ntfy/server/visitor.go

499 lines
16 KiB
Go
Raw Normal View History

2021-11-01 20:21:38 +01:00
package server
import (
2021-12-25 15:15:05 +01:00
"errors"
2023-01-23 04:21:30 +01:00
"fmt"
"heckel.io/ntfy/log"
"heckel.io/ntfy/user"
"net/netip"
2021-11-01 20:21:38 +01:00
"sync"
"time"
"golang.org/x/time/rate"
"heckel.io/ntfy/util"
2021-11-01 20:21:38 +01:00
)
const (
2023-01-27 04:57:18 +01:00
// oneDay is an approximation of a day as a time.Duration
oneDay = 24 * time.Hour
2021-12-24 00:03:04 +01:00
// visitorExpungeAfter defines how long a visitor is active before it is removed from memory. This number
// has to be very high to prevent e-mail abuse, but it doesn't really affect the other limits anyway, since
// they are replenished faster (typically).
2023-01-27 04:57:18 +01:00
visitorExpungeAfter = oneDay
// visitorDefaultReservationsLimit is the amount of topic names a user without a tier is allowed to reserve.
// This number is zero, and changing it may have unintended consequences in the web app, or otherwise
visitorDefaultReservationsLimit = int64(0)
2021-11-01 20:21:38 +01:00
)
2023-01-27 04:57:18 +01:00
// Constants used to convert a tier-user's MessageLimit (see user.Tier) into adequate request limiter
// values (token bucket).
//
// Example: Assuming a user.Tier's MessageLimit is 10,000:
// - the allowed burst is 500 (= 10,000 * 5%), which is < 1000 (the max)
// - the replenish rate is 2 * 10,000 / 24 hours
const (
visitorMessageToRequestLimitBurstRate = 0.05
visitorMessageToRequestLimitBurstMax = 1000
visitorMessageToRequestLimitReplenishFactor = 2
)
// Constants used to convert a tier-user's EmailLimit (see user.Tier) into adequate email limiter
// values (token bucket). Example: Assuming a user.Tier's EmailLimit is 200, the allowed burst is
// 40 (= 200 * 20%), which is <150 (the max).
const (
visitorEmailLimitBurstRate = 0.2
visitorEmailLimitBurstMax = 150
)
2021-12-25 15:15:05 +01:00
var (
errVisitorLimitReached = errors.New("limit reached")
)
2021-11-01 20:21:38 +01:00
// visitor represents an API user, and its associated rate.Limiter used for rate limiting
type visitor struct {
2022-12-19 15:59:32 +01:00
config *Config
messageCache *messageCache
2023-01-27 15:42:54 +01:00
userManager *user.Manager // May be nil
ip netip.Addr // Visitor IP address
user *user.User // Only set if authenticated user, otherwise nil
requestLimiter *rate.Limiter // Rate limiter for (almost) all requests (including messages)
2023-01-27 16:06:48 +01:00
messagesLimiter *util.FixedLimiter // Rate limiter for messages
emailsLimiter *util.RateLimiter // Rate limiter for emails
subscriptionLimiter *util.FixedLimiter // Fixed limiter for active subscriptions (ongoing connections)
bandwidthLimiter *util.RateLimiter // Limiter for attachment bandwidth downloads
2023-01-27 15:42:54 +01:00
accountLimiter *rate.Limiter // Rate limiter for account creation, may be nil
2023-02-08 21:20:44 +01:00
authLimiter *rate.Limiter // Limiter for incorrect login attempts
2023-01-27 15:42:54 +01:00
firebase time.Time // Next allowed Firebase message
seen time.Time // Last seen time of this visitor (needed for removal of stale visitors)
2022-12-19 15:59:32 +01:00
mu sync.Mutex
2021-11-01 20:21:38 +01:00
}
2022-12-28 04:14:14 +01:00
