gitcaddy-server/modules/web/middleware/rate_limit.go

// Copyright 2026 MarketAlly. All rights reserved.
// SPDX-License-Identifier: MIT

package middleware

import (
	"net/http"
	"strconv"
	"time"

	"code.gitcaddy.com/server/v3/modules/setting"
)

// RateLimitHeaders is the header names for rate limit information
const (
	RateLimitHeader          = "X-RateLimit-Limit"
	RateLimitRemainingHeader = "X-RateLimit-Remaining"
	RateLimitResetHeader     = "X-RateLimit-Reset"
)

// RateLimitInfo returns a middleware that sets rate limit headers.
// This is currently informational only - actual rate limiting enforcement
// can be added in the future based on the RateLimitEnabled setting.
func RateLimitInfo() func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
			// Set informational rate limit headers
			// These tell clients what to expect even if enforcement isn't active
			limit := setting.API.RateLimitPerHour

			// Calculate reset time (next hour boundary)
			now := time.Now()
			resetTime := now.Truncate(time.Hour).Add(time.Hour)

			w.Header().Set(RateLimitHeader, strconv.Itoa(limit))

			// When rate limiting is not enforced, remaining equals limit
			// Future: implement actual tracking per user/IP
			remaining := limit
			if setting.API.RateLimitEnabled {
				// TODO: Implement actual rate limit tracking
				// For now, just show full quota when enabled
				remaining = limit
			}

			w.Header().Set(RateLimitRemainingHeader, strconv.Itoa(remaining))
			w.Header().Set(RateLimitResetHeader, strconv.FormatInt(resetTime.Unix(), 10))

			next.ServeHTTP(w, req)
		})
	}
}