sIngtaGFzdXJhLWRlZmF1bHQtcm9sZSI6Imd1ZXN0IiwieC1oYXN1cmEtdXNlci1pZCI6IjE2NyIsIngtaGFzdXJhLXVzZXItdXVpZCI6ImRkM2U2ZTM1LTA0MDktNDNiMC1iZmYxLWNlZjNjNmVkNWYxMCJ9LCJpc3MiOiJBdXRoU2VydmljZSIsImV4cCI6MTY5NjgwMTcyNiwibmJmIjoxNjk2NTg1NzI2LCJpYXQiOjE2OTY1ODU3MjZ9.dsJ5JKzG5tXOlqeZ_Gfe2XC-vyrcwtYwOGfhvt8q9UY"
+
+	type args struct {
+		authorization string
+	}
+
+	tests := []struct {
+		name           string
+		args           args
+		wantUsr        string
+		wantRole       string
+		jwt_token_path string
+		jwt_role_path  string
+	}{
+		{
+			name:     "test_empty",
+			wantUsr:  "-",
+			wantRole: "-",
+		},
+		{
+			name: "test_invalid_path",
+			args: args{
+				authorization: jwt_token_for_tests,
+			},
+			wantUsr:        "-",
+			wantRole:       "-",
+			jwt_token_path: "invalid",
+		},
+		{
+			name: "test_invalid_role_path",
+			args: args{
+				authorization: jwt_token_for_tests,
+			},
+			wantUsr:       "-",
+			wantRole:      "-",
+			jwt_role_path: "invalid",
+		},
+		{
+			name: "test_valid",
+			args: args{
+				authorization: jwt_token_for_tests,
+			},
+			wantUsr:        "167",
+			wantRole:       "guest",
+			jwt_token_path: "Hasura.x-hasura-user-id",
+			jwt_role_path:  "Hasura.x-hasura-default-role",
+		},
+		{
+			name: "test_invalid_token",
+			args: args{
+				authorization: "invalid",
+			},
+			wantUsr:  "-",
+			wantRole: "-",
+		},
+		{
+			name: "test_invalid_three_part_token",
+			args: args{
+				authorization: "invalid.threepart.token",
+			},
+			wantUsr:  "-",
+			wantRole: "-",
+		},
+	}
+	for _, tt := range tests {
+		suite.T().Run(tt.name, func(t *testing.T) {
+			if len(tt.jwt_token_path) > 0 {
+				cfg.Client.JWTUserClaimPath = tt.jwt_token_path
+			}
+			if len(tt.jwt_role_path) > 0 {
+				cfg.Client.JWTRoleClaimPath = tt.jwt_role_path
+			}
+			gotUsr, gotRole := extractClaimsFromJWTHeader(tt.args.authorization)
+			assert.Equal(tt.wantUsr, gotUsr, "Unexpected user ID")
+			assert.Equal(tt.wantRole, gotRole, "Unexpected role")
+		})
+	}
+}

go.mod

@@ -8,9 +8,10 @@ require (
 	github.com/gookit/goutil v0.6.12
 	github.com/graphql-go/graphql v0.8.1
 	github.com/json-iterator/go v1.1.12
-	github.com/k0kubun/pp v3.0.1+incompatible
 	github.com/lukaszraczylo/ask v0.0.0-20230927103145-2ff1123b4415
+	github.com/lukaszraczylo/go-ratecounter v0.1.8
 	github.com/lukaszraczylo/go-simple-graphql v1.1.31
+	github.com/stretchr/testify v1.8.4
 	github.com/telegram-bot-app/libpack v0.0.0-20231008100411-9f7f8bf94315
 )
 
