Files
xlgo-core/middleware/ratelimit.go
T
杭州明婳科技 dcfd24b624 release: v1.0.3 bug fix release
v1.0.3 定位为 bug fix release,收口 v1.0.2 引入的破坏性清理并修复
4 个轻量 bug + 依赖复查 + 版本号治理 + 文档对齐。同时包含此前未提交
的 v1.0.2 全部工作。

v1.0.3 变更:

Fixed:
- generateJTI 忽略 rand.Read 错误(jwt)— 改为 (string, error) 并传播
- QueryBuilder.Page Count 受残留 Limit 截断(repository)— countDB 加 Limit(-1).Offset(-1)
- OSS/本地存储文件名冲突(storage)— 新增 uniqueFilename 加 8 字节随机后缀
- 数据库重试策略对不可恢复错误无效(database)— 新增 isTransientDBError

Dependencies:
- go mod tidy 补全 postgres 方言传递依赖;安全补丁升级
  x/crypto v0.49→v0.53、golang-jwt/jwt/v5 v5.2.1→v5.3.1、gorilla/websocket v1.5.1→v1.5.3

Removed:
- Breaking: 清理 v1.0.2 兼容别名(InitMySQL* / driverName)
- 死代码 database.DBResolver
- 代码中 292 行"评分/理由"自夸注释(#26,23 个文件)

Changed:
- Breaking: 错误码体系重构 CodeSuccess 1→0、CodeFail 0→1,删除 CodeInvalidParams,加编译期防撞码
- database/mysql.go → manager.go;Logger 拆分三独立 core 修复 Tee 重复写入
- 版本号常量化:app.go 新增 const Version 作为唯一来源,CLI/脚手架模板引用之,不再散落字面量

Security:
- CORS 中间件按 W3C 规范修复 Allow-Credentials / Vary: Origin / 非白名单不回显

Added:
- console 包显式 level 控制(SetLevel/WithLevel/LevelSilent,atomic.Int32 并发安全)
- 新增测试 jwt/repository/storage/database/router/middleware/app
- 文档:新增 CHANGELOG.md、Version_v1.0.2_report.md;更新 README/GUIDE 顶部更新日志
- 文档对齐:删除对不存在的 config.DefaultManager() getter 的描述(保持 API 与文档一致)

