Add public middleware with basic rate limiting and timestamp checks

[gocanto]

Summary

• introduce PublicMiddleware for IP-based rate limiting and timestamp validation
• block replayed requests via TTLCache and provide tests

Testing

• go test ./pkg/middleware -count=1

---

https://chatgpt.com/codex/tasks/task_e_68be7b7819608333a4c727b82c5b3f1e

Summary by CodeRabbit

• New Features
  • Added middleware protecting public endpoints with IP-based rate limiting, timestamp validation (with clock skew tolerance), and duplicate-request (replay) detection.
  • Provides clearer responses: 401 for missing/invalid headers, expired timestamps, or replayed requests; 429 when rate limits are exceeded.
• Tests
  • Introduced unit tests covering invalid/missing headers, expired timestamps, replay detection, and rate-limit scenarios to ensure reliable behavior.

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Warning

Rate limit exceeded

@gocanto has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 21 minutes and 57 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 10cbc68 and e41af96.

📒 Files selected for processing (5)

• docs/middleware/public_middleware.md (1 hunks)
• docs/middleware/token_analysis_v1.md (0 hunks)
• docs/middleware/token_middleware.md (2 hunks)
• pkg/middleware/public_middleware.go (1 hunks)
• pkg/middleware/public_middleware_test.go (1 hunks)

Walkthrough

Adds a new PublicMiddleware for public endpoints with request header validation, IP extraction, rate limiting, timestamp validation, and replay protection via TTL cache. Includes constructor with defaults, dependency guard, and unit tests covering missing/expired timestamps, replay detection, and rate limiting.

Changes

Cohort / File(s)	Summary of Changes
Public middleware implementation pkg/middleware/public_middleware.go	Introduces PublicMiddleware struct, constructor with defaults, dependency guard, and Handle method enforcing header presence, IP extraction, rate limiting, timestamp validation, and duplicate request detection via TTL cache.
Unit tests for middleware pkg/middleware/public_middleware_test.go	Adds tests for missing timestamp header (401), expired timestamp (401), replay detection (401), and subsequent rate limit exceedance (429); configures time source and in-memory rate limiter.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant C as Client
  participant PM as PublicMiddleware
  participant RL as RateLimiter
  participant TS as Timestamp Validator
  participant RC as TTL Cache
  participant H as Next Handler

  C->>PM: HTTP request (X-Request-ID, X-API-Timestamp, X-Forwarded-For)
  PM->>PM: guardDependencies()
  alt Missing headers / invalid IP
    PM-->>C: 401 UnauthenticatedError
  else Dependencies OK
    PM->>RL: Check IP quota
    alt Rate limit exceeded
      RL-->>PM: TooMany
      PM-->>C: 429 Too Many Requests
    else Within quota
      PM->>TS: Validate timestamp (clockSkew, disallowFuture)
      alt Invalid/expired timestamp
        TS-->>PM: Invalid
        PM-->>C: 401 UnauthenticatedError
      else Timestamp valid
        PM->>RC: Check/set (IP + RequestID) within requestTTL
        alt Duplicate found
          RC-->>PM: Duplicate
          PM->>RL: Increment IP usage
          PM-->>C: 401 UnauthenticatedError (replay)
        else New request
          RC-->>PM: Stored
          PM->>H: Call next handler
          H-->>PM: Response
          PM-->>C: Response
        end
      end
    end
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Align tests with updated middleware API #85 — Adjusted timestamp validation constructor/parameters used by PublicMiddleware; alignment between middleware and validator is likely required.

Poem

A bunny hops through headers bright,
Sniffs timestamps left and right,
Caches footprints, blocks a replay,
Counts the hops per minute’s sway.
If queues are full—thump!—please wait;
Fresh IDs pass the garden gate.
All clear—onward, through the crate! 🐇⏱️🚦

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch codex/create-rate-limiting-middleware

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @gocanto, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a new PublicMiddleware component designed to enhance the security and stability of public API endpoints. It implements essential protections such as IP-based rate limiting and timestamp validation to prevent common attack vectors like replay attacks, ensuring that requests are legitimate and not excessively frequent.

Highlights

• New Public Middleware: Introduces PublicMiddleware to provide basic security for public endpoints, including IP-based rate limiting and timestamp validation.
• Replay Attack Prevention: Implements a mechanism using TTLCache to block replayed requests by checking for duplicate request IDs within a defined time-to-live window.
• Comprehensive Testing: Adds a dedicated test file (public_middleware_test.go) with tests covering invalid headers, expired timestamps, and the rate limiting and replay prevention functionalities.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a PublicMiddleware to provide rate limiting and replay attack protection for public endpoints. The implementation is clean and uses a TTLCache for checking request nonces and an in-memory rate limiter. The tests cover the main success and failure paths, including rate limiting after a replayed request. My review includes a suggestion to correct an error status code for server-side configuration issues and a recommendation to expand test coverage for invalid request headers using a table-driven approach.