@@ -19,16 +20,18 @@ require (
 	github.com/VictoriaMetrics/metrics v1.24.0 // indirect
 	github.com/andybalholm/brotli v1.0.5 // indirect
 	github.com/avast/retry-go/v4 v4.5.0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/google/uuid v1.3.1 // indirect
 	github.com/gookit/color v1.5.4 // indirect
-	github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88 // indirect
 	github.com/klauspost/compress v1.17.0 // indirect
+	github.com/kr/text v0.2.0 // indirect
 	github.com/lukaszraczylo/pandati v0.0.29 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.19 // indirect
 	github.com/mattn/go-runewidth v0.0.15 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
 	github.com/rs/zerolog v1.31.0 // indirect
 	github.com/telegram-bot-app/lib-logging v0.0.19 // indirect
@@ -39,9 +42,10 @@ require (
 	github.com/valyala/tcplisten v1.0.0 // indirect
 	github.com/wI2L/jsondiff v0.4.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
-	golang.org/x/net v0.16.0 // indirect
+	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/sync v0.4.0 // indirect
 	golang.org/x/sys v0.13.0 // indirect
 	golang.org/x/term v0.13.0 // indirect
 	golang.org/x/text v0.13.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -11,6 +11,7 @@ github.com/avast/retry-go/v4 v4.5.0/go.mod h1:7hLEXp0oku2Nir2xBAsg0PTphp9z71bN5A
 github.com/buger/jsonparser v1.1.1 h1:2PnMjfWD7wBILjqQbt530v576A/cAbQvEW9gGIpYMUs=
 github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -28,14 +29,16 @@ github.com/graphql-go/graphql v0.8.1 h1:p7/Ou/WpmulocJeEx7wjQy611rtXGQaAcXGqanuM
 github.com/graphql-go/graphql v0.8.1/go.mod h1:nKiHzRM0qopJEwCITUuIsxk9PlVlwIiiI8pnJEhordQ=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88 h1:uC1QfSlInpQF+M0ao65imhwqKnz3Q2z/d8PWZRMQvDM=
-github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88/go.mod h1:3w7q1U84EfirKl04SVQ/s7nPm1ZPhiXd34z40TNz36k=
-github.com/k0kubun/pp v3.0.1+incompatible h1:3tqvf7QgUnZ5tXO6pNAZlrvHgl6DvifjDrd9g2S9Z40=
-github.com/k0kubun/pp v3.0.1+incompatible/go.mod h1:GWse8YhT0p8pT4ir3ZgBbfZild3tgzSScAn6HmfYukg=
 github.com/klauspost/compress v1.17.0 h1:Rnbp4K9EjcDuVuHtd0dgA4qNuv9yKDYKK1ulpJwgrqM=
 github.com/klauspost/compress v1.17.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/lukaszraczylo/ask v0.0.0-20230927103145-2ff1123b4415 h1:lvI8Wlbg4PxkRcg2f10wgoaRpfN19v+YdRek3+dLtlM=
 github.com/lukaszraczylo/ask v0.0.0-20230927103145-2ff1123b4415/go.mod h1:M+UVdyqZs++xtEPrascaVmZdOMhCnxjZ2SgH+xHpR0c=
+github.com/lukaszraczylo/go-ratecounter v0.1.8 h1:ZYm6Wkn58ZAlFWRmC7PaD4oAYHWcu8/0MUDWGe3PnJQ=
+github.com/lukaszraczylo/go-ratecounter v0.1.8/go.mod h1:TqXEOCtFJStk1i0tkipprv1kiDHGon1MVUisjSTBSKM=
 github.com/lukaszraczylo/go-simple-graphql v1.1.31 h1:UA3f8M1cV+XnO8UZlAqveW0qF/2NN512eB/gRqe+BHs=
 github.com/lukaszraczylo/go-simple-graphql v1.1.31/go.mod h1:MyftQ8jTdtkYImPXJpHoxz6+E53Ydv+7q9+Jr+eT8WU=
 github.com/lukaszraczylo/pandati v0.0.29 h1:WUEWm1+hWjE5KJbIL8OctG00x2dk4XKGJSlrjhxZ55k=
@@ -58,6 +61,8 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis=
 github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
+github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
+github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.31.0 h1:FcTR3NnLWW+NnTwwhFWiJSZr4ECLpqCm6QsEnyvbV4A=
 github.com/rs/zerolog v1.31.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
@@ -85,8 +90,8 @@ github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavM
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
-golang.org/x/net v0.16.0 h1:7eBu7KsSvFDtSXUIDbh3aqlK4DPsZ1rByC8PFfBThos=
-golang.org/x/net v0.16.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
+golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ=
 golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -99,5 +104,7 @@ golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
 golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