详见 CHANGELOG.md 与 README.md 更新日志。

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-22 21:40:10 +08:00

398 lines
8.8 KiB
Go

package middleware
import (
"context"
"fmt"
"sync"
"time"
"github.com/EthanCodeCraft/xlgo-core/database"
"github.com/EthanCodeCraft/xlgo-core/response"
"github.com/gin-gonic/gin"
)
// RateLimiter 速率限制器(内存版,单实例使用)
type RateLimiter struct {
visitors map[string]*visitor
mu sync.RWMutex
rate int // 每分钟允许的请求数
window time.Duration // 时间窗口
ctx context.Context
cancel context.CancelFunc
wg sync.WaitGroup
}
type visitor struct {
lastSeen time.Time
count int
}
// NewRateLimiter 创建速率限制器(内存版)
func NewRateLimiter(rate int, window time.Duration) *RateLimiter {
ctx, cancel := context.WithCancel(context.Background())
limiter := &RateLimiter{
visitors: make(map[string]*visitor),
rate: rate,
window: window,
ctx: ctx,
cancel: cancel,
}
limiter.wg.Add(1)
go limiter.cleanupVisitors()
return limiter
}
// Allow 检查是否允许请求
func (rl *RateLimiter) Allow(ip string) bool {
rl.mu.Lock()
defer rl.mu.Unlock()
v, exists := rl.visitors[ip]
if !exists {
rl.visitors[ip] = &visitor{
lastSeen: time.Now(),
count: 1,
}
return true
}
if time.Since(v.lastSeen) > rl.window {
v.count = 1
v.lastSeen = time.Now()
return true
}
if v.count >= rl.rate {
return false
}
v.count++
v.lastSeen = time.Now()
return true
}
// cleanupVisitors 清理过期的访问者记录
func (rl *RateLimiter) cleanupVisitors() {
defer rl.wg.Done()
ticker := time.NewTicker(time.Minute)
defer ticker.Stop()
for {
select {
case <-rl.ctx.Done():
return
case <-ticker.C:
rl.mu.Lock()
for ip, v := range rl.visitors {
if time.Since(v.lastSeen) > rl.window {
delete(rl.visitors, ip)
}
}
rl.mu.Unlock()
}
}
}
// Stop 停止限流器(释放资源)
func (rl *RateLimiter) Stop() {
rl.cancel()
rl.wg.Wait()
}
// ===== Redis 分布式限流器 =====
// RedisRateLimiter Redis 分布式限流器
type RedisRateLimiter struct {
keyPrefix string // 键名前缀
rate int // 每分钟允许的请求数
window time.Duration // 时间窗口
}
// slidingWindowLua 滑动窗口限流 Lua 脚本
// 返回: 当前窗口内的请求数
const slidingWindowLua = `
local key = KEYS[1]
local now = tonumber(ARGV[1])
local window = tonumber(ARGV[2])
local rate = tonumber(ARGV[3])
-- 移除窗口外的旧记录
redis.call('ZREMRANGEBYSCORE', key, 0, now - window)
-- 获取当前窗口内的请求数
local count = redis.call('ZCARD', key)
if count < rate then
-- 添加当前请求
redis.call('ZADD', key, now, now .. '-' .. math.random())
redis.call('PEXPIRE', key, window)
return 0
else
return count
end
`
// NewRedisRateLimiter 创建 Redis 分布式限流器
func NewRedisRateLimiter(keyPrefix string, rate int, window time.Duration) *RedisRateLimiter {
return &RedisRateLimiter{
keyPrefix: keyPrefix,
rate: rate,
window: window,
}
}
// Allow 检查是否允许请求
func (rl *RedisRateLimiter) Allow(ctx context.Context, identifier string) (bool, error) {
if database.RedisClient == nil {
// Redis 未启用,默认允许
return true, nil
}
key := rl.keyPrefix + ":" + identifier
now := float64(time.Now().UnixMilli())
windowMs := float64(rl.window.Milliseconds())
result, err := database.RedisClient.Eval(ctx, slidingWindowLua, []string{key}, now, windowMs, rl.rate).Result()
if err != nil {
return true, err // 出错时允许请求,避免影响业务
}
count := result.(int64)
return count == 0, nil
}
// GetCount 获取当前窗口内的请求数
func (rl *RedisRateLimiter) GetCount(ctx context.Context, identifier string) (int64, error) {
if database.RedisClient == nil {
return 0, nil
}
key := rl.keyPrefix + ":" + identifier
now := time.Now().UnixMilli()
windowStart := now - rl.window.Milliseconds()
// 移除旧记录并获取当前计数
database.RedisClient.ZRemRangeByScore(ctx, key, "0", fmt.Sprintf("%d", windowStart))
return database.RedisClient.ZCard(ctx, key).Result()
}
// Reset 重置限流计数
func (rl *RedisRateLimiter) Reset(ctx context.Context, identifier string) error {
if database.RedisClient == nil {
return nil
}
key := rl.keyPrefix + ":" + identifier
return database.RedisClient.Del(ctx, key).Err()
}
// ===== 全局限速器 =====
var (
loginLimiter *RateLimiter
apiLimiter *RateLimiter
uploadLimiter *RateLimiter