type visitorInfo struct {
2023-01-09 21:40:46 +01:00
Limits *visitorLimits
Stats *visitorStats
}
type visitorLimits struct {
Basis visitorLimitBasis
2023-01-27 04:57:18 +01:00
RequestLimitBurst int
RequestLimitReplenish rate.Limit
MessageLimit int64
MessageExpiryDuration time.Duration
EmailLimit int64
EmailLimitBurst int
EmailLimitReplenish rate.Limit
2023-01-09 21:40:46 +01:00
ReservationsLimit int64
AttachmentTotalSizeLimit int64
AttachmentFileSizeLimit int64
AttachmentExpiryDuration time.Duration
AttachmentBandwidthLimit int64
2023-01-09 21:40:46 +01:00
}
type visitorStats struct {
2022-12-19 22:22:13 +01:00
Messages int64
MessagesRemaining int64
Emails int64
EmailsRemaining int64
Reservations int64
ReservationsRemaining int64
2022-12-19 22:22:13 +01:00
AttachmentTotalSize int64
AttachmentTotalSizeRemaining int64
2022-04-03 18:39:52 +02:00
}
2023-01-09 21:40:46 +01:00
// visitorLimitBasis describes how the visitor limits were derived, either from a user's
// IP address (default config), or from its tier
type visitorLimitBasis string
const (
visitorLimitBasisIP = visitorLimitBasis("ip")
visitorLimitBasisTier = visitorLimitBasis("tier")
)
2023-01-03 02:08:37 +01:00
func newVisitor(conf *Config, messageCache *messageCache, userManager *user.Manager, ip netip.Addr, user *user.User) *visitor {
var messages, emails int64
if user != nil {
messages = user.Stats.Messages
emails = user.Stats.Emails
}
v := &visitor{
2022-12-19 15:59:32 +01:00
config: conf,
messageCache: messageCache,
2023-01-09 21:40:46 +01:00
userManager: userManager, // May be nil
2022-12-19 15:59:32 +01:00
ip: ip,
user: user,
firebase: time.Unix(0, 0),
seen: time.Now(),
subscriptionLimiter: util.NewFixedLimiter(int64(conf.VisitorSubscriptionLimit)),
requestLimiter: nil, // Set in resetLimiters
messagesLimiter: nil, // Set in resetLimiters, may be nil
emailsLimiter: nil, // Set in resetLimiters
bandwidthLimiter: nil, // Set in resetLimiters
accountLimiter: nil, // Set in resetLimiters, may be nil
2023-02-08 21:20:44 +01:00
authLimiter: nil, // Set in resetLimiters, may be nil
2021-11-01 20:21:38 +01:00
}
2023-01-29 02:29:06 +01:00
v.resetLimitersNoLock(messages, emails, false)
return v
2021-11-01 20:21:38 +01:00
}
2023-02-06 05:34:27 +01:00
func (v *visitor) Context() log.Context {
2023-01-23 04:21:30 +01:00
v.mu.Lock()
defer v.mu.Unlock()
2023-02-06 05:34:27 +01:00
return v.contextNoLock()
}
2023-02-06 05:34:27 +01:00
func (v *visitor) contextNoLock() log.Context {
2023-02-07 22:20:49 +01:00
info := v.infoLightNoLock()
2023-02-06 05:34:27 +01:00
fields := log.Context{
2023-02-07 22:20:49 +01:00
"visitor_ip": v.ip.String(),
"visitor_messages": info.Stats.Messages,
"visitor_messages_limit": info.Limits.MessageLimit,
"visitor_messages_remaining": info.Stats.MessagesRemaining,
"visitor_emails": info.Stats.Emails,
"visitor_emails_limit": info.Limits.EmailLimit,
"visitor_emails_remaining": info.Stats.EmailsRemaining,
"visitor_request_limiter_limit": v.requestLimiter.Limit(),
"visitor_request_limiter_tokens": v.requestLimiter.Tokens(),
2023-02-04 04:21:50 +01:00
}
2023-02-08 21:20:44 +01:00
if v.authLimiter != nil {
fields["visitor_auth_limiter_limit"] = v.authLimiter.Limit()
fields["visitor_auth_limiter_tokens"] = v.authLimiter.Tokens()
}