graphql.go

@@ -1,6 +1,8 @@
 package main
 
 import (
+	"strconv"
+
 	fiber "github.com/gofiber/fiber/v2"
 	"github.com/graphql-go/graphql/language/ast"
 	"github.com/graphql-go/graphql/language/parser"
@@ -33,7 +35,7 @@ var retrospection_queries = []string{
 // Saving the introspection queries as a map O(1) operation instead of O(n) for a slice.
 var retrospectionQuerySet = make(map[string]struct{}, len(retrospection_queries))
 
-func parseGraphQLQuery(c *fiber.Ctx) (operationType, operationName string, cacheRequest bool, should_block bool) {
+func parseGraphQLQuery(c *fiber.Ctx) (operationType, operationName string, cacheRequest bool, cache_time int, should_block bool) {
 	m := make(map[string]interface{})
 	err := json.Unmarshal(c.Body(), &m)
 	if err != nil {
@@ -68,6 +70,16 @@ func parseGraphQLQuery(c *fiber.Ctx) (operationType, operationName string, cache
 			for _, dir := range oper.Directives {
 				if dir.Name.Value == "cached" {
 					cacheRequest = true
+					for _, arg := range dir.Arguments {
+						if arg.Name.Value == "ttl" {
+							cache_time, err = strconv.Atoi(arg.Value.GetValue().(string))
+							if err != nil {
+								cfg.Logger.Error("Can't parse the ttl", map[string]interface{}{"ttl": arg.Value.GetValue().(string)})
+								cfg.Monitoring.Increment(libpack_monitoring.MetricsFailed, nil)
+								return
+							}
+						}
+					}
 				}
 			}
 			if cfg.Security.BlockIntrospection {

main.go

@@ -22,14 +22,18 @@ func parseConfig() {
 	c.Server.PortMonitoring = envutil.GetInt("MONITORING_PORT", 9393)
 	c.Server.HostGraphQL = envutil.Getenv("HOST_GRAPHQL", "http://localhost/v1/graphql")
 	c.Client.JWTUserClaimPath = envutil.Getenv("JWT_USER_CLAIM_PATH", "")
-	c.Cache.CacheEnable = envutil.GetBool("CACHE_ENABLE", false)
+	c.Client.JWTRoleClaimPath = envutil.Getenv("JWT_ROLE_CLAIM_PATH", "")
+	c.Client.JWTRoleRateLimit = envutil.GetBool("JWT_ROLE_RATE_LIMIT", false)
+	c.Cache.CacheEnable = envutil.GetBool("ENABLE_GLOBAL_CACHE", false)
 	c.Cache.CacheTTL = envutil.GetInt("CACHE_TTL", 60)
 	c.Security.BlockIntrospection = envutil.GetBool("BLOCK_SCHEMA_INTROSPECTION", false)
 	c.Logger = libpack_logging.NewLogger()
 	c.Client.GQLClient = graphql.NewConnection()
 	c.Client.GQLClient.SetEndpoint(c.Server.HostGraphQL)
+	c.Server.AccessLog = envutil.GetBool("ENABLE_ACCESS_LOG", false)
 	cfg = &c
 	enableCache() // takes close to no resources, but can be used with dynamic query cache
+	loadRatelimitConfig()
 }
 