redisLimiters map[string]*RedisRateLimiter
limitersMu sync.Mutex
)
func init() {
redisLimiters = make(map[string]*RedisRateLimiter)
}
// InitRateLimiters 初始化限速器
func InitRateLimiters() {
limitersMu.Lock()
defer limitersMu.Unlock()
// 先停止旧的限流器
if loginLimiter != nil {
loginLimiter.Stop()
}
if apiLimiter != nil {
apiLimiter.Stop()
}
if uploadLimiter != nil {
uploadLimiter.Stop()
}
// 内存限流器(单实例)
loginLimiter = NewRateLimiter(10, time.Minute)
apiLimiter = NewRateLimiter(100, time.Minute)
uploadLimiter = NewRateLimiter(20, time.Minute)
}
// StopRateLimiters 停止所有限速器(应用关闭时调用)
func StopRateLimiters() {
limitersMu.Lock()
defer limitersMu.Unlock()
if loginLimiter != nil {
loginLimiter.Stop()
loginLimiter = nil
}
if apiLimiter != nil {
apiLimiter.Stop()
apiLimiter = nil
}
if uploadLimiter != nil {
uploadLimiter.Stop()
uploadLimiter = nil
}
}
// RateLimit 通用速率限制中间件(内存版)
func RateLimit(limiter *RateLimiter) gin.HandlerFunc {
return func(c *gin.Context) {
ip := c.ClientIP()
if !limiter.Allow(ip) {
response.RateLimit(c)
c.Abort()
return
}
c.Next()
}
}
// LoginRateLimit 登录接口速率限制
func LoginRateLimit() gin.HandlerFunc {
limitersMu.Lock()
if loginLimiter == nil {
loginLimiter = NewRateLimiter(10, time.Minute)
}
limiter := loginLimiter
limitersMu.Unlock()
return RateLimit(limiter)
}
// APIRateLimit 普通 API 速率限制
func APIRateLimit() gin.HandlerFunc {
limitersMu.Lock()
if apiLimiter == nil {
apiLimiter = NewRateLimiter(100, time.Minute)
}
limiter := apiLimiter
limitersMu.Unlock()
return RateLimit(limiter)
}
// UploadRateLimit 上传接口速率限制
func UploadRateLimit() gin.HandlerFunc {
limitersMu.Lock()
if uploadLimiter == nil {
uploadLimiter = NewRateLimiter(20, time.Minute)
}
limiter := uploadLimiter
limitersMu.Unlock()
return RateLimit(limiter)
}
// CustomRateLimit 自定义速率限制(内存版)
func CustomRateLimit(rate int, window time.Duration) gin.HandlerFunc {
limiter := NewRateLimiter(rate, window)
return RateLimit(limiter)
}
// ===== Redis 分布式限流中间件 =====
// RedisRateLimit Redis 分布式限流中间件
// 参数: keyPrefix 键名前缀(如 "login_limit"),rate 每分钟请求数
func RedisRateLimit(keyPrefix string, rate int) gin.HandlerFunc {
limiter := NewRedisRateLimiter(keyPrefix, rate, time.Minute)
return func(c *gin.Context) {
identifier := c.ClientIP()
// 可选:使用用户ID作为标识(登录后)
// userID := GetUserID(c)
// if userID > 0 {
// identifier = fmt.Sprintf("user:%d", userID)
// }
allowed, err := limiter.Allow(c.Request.Context(), identifier)
if err != nil {
// Redis 错误时允许请求,避免影响业务
c.Next()
return
}
if !allowed {
response.RateLimit(c)
c.Abort()
return
}
c.Next()
}
}
// RedisRateLimitWithIdentifier 自定义标识的 Redis 分布式限流
// 参数: keyPrefix 键名前缀,rate 每分钟请求数,identifierFunc 标识获取函数
func RedisRateLimitWithIdentifier(keyPrefix string, rate int, identifierFunc func(c *gin.Context) string) gin.HandlerFunc {
limiter := NewRedisRateLimiter(keyPrefix, rate, time.Minute)
return func(c *gin.Context) {
identifier := identifierFunc(c)
if identifier == "" {
identifier = c.ClientIP()
}
allowed, err := limiter.Allow(c.Request.Context(), identifier)
if err != nil {
c.Next()
return
}
if !allowed {
response.RateLimit(c)
c.Abort()
return
}
c.Next()
}
}
// LoginRedisRateLimit 登录接口 Redis 分布式限流
func LoginRedisRateLimit() gin.HandlerFunc {
return RedisRateLimit("login_limit", 10)
}
// APIRedisRateLimit API Redis 分布式限流
func APIRedisRateLimit() gin.HandlerFunc {
return RedisRateLimit("api_limit", 100)
}
// UploadRedisRateLimit 上传接口 Redis 分布式限流
func UploadRedisRateLimit() gin.HandlerFunc {
return RedisRateLimit("upload_limit", 20)
}
// CustomRedisRateLimit 自定义 Redis 分布式限流
func CustomRedisRateLimit(keyPrefix string, rate int, window time.Duration) gin.HandlerFunc {
limiter := NewRedisRateLimiter(keyPrefix, rate, window)
return func(c *gin.Context) {
identifier := c.ClientIP()
allowed, err := limiter.Allow(c.Request.Context(), identifier)
if err != nil {
c.Next()
return
}
if !allowed {
response.RateLimit(c)
c.Abort()
return
}
c.Next()
}
}