2023-02-04 04:21:50 +01:00
if v.user != nil {
fields["user_id"] = v.user.ID
fields["user_name"] = v.user.Name
2023-02-05 03:26:01 +01:00
if v.user.Tier != nil {
fields["tier_id"] = v.user.Tier.ID
fields["tier_name"] = v.user.Tier.Name
}
2023-02-04 04:21:50 +01:00
if v.user.Billing.StripeCustomerID != "" {
fields["stripe_customer_id"] = v.user.Billing.StripeCustomerID
}
if v.user.Billing.StripeSubscriptionID != "" {
fields["stripe_subscription_id"] = v.user.Billing.StripeSubscriptionID
}
}
return fields
}
2023-02-07 22:20:49 +01:00
func visitorExtendedInfoContext(info *visitorInfo) log.Context {
return log.Context{
"visitor_reservations": info.Stats.Reservations,
"visitor_reservations_limit": info.Limits.ReservationsLimit,
"visitor_reservations_remaining": info.Stats.ReservationsRemaining,
"visitor_attachment_total_size": info.Stats.AttachmentTotalSize,
"visitor_attachment_total_size_limit": info.Limits.AttachmentTotalSizeLimit,
"visitor_attachment_total_size_remaining": info.Stats.AttachmentTotalSizeRemaining,
}
}
2023-02-08 21:20:44 +01:00
func (v *visitor) RequestAllowed() bool {
2023-02-05 03:26:01 +01:00
v.mu.Lock() // limiters could be replaced!
defer v.mu.Unlock()
2023-02-08 21:20:44 +01:00
return v.requestLimiter.Allow()
2023-02-05 03:26:01 +01:00
}
2023-02-08 21:20:44 +01:00
func (v *visitor) FirebaseAllowed() bool {
2022-06-01 02:38:56 +02:00
v.mu.Lock()
defer v.mu.Unlock()
2023-02-08 21:20:44 +01:00
return !time.Now().Before(v.firebase)
2022-06-01 02:38:56 +02:00
}
func (v *visitor) FirebaseTemporarilyDeny() {
v.mu.Lock()
defer v.mu.Unlock()
2022-06-01 05:27:24 +02:00
v.firebase = time.Now().Add(v.config.FirebaseQuotaExceededPenaltyDuration)
2022-06-01 02:38:56 +02:00
}
func (v *visitor) MessageAllowed() bool {
v.mu.Lock() // limiters could be replaced!
defer v.mu.Unlock()
return v.messagesLimiter.Allow()
2023-01-09 02:46:46 +01:00
}
func (v *visitor) EmailAllowed() bool {
v.mu.Lock() // limiters could be replaced!
defer v.mu.Unlock()
return v.emailsLimiter.Allow()
2021-11-01 20:21:38 +01:00
}
func (v *visitor) SubscriptionAllowed() bool {
v.mu.Lock() // limiters could be replaced!
2021-11-01 20:21:38 +01:00
defer v.mu.Unlock()
return v.subscriptionLimiter.Allow()
2021-11-01 20:21:38 +01:00
}
2023-02-08 21:20:44 +01:00
// AuthAllowed returns true if an auth request can be attempted (> 1 token available)
func (v *visitor) AuthAllowed() bool {
v.mu.Lock() // limiters could be replaced!
defer v.mu.Unlock()
if v.authLimiter == nil {
return true
}
return v.authLimiter.Tokens() > 1
}
// AuthFailed records an auth failure
func (v *visitor) AuthFailed() {
v.mu.Lock() // limiters could be replaced!
defer v.mu.Unlock()
if v.authLimiter != nil {
v.authLimiter.Allow()
}
}
// AccountCreationAllowed returns true if a new account can be created
func (v *visitor) AccountCreationAllowed() bool {
v.mu.Lock() // limiters could be replaced!
defer v.mu.Unlock()
2023-02-08 21:20:44 +01:00
if v.accountLimiter == nil || (v.accountLimiter != nil && v.accountLimiter.Tokens() < 1) {
return false
}
return true
}
2023-02-08 21:20:44 +01:00
// AccountCreated decreases the account limiter. This is to be called after an account was created.
func (v *visitor) AccountCreated() {
v.mu.Lock() // limiters could be replaced!
