• src/sbbs3/ratelimit.hpp src/sbbs3/sbbs_ini.c websrvr.cpp websrvr.h

    From Rob Swindell (on Windows 11)@VERT to Git commit to main/sbbs/master on Thursday, February 05, 2026 20:57:22
    https://gitlab.synchro.net/main/sbbs/-/commit/bd375c1e4077420ff7f9148e
    Added Files:
    src/sbbs3/ratelimit.hpp
    Modified Files:
    src/sbbs3/sbbs_ini.c websrvr.cpp websrvr.h
    Log Message:
    Add a basic and optional rate limiter, initially just for HTTP[S] requests

    This is experimental - I'm a little uneasy about the thread safety and may need to add some mutex protection, but testing will help to know.

    I'm also a little uneasy about the memory usage. My original idea was to use an array or vector with an element for every second in the rate limit period, each element would be an unordered_map with the IP address as the key and the count (of requests) in that second as the value. This would limit the memory usage to period * IPs. The process of trimming or wrapping the array to automatically "throw out" seconds beyond the rate limit period wasn't clear to me yet.

    However, as I started to type the implementation, Co-pilot recommended this approach which is simpler: it uses an unordered_map with the IP for the key, but the value is an array of times of each request from each client. So the memory requirements are IPs * max_requests_per_period * period. It's still bounded, but a larger possible total amount of memory required. The cleanup operation is now clear though and Co-pilot implemented that for me as well.

    Enable this feature by setting the following keys in the [Web] section of ctrl/sbbs.ini:
    - MaxRequestPerPeriod
    - RequestRateLimitPeriod

    e.g. setting MaxRequestPerPeriod to 1000 and RequestRateLimitPeriod to 600 would set the maximum request rate to 1000 requests per 10 minutes.

    If this works well, we can use this same rate limiter for other actions
    (e.g. connections) and servers and could have separate rate limits for authenticated versus unauthenticated users, apply whitelists, etc.

    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
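A sketch of the per-IP timestamp approach the log message describes, with the mutex protection it mentions as a possible follow-up. This is an added example, not the contents of src/sbbs3/ratelimit.hpp; the class name, method names and the rule that a zero setting disables limiting are assumptions. Rejected requests are not recorded, so each tracked IP holds at most MaxRequestPerPeriod timestamps.

```cpp
#include <chrono>
#include <cstddef>
#include <deque>
#include <mutex>
#include <string>
#include <unordered_map>

// Hypothetical class for illustration; not the project's ratelimit.hpp.
class SlidingWindowLimiter {
public:
    using Clock = std::chrono::steady_clock;

    // Arguments mirror MaxRequestPerPeriod and RequestRateLimitPeriod (seconds).
    // Assumption: a zero in either one disables limiting.
    SlidingWindowLimiter(std::size_t max_requests, std::chrono::seconds period)
        : max_(max_requests), period_(period) {}

    // Record a request from `ip`; false means the client is over the limit.
    // `now` is a parameter so the behaviour can be tested without sleeping.
    bool allow(const std::string& ip, Clock::time_point now = Clock::now()) {
        if (max_ == 0 || period_.count() == 0)
            return true;
        std::lock_guard<std::mutex> lock(mutex_); // one lock guards the whole map
        auto& times = clients_[ip];
        expire(times, now);
        if (times.size() >= max_)
            return false; // not stored, so at most max_ entries per IP
        times.push_back(now);
        return true;
    }

    // Forget clients with no request left in the window.
    // Returns the number of clients still tracked.
    std::size_t cleanup(Clock::time_point now = Clock::now()) {
        std::lock_guard<std::mutex> lock(mutex_);
        for (auto it = clients_.begin(); it != clients_.end();) {
            expire(it->second, now);
            if (it->second.empty()) it = clients_.erase(it); else ++it;
        }
        return clients_.size();
    }
private:
    // Oldest timestamps sit at the front, so expiry only pops from there.
    void expire(std::deque<Clock::time_point>& times, Clock::time_point now) const {
        while (!times.empty() && now - times.front() >= period_)
            times.pop_front();
    }
    std::size_t max_;
    std::chrono::seconds period_;
    std::mutex mutex_;
    std::unordered_map<std::string, std::deque<Clock::time_point>> clients_;
};
```

Calling `cleanup()` periodically from a housekeeping thread keeps the map bounded by the number of clients seen within one period.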