 func main() {

main_test.go

@@ -0,0 +1,34 @@
+package main
+
+import (
+	"fmt"
+	"testing"
+
+	assertions "github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/suite"
+)
+
+type Tests struct {
+	suite.Suite
+}
+
+var (
+	assert *assertions.Assertions
+)
+
+func (suite *Tests) SetupTest() {
+	assert = assertions.New(suite.T())
+}
+
+func (suite *Tests) BeforeTest(suiteName, testName string) {
+	fmt.Println("BeforeTest")
+	cfg = &config{}
+	parseConfig()
+	StartMonitoringServer()
+}
+
+// func (suite *Tests) AfterTest(suiteName, testName string) {)
+
+func TestSuite(t *testing.T) {
+	suite.Run(t, new(Tests))
+}

ratelimit.go

@@ -0,0 +1,113 @@
+package main
+
+import (
+	"os"
+	"time"
+
+	goratecounter "github.com/lukaszraczylo/go-ratecounter"
+)
+
+type RateLimitConfig struct {
+	Req               int    `json:"req"`
+	Interval          string `json:"interval"`
+	RateCounterTicker *goratecounter.RateCounter
+}
+
+var rateLimits map[string]RateLimitConfig
+var ratelimit_intervals = map[string]time.Duration{
+	"milli":  time.Millisecond,
+	"micro":  time.Microsecond,
+	"nano":   time.Nanosecond,
+	"second": time.Second,
+	"minute": time.Minute,
+	"hour":   time.Hour,
+	"day":    time.Hour * 24,
+}
+
+func loadRatelimitConfig() error {
+	paths := []string{"/app/ratelimit.json", "./ratelimit.json", "./static/default-ratelimit.json"}
+
+	for _, path := range paths {
+		err := loadConfigFromPath(path)
+		if err == nil {
+			return nil
+		}
+		cfg.Logger.Error("Failed to load config", map[string]interface{}{"path": path, "error": err})
+	}
+
+	cfg.Logger.Debug("Rate limit config not found")
+	return os.ErrNotExist
+}
+
+func loadConfigFromPath(path string) error {
+	file, err := os.Open(path)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+
+	config := struct {
+		RateLimit map[string]RateLimitConfig `json:"ratelimit"`
+	}{}
+
+	decoder := json.NewDecoder(file)
+	if err := decoder.Decode(&config); err != nil {
+		return err
+	}
+
+	for key, value := range config.RateLimit {
+		value.RateCounterTicker = goratecounter.NewRateCounter().WithConfig(goratecounter.RateCounterConfig{
+			Interval: time.Duration(value.Req) * ratelimit_intervals[value.Interval],
+		})
+		cfg.Logger.Debug("Setting ratelimit config for role", map[string]interface{}{
+			"role":              key,
+			"interval_provided": value.Interval,
+			"interval_used":     ratelimit_intervals[value.Interval],
+			"ratelimit":         value.Req,
+		})
+		config.RateLimit[key] = value
+	}
+
+	rateLimits = config.RateLimit
+	cfg.Logger.Debug("Rate limit config loaded", map[string]interface{}{"ratelimit": rateLimits})
+	return nil
+}
+
+func rateLimitedRequest(userID string, userRole string) (shouldAllow bool) {
+	if rateLimits == nil {
+		cfg.Logger.Debug("Rate limit config not found", map[string]interface{}{"user_role": userRole})
+		return true
+	}
+
+	// Fetch role config once to avoid multiple map lookups
+	roleConfig, ok := rateLimits[userRole]
+	if !ok {
+		cfg.Logger.Warning("Rate limit role not found", map[string]interface{}{"user_role": userRole})
+		return true
+	}
+
+	if roleConfig.RateCounterTicker == nil {
+		cfg.Logger.Warning("Rate limit ticker not found", map[string]interface{}{"user_role": userRole})
+		return true
+	}
+
+	roleConfig.RateCounterTicker.Incr(1)
+	tickerRate := roleConfig.RateCounterTicker.GetRate()
+
+	logDetails := map[string]interface{}{
+		"user_role":   userRole,
+		"user_id":     userID,
+		"rate":        tickerRate,
+		"config_rate": roleConfig.Req,
+		"interval":    roleConfig.Interval,
+	}
+
+	cfg.Logger.Debug("Rate limit ticker", logDetails)
+
+	if tickerRate > float64(roleConfig.Req) {
+		cfg.Logger.Debug("Rate limit exceeded", logDetails)
+		return false
+	}
+
+	return true
+}