defer v.mu.Unlock()
if v.accountLimiter != nil {
v.accountLimiter.Allow()
}
}
func (v *visitor) BandwidthAllowed(bytes int64) bool {
v.mu.Lock() // limiters could be replaced!
defer v.mu.Unlock()
return v.bandwidthLimiter.AllowN(bytes)
}
2021-11-01 20:21:38 +01:00
func (v *visitor) RemoveSubscription() {
v.mu.Lock()
defer v.mu.Unlock()
v.subscriptionLimiter.AllowN(-1)
2021-11-01 20:21:38 +01:00
}
func (v *visitor) Keepalive() {
v.mu.Lock()
defer v.mu.Unlock()
v.seen = time.Now()
}
2022-01-13 03:24:48 +01:00
func (v *visitor) BandwidthLimiter() util.Limiter {
v.mu.Lock() // limiters could be replaced!
defer v.mu.Unlock()
2022-12-19 15:59:32 +01:00
return v.bandwidthLimiter
2022-01-13 00:52:07 +01:00
}
2021-11-01 20:21:38 +01:00
func (v *visitor) Stale() bool {
v.mu.Lock()
defer v.mu.Unlock()
return time.Since(v.seen) > visitorExpungeAfter
}
2022-04-03 18:39:52 +02:00
2023-01-27 15:59:16 +01:00
func (v *visitor) Stats() *user.Stats {
v.mu.Lock() // limiters could be replaced!
2023-01-27 15:59:16 +01:00
defer v.mu.Unlock()
return &user.Stats{
2023-01-27 16:06:48 +01:00
Messages: v.messagesLimiter.Value(),
Emails: v.emailsLimiter.Value(),
}
2022-12-19 15:59:32 +01:00
}
2023-01-11 04:51:51 +01:00
func (v *visitor) ResetStats() {
v.mu.Lock() // limiters could be replaced!
2023-01-11 04:51:51 +01:00
defer v.mu.Unlock()
v.emailsLimiter.Reset()
2023-01-27 16:06:48 +01:00
v.messagesLimiter.Reset()
2023-01-11 04:51:51 +01:00
}
// User returns the visitor user, or nil if there is none
func (v *visitor) User() *user.User {
v.mu.Lock()
defer v.mu.Unlock()
return v.user // May be nil
}
2023-01-29 02:29:06 +01:00
// IP returns the visitor IP address
func (v *visitor) IP() netip.Addr {
v.mu.Lock()
defer v.mu.Unlock()
return v.ip
}
2023-01-28 05:10:59 +01:00
// Authenticated returns true if a user successfully authenticated
func (v *visitor) Authenticated() bool {
v.mu.Lock()
defer v.mu.Unlock()
return v.user != nil
}
// SetUser sets the visitors user to the given value
2023-01-23 04:21:30 +01:00
func (v *visitor) SetUser(u *user.User) {
v.mu.Lock()
defer v.mu.Unlock()
shouldResetLimiters := v.user.TierID() != u.TierID() // TierID works with nil receiver
2023-01-23 04:21:30 +01:00
v.user = u
if shouldResetLimiters {
2023-01-29 02:29:06 +01:00
v.resetLimitersNoLock(0, 0, true)
}
}
// MaybeUserID returns the user ID of the visitor (if any). If this is an anonymous visitor,
// an empty string is returned.
