fix(echo): rate-limit + idempotent likes on public endpoint

lin-snow · claude · lin-snow · commit cecc2c19b590 · 2026-05-03T11:59:05.000+08:00
匿名 PUT /echo/like/:id 此前无任何限流或去重，单 IP 可任意刷 fav_count 并触发 四键缓存失效（GHSA-pj6q-4vq4-r8cg）。新增通用 RateLimitWithIdempotency 中间件 组合两层防御：单 IP 令牌桶限速（2 rps / 5 burst）+ (IP, echoID) 维度的小时级 幂等窗口；窗口内重复请求按幂等处理，返回与正常成功路径形状一致的响应，客户端 无感知。 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/internal/middleware/ratelimit.go b/internal/middleware/ratelimit.go
@@ -65,29 +65,122 @@ func (rl *rateLimiter) allow(key string) bool {
 
 func RateLimit(rps, burst int) gin.HandlerFunc {
 	limiter := newRateLimiter(rps, burst)
+	startBucketGC(limiter, 5*time.Minute, 10*time.Minute)
 
+	return func(c *gin.Context) {
+		key := c.ClientIP()
+		if !limiter.allow(key) {
+			c.JSON(http.StatusTooManyRequests, gin.H{"error": "rate limit exceeded"})
+			c.Abort()
+			return
+		}
+		c.Next()
+	}
+}
+
+// RateLimitWithIdempotency 在 RateLimit 基础上叠加幂等窗口，适用于"写多读少且天然幂等"的接口
+// （例如点赞）。
+//
+//   - 单 IP 令牌桶限速：超过阈值返回 429。
+//   - (IP, 资源 ID) 维度的去重窗口：同一 IP 在 dedupTTL 内对同一资源的请求被视作已处理，
+//     调用 onIdempotent 写出响应并中止后续处理，避免重复请求触发数据库写入与缓存失效。
+//
+// resourceParam 是 gin 路径参数名（如 "id"）。当 IP 或资源 ID 缺失时跳过去重检查，
+// 由 handler 进行业务校验并返回业务错误，避免幂等逻辑掩盖参数问题。
+//
+// onIdempotent 必须自行写出响应并 Abort；推荐返回与正常成功路径形状一致的响应，
+// 使客户端无感知。
+func RateLimitWithIdempotency(
+	rps, burst int,
+	dedupTTL time.Duration,
+	resourceParam string,
+	onIdempotent gin.HandlerFunc,
+) gin.HandlerFunc {
+	limiter := newRateLimiter(rps, burst)
+	dedup := newIdempotencyStore(dedupTTL)
+
+	gcInterval := max(dedupTTL, time.Minute)
+	startBucketGC(limiter, gcInterval, 10*time.Minute)
+	startIdempotencyGC(dedup, gcInterval)
+
+	return func(c *gin.Context) {
+		ip := c.ClientIP()
+		if !limiter.allow(ip) {
+			c.JSON(http.StatusTooManyRequests, gin.H{"error": "rate limit exceeded"})
+			c.Abort()
+			return
+		}
+
+		resourceID := c.Param(resourceParam)
+		if ip != "" && resourceID != "" && !dedup.acquire(ip+"|"+resourceID, time.Now()) {
+			onIdempotent(c)
+			c.Abort()
+			return
+		}
+
+		c.Next()
+	}
+}
+
+func startBucketGC(rl *rateLimiter, interval, idle time.Duration) {
 	go func() {
-		ticker := time.NewTicker(5 * time.Minute)
+		ticker := time.NewTicker(interval)
 		defer ticker.Stop()
 		for range ticker.C {
-			limiter.mu.Lock()
-			cutoff := time.Now().Add(-10 * time.Minute)
-			for k, b := range limiter.buckets {
+			rl.mu.Lock()
+			cutoff := time.Now().Add(-idle)
+			for k, b := range rl.buckets {
 				if b.lastTime.Before(cutoff) {
-					delete(limiter.buckets, k)
+					delete(rl.buckets, k)
 				}
 			}
-			limiter.mu.Unlock()
+			rl.mu.Unlock()
 		}
 	}()
+}
 
-	return func(c *gin.Context) {
-		key := c.ClientIP()
-		if !limiter.allow(key) {
-			c.JSON(http.StatusTooManyRequests, gin.H{"error": "rate limit exceeded"})
-			c.Abort()
-			return
+// idempotencyStore 维护 (IP, 资源 ID) → 最近一次命中时间的映射，由后台 goroutine
+// 周期性回收过期条目，使内存占用与活跃来源数成正比而非历史累积。
+type idempotencyStore struct {
+	mu   sync.Mutex
+	seen map[string]time.Time
+	ttl  time.Duration
+}
+
+func newIdempotencyStore(ttl time.Duration) *idempotencyStore {
+	return &idempotencyStore{
+		seen: make(map[string]time.Time),
+		ttl:  ttl,
+	}
+}
+
+// acquire 在窗口内未命中时记录并返回 true（允许放行）；命中时返回 false（应作幂等处理）。
+func (s *idempotencyStore) acquire(key string, now time.Time) bool {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if t, ok := s.seen[key]; ok && now.Sub(t) < s.ttl {
+		return false
+	}
+	s.seen[key] = now
+	return true
+}
+
+func (s *idempotencyStore) gc(now time.Time) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	for k, t := range s.seen {
+		if now.Sub(t) >= s.ttl {
+			delete(s.seen, k)
 		}
-		c.Next()
 	}
 }
+
+func startIdempotencyGC(s *idempotencyStore, interval time.Duration) {
+	go func() {
+		ticker := time.NewTicker(interval)
+		defer ticker.Stop()
+		for range ticker.C {
+			s.gc(time.Now())
+		}
+	}()
+}
diff --git a/internal/router/echo.go b/internal/router/echo.go
@@ -4,15 +4,29 @@
 package router
 
 import (
+	"net/http"
+	"time"
+
+	"github.com/gin-gonic/gin"
 	"github.com/lin-snow/ech0/internal/handler"
 	"github.com/lin-snow/ech0/internal/middleware"
 	authModel "github.com/lin-snow/ech0/internal/model/auth"
+	commonModel "github.com/lin-snow/ech0/internal/model/common"
 )
 
 // setupEchoRoutes 设置Echo路由
 func setupEchoRoutes(appRouterGroup *AppRouterGroup, h *handler.Bundle) {
 	// Public
-	appRouterGroup.PublicRouterGroup.PUT("/echo/like/:id", h.EchoHandler.LikeEcho())
+	// 点赞接口保持匿名可访问，但叠加 IP 维度的限速 + (IP, echoID) 维度的去重窗口，
+	// 防止匿名调用方反复刷 fav_count、放大数据库与缓存压力。窗口内的重复请求按
+	// 幂等处理，返回与正常成功路径形状一致的响应。
+	appRouterGroup.PublicRouterGroup.PUT(
+		"/echo/like/:id",
+		middleware.RateLimitWithIdempotency(2, 5, time.Hour, "id", func(c *gin.Context) {
+			c.JSON(http.StatusOK, commonModel.OK[any](nil, commonModel.LIKE_ECHO_SUCCESS))
+		}),
+		h.EchoHandler.LikeEcho(),
+	)
 	appRouterGroup.PublicRouterGroup.GET("/tags", h.EchoHandler.GetAllTags())
 
 	// Auth