semver.yaml

@@ -11,5 +11,6 @@ wording:
   minor:
     - change
     - improve
+    - release
   major:
     - breaking

server.go

@@ -6,6 +6,7 @@ import (
 
 	fiber "github.com/gofiber/fiber/v2"
 	"github.com/gofiber/fiber/v2/middleware/cors"
+
 	jsoniter "github.com/json-iterator/go"
 	libpack_monitoring "github.com/telegram-bot-app/libpack/monitoring"
 )
@@ -41,58 +42,95 @@ func healthCheck(c *fiber.Ctx) error {
 }
 
 func processGraphQLRequest(c *fiber.Ctx) error {
-	t := time.Now()
+	startTime := time.Now()
 
-	var extracted_user_id string = "-"
-	var query_cache_hash string = ""
+	// Initialize variables with default values
+	extractedUserID := "-"
+	extractedRoleName := "-"
+	var queryCacheHash string
 
 	authorization := c.Request().Header.Peek("Authorization")
-	if authorization != nil && len(cfg.Client.JWTUserClaimPath) > 0 {
-		extracted_user_id = extractClaimsFromJWTHeader(string(authorization))
+	if authorization != nil && (len(cfg.Client.JWTUserClaimPath) > 0 || len(cfg.Client.JWTRoleClaimPath) > 0) {
+		extractedUserID, extractedRoleName = extractClaimsFromJWTHeader(string(authorization))
 	}
-	opType, opName, cache_from_query, should_block := parseGraphQLQuery(c)
 
-	if should_block {
+	// Implementing rate limiting if enabled
+	if cfg.Client.JWTRoleRateLimit {
+		cfg.Logger.Debug("Rate limiting enabled", map[string]interface{}{"user_id": extractedUserID, "role_name": extractedRoleName})
+		if !rateLimitedRequest(extractedUserID, extractedRoleName) {
+			c.Status(429).SendString("Rate limit exceeded, try again later")
+			return nil
+		}
+	}
+
+	opType, opName, cacheFromQuery, cache_time, shouldBlock := parseGraphQLQuery(c)
+	if shouldBlock {
 		return nil
 	}
 
-	was_cached := false
+	if cache_time > 0 {
+		cfg.Logger.Debug("Cache time set via query", map[string]interface{}{"cache_time": cache_time})
+		cache_time = cfg.Cache.CacheTTL
+	}
 
-	if cache_from_query || cfg.Cache.CacheEnable {
-		cfg.Logger.Debug("Cache enabled", map[string]interface{}{"via_query": cache_from_query, "via_env": cfg.Cache.CacheEnable})
-		query_cache_hash = calculateHash(c)
-		cachedResponse := cacheLookup(query_cache_hash)
-		if cachedResponse != nil {
-			cfg.Logger.Debug("Cache hit", map[string]interface{}{"hash": query_cache_hash, "user_id": extracted_user_id})
+	wasCached := false
+
+	// Handling Cache Logic
+	if cacheFromQuery || cfg.Cache.CacheEnable {
+		cfg.Logger.Debug("Cache enabled", map[string]interface{}{"via_query": cacheFromQuery, "via_env": cfg.Cache.CacheEnable})
+		queryCacheHash = calculateHash(c)
+
+		if cachedResponse := cacheLookup(queryCacheHash); cachedResponse != nil {
+			cfg.Logger.Debug("Cache hit", map[string]interface{}{"hash": queryCacheHash, "user_id": extractedUserID})
 			c.Send(cachedResponse)
-			was_cached = true
+			wasCached = true
 		} else {
-			cfg.Logger.Debug("Cache miss", map[string]interface{}{"hash": query_cache_hash, "user_id": extracted_user_id})
-			proxyTheRequest(c)
-			cfg.Cache.CacheClient.Set(query_cache_hash, c.Response().Body(), time.Duration(cfg.Cache.CacheTTL)*time.Second)
-			c.Send(c.Response().Body())
+			cfg.Logger.Debug("Cache miss", map[string]interface{}{"hash": queryCacheHash, "user_id": extractedUserID})
+			proxyAndCacheTheRequest(c, queryCacheHash, cache_time)
 		}
 	} else {
 		proxyTheRequest(c)
 	}
-	time_taken := time.Since(t)
 