func (v *visitor) MaybeUserID() string {
v.mu.Lock()
defer v.mu.Unlock()
if v.user != nil {
return v.user.ID
}
return ""
}
2023-01-29 02:29:06 +01:00
func (v *visitor) resetLimitersNoLock(messages, emails int64, enqueueUpdate bool) {
2023-01-27 04:57:18 +01:00
limits := v.limitsNoLock()
v.requestLimiter = rate.NewLimiter(limits.RequestLimitReplenish, limits.RequestLimitBurst)
2023-01-27 16:06:48 +01:00
v.messagesLimiter = util.NewFixedLimiterWithValue(limits.MessageLimit, messages)
v.emailsLimiter = util.NewRateLimiterWithValue(limits.EmailLimitReplenish, limits.EmailLimitBurst, emails)
2023-01-27 04:57:18 +01:00
v.bandwidthLimiter = util.NewBytesLimiter(int(limits.AttachmentBandwidthLimit), oneDay)
if v.user == nil {
v.accountLimiter = rate.NewLimiter(rate.Every(v.config.VisitorAccountCreationLimitReplenish), v.config.VisitorAccountCreationLimitBurst)
2023-02-08 21:20:44 +01:00
v.authLimiter = rate.NewLimiter(rate.Every(v.config.VisitorAuthFailureLimitReplenish), v.config.VisitorAuthFailureLimitBurst)
2023-01-27 04:57:18 +01:00
} else {
v.accountLimiter = nil // Users cannot create accounts when logged in
2023-02-08 21:20:44 +01:00
v.authLimiter = nil // Users are already logged in, no need to limit requests
2023-01-27 04:57:18 +01:00
}
if enqueueUpdate && v.user != nil {
go v.userManager.EnqueueStats(v.user.ID, &user.Stats{
Messages: messages,
Emails: emails,
})
}
2023-02-07 22:20:49 +01:00
log.Fields(v.contextNoLock()).Debug("Rate limiters reset for visitor") // Must be after function, because contextNoLock() describes rate limiters
2023-01-27 04:57:18 +01:00
}
2023-01-09 21:40:46 +01:00
func (v *visitor) Limits() *visitorLimits {
2023-01-19 20:03:39 +01:00
v.mu.Lock()
defer v.mu.Unlock()
2023-01-27 04:57:18 +01:00
return v.limitsNoLock()
}
func (v *visitor) limitsNoLock() *visitorLimits {
2023-01-09 21:40:46 +01:00
if v.user != nil && v.user.Tier != nil {
2023-01-27 04:57:18 +01:00
return tierBasedVisitorLimits(v.config, v.user.Tier)
}
return configBasedVisitorLimits(v.config)
}
func tierBasedVisitorLimits(conf *Config, tier *user.Tier) *visitorLimits {
return &visitorLimits{
Basis: visitorLimitBasisTier,
RequestLimitBurst: util.MinMax(int(float64(tier.MessageLimit)*visitorMessageToRequestLimitBurstRate), conf.VisitorRequestLimitBurst, visitorMessageToRequestLimitBurstMax),
2023-02-07 22:20:49 +01:00
RequestLimitReplenish: util.Max(rate.Every(conf.VisitorRequestLimitReplenish), dailyLimitToRate(tier.MessageLimit*visitorMessageToRequestLimitReplenishFactor)),
2023-01-27 04:57:18 +01:00
MessageLimit: tier.MessageLimit,
MessageExpiryDuration: tier.MessageExpiryDuration,
EmailLimit: tier.EmailLimit,
EmailLimitBurst: util.MinMax(int(float64(tier.EmailLimit)*visitorEmailLimitBurstRate), conf.VisitorEmailLimitBurst, visitorEmailLimitBurstMax),
EmailLimitReplenish: dailyLimitToRate(tier.EmailLimit),
ReservationsLimit: tier.ReservationLimit,
AttachmentTotalSizeLimit: tier.AttachmentTotalSizeLimit,
AttachmentFileSizeLimit: tier.AttachmentFileSizeLimit,
AttachmentExpiryDuration: tier.AttachmentExpiryDuration,
AttachmentBandwidthLimit: tier.AttachmentBandwidthLimit,
}
}
func configBasedVisitorLimits(conf *Config) *visitorLimits {
messagesLimit := replenishDurationToDailyLimit(conf.VisitorRequestLimitReplenish) // Approximation!
if conf.VisitorMessageDailyLimit > 0 {
messagesLimit = int64(conf.VisitorMessageDailyLimit)
}
return &visitorLimits{
Basis: visitorLimitBasisIP,
RequestLimitBurst: conf.VisitorRequestLimitBurst,
RequestLimitReplenish: rate.Every(conf.VisitorRequestLimitReplenish),
MessageLimit: messagesLimit,
MessageExpiryDuration: conf.CacheDuration,
EmailLimit: replenishDurationToDailyLimit(conf.VisitorEmailLimitReplenish), // Approximation!