-	cfg.Logger.Info("Request processed", map[string]interface{}{"ip": c.IP(), "user_id": extracted_user_id, "op_type": opType, "op_name": opName, "time": time_taken, "cache": was_cached})
-	cfg.Monitoring.Increment(libpack_monitoring.MetricsSucceeded, nil)
+	timeTaken := time.Since(startTime)
 
+	// Logging & Monitoring
+	logAndMonitorRequest(c, extractedUserID, opType, opName, wasCached, timeTaken, startTime)
+
+	return nil
+}
+
+// Additional helper function to avoid code repetition
+func proxyAndCacheTheRequest(c *fiber.Ctx, queryCacheHash string, cache_time int) {
+	proxyTheRequest(c)
+	cfg.Cache.CacheClient.Set(queryCacheHash, c.Response().Body(), time.Duration(cache_time)*time.Second)
+	c.Send(c.Response().Body())
+}
+
+func logAndMonitorRequest(c *fiber.Ctx, userID, opType, opName string, wasCached bool, duration time.Duration, startTime time.Time) {
 	labels := map[string]string{
 		"op_type": opType,
 		"op_name": opName,
-		"cached":  fmt.Sprintf("%t", was_cached),
-		"user_id": extracted_user_id,
+		"cached":  fmt.Sprintf("%t", wasCached),
+		"user_id": userID,
 	}
 
+	if cfg.Server.AccessLog {
+		cfg.Logger.Info("Request processed", map[string]interface{}{
+			"ip":      c.IP(),
+			"user_id": userID,
+			"op_type": opType,
+			"op_name": opName,
+			"time":    duration,
+			"cache":   wasCached,
+		})
+	}
+
+	cfg.Monitoring.Increment(libpack_monitoring.MetricsSucceeded, nil)
 	cfg.Monitoring.Increment("executed_query", labels)
 
-	if !was_cached {
-		cfg.Monitoring.UpdateDuration("timed_query", labels, t)
-		cfg.Monitoring.Update("timed_query", labels, float64(time_taken.Milliseconds()))
+	if !wasCached {
+		cfg.Monitoring.UpdateDuration("timed_query", labels, startTime)
+		cfg.Monitoring.Update("timed_query", labels, float64(duration.Milliseconds()))
 	}
-	// // cfg.Monitoring.Set("timed_query", time_taken.Milliseconds())
-	return nil
 }

static/default-ratelimit.json

@@ -0,0 +1,16 @@
+{
+  "ratelimit": {
+      "admin": {
+          "req": 100,
+          "interval": "second"
+      },
+      "guest": {
+          "req": 3,
+          "interval": "second"
+      },
+      "-": {
+          "req": 100,
+          "interval": "hour"
+      }
+  }
+}

static/kubernetes-deployment.yaml

@@ -59,7 +59,7 @@ spec:
             value: "9393"
           - name: HOST_GRAPHQL
             value: http://hasura-internal:8080/v1/graphql
-          - name: ENABLE_CACHE
+          - name: ENABLE_GLOBAL_CACHE
             value: "true"
           - name: CACHE_TTL
             value: "10"

struct_config.go

@@ -17,10 +17,13 @@ type config struct {
 		PortGraphQL    int
 		PortMonitoring int
 		HostGraphQL    string
+		AccessLog      bool
 	}
 
 	Client struct {
 		JWTUserClaimPath string
+		JWTRoleClaimPath string
+		JWTRoleRateLimit bool
 		GQLClient        *graphql.BaseClient
 	}