EmailLimitBurst: conf.VisitorEmailLimitBurst,
EmailLimitReplenish: rate.Every(conf.VisitorEmailLimitReplenish),
ReservationsLimit: visitorDefaultReservationsLimit,
AttachmentTotalSizeLimit: conf.VisitorAttachmentTotalSizeLimit,
AttachmentFileSizeLimit: conf.AttachmentFileSizeLimit,
AttachmentExpiryDuration: conf.AttachmentExpiryDuration,
AttachmentBandwidthLimit: conf.VisitorAttachmentDailyBandwidthLimit,
2023-01-09 21:40:46 +01:00
}
}
2022-12-28 04:14:14 +01:00
func (v *visitor) Info() (*visitorInfo, error) {
2022-12-19 15:59:32 +01:00
v.mu.Lock()
2023-02-07 22:20:49 +01:00
info := v.infoLightNoLock()
2022-12-20 03:42:36 +01:00
v.mu.Unlock()
2023-02-07 22:20:49 +01:00
// Attachment stats from database
2023-01-09 21:40:46 +01:00
var attachmentsBytesUsed int64
2022-12-20 03:42:36 +01:00
var err error
u := v.User()
if u != nil {
attachmentsBytesUsed, err = v.messageCache.AttachmentBytesUsedByUser(u.ID)
2022-12-20 03:42:36 +01:00
} else {
2023-01-29 02:29:06 +01:00
attachmentsBytesUsed, err = v.messageCache.AttachmentBytesUsedBySender(v.IP().String())
2022-12-20 03:42:36 +01:00
}
if err != nil {
return nil, err
}
2023-02-07 22:20:49 +01:00
info.Stats.AttachmentTotalSize = attachmentsBytesUsed
info.Stats.AttachmentTotalSizeRemaining = zeroIfNegative(info.Limits.AttachmentTotalSizeLimit - attachmentsBytesUsed)
// Reservation stats from database
var reservations int64
if v.userManager != nil && u != nil {
reservations, err = v.userManager.ReservationsCount(u.Name)
2023-01-03 02:08:37 +01:00
if err != nil {
return nil, err
2023-01-02 02:42:33 +01:00
}
}
2023-02-07 22:20:49 +01:00
info.Stats.Reservations = reservations
info.Stats.ReservationsRemaining = zeroIfNegative(info.Limits.ReservationsLimit - reservations)
return info, nil
}
func (v *visitor) infoLightNoLock() *visitorInfo {
messages := v.messagesLimiter.Value()
emails := v.emailsLimiter.Value()
limits := v.limitsNoLock()
2023-01-09 21:40:46 +01:00
stats := &visitorStats{
2023-02-07 22:20:49 +01:00
Messages: messages,
MessagesRemaining: zeroIfNegative(limits.MessageLimit - messages),
Emails: emails,
EmailsRemaining: zeroIfNegative(limits.EmailLimit - emails),
2023-01-09 21:40:46 +01:00
}
return &visitorInfo{
Limits: limits,
Stats: stats,
2023-02-07 22:20:49 +01:00
}
2022-12-19 22:22:13 +01:00
}
func zeroIfNegative(value int64) int64 {
if value < 0 {
return 0
}
return value
}
func replenishDurationToDailyLimit(duration time.Duration) int64 {
2023-01-27 04:57:18 +01:00
return int64(oneDay / duration)
2022-12-19 22:22:13 +01:00
}
func dailyLimitToRate(limit int64) rate.Limit {
2023-01-27 04:57:18 +01:00
return rate.Limit(limit) * rate.Every(oneDay)
2022-04-03 18:39:52 +02:00
}
2023-01-18 01:40:03 +01:00
2023-01-27 04:57:18 +01:00
func visitorID(ip netip.Addr, u *user.User) string {
if u != nil && u.Tier != nil {
return fmt.Sprintf("user:%s", u.ID)
2023-01-18 01:40:03 +01:00
}
2023-01-27 04:57:18 +01:00
return fmt.Sprintf("ip:%s", ip.String())
2023-01-18 01:40:03 +01:00
}