samsa

penal-colony/samsa

Fork 0

Commit graph

Author	SHA1	Message	Date
Franz Kafka	a316763aca	fix(test): update CORS preflight test for deny-all default Some checks failed Build and Push Docker Image / build-and-push (push) Failing after 7s Details Mirror to GitHub / mirror (push) Failing after 3s Details Tests / test (push) Successful in 24s Details Empty CORSConfig now means no CORS headers, matching the security fix. Test explicitly configures an origin to test preflight behavior.	2026-03-22 16:38:03 +00:00
Franz Kafka	ebeaeeef21	feat: add CORS and rate limiting middleware CORS: - Configurable allowed origins (wildcard "*" or specific domains) - Handles OPTIONS preflight with configurable methods, headers, max-age - Exposed headers support for browser API access - Env override: CORS_ALLOWED_ORIGINS Rate Limiting: - In-memory per-IP sliding window counter - Configurable request limit and time window - Background goroutine cleans up stale IP entries - HTTP 429 with Retry-After header when exceeded - Extracts real IP from X-Forwarded-For and X-Real-IP (proxy-aware) - Env overrides: RATE_LIMIT_REQUESTS, RATE_LIMIT_WINDOW, RATE_LIMIT_CLEANUP_INTERVAL - Set requests=0 in config to disable Both wired into main.go as middleware chain: rate_limit → cors → handler. Config example updated with [cors] and [rate_limit] sections. Full test coverage for both middleware packages.	2026-03-21 15:54:52 +00:00

Author

SHA1

Message

Date

Franz Kafka

a316763aca

fix(test): update CORS preflight test for deny-all default

Build and Push Docker Image / build-and-push (push) Failing after 7s

Details

Mirror to GitHub / mirror (push) Failing after 3s

Details

Tests / test (push) Successful in 24s

Details

Empty CORSConfig now means no CORS headers, matching the security fix.
Test explicitly configures an origin to test preflight behavior.

2026-03-22 16:38:03 +00:00

Franz Kafka

ebeaeeef21

feat: add CORS and rate limiting middleware

CORS:
- Configurable allowed origins (wildcard "*" or specific domains)
- Handles OPTIONS preflight with configurable methods, headers, max-age
- Exposed headers support for browser API access
- Env override: CORS_ALLOWED_ORIGINS

Rate Limiting:
- In-memory per-IP sliding window counter
- Configurable request limit and time window
- Background goroutine cleans up stale IP entries
- HTTP 429 with Retry-After header when exceeded
- Extracts real IP from X-Forwarded-For and X-Real-IP (proxy-aware)
- Env overrides: RATE_LIMIT_REQUESTS, RATE_LIMIT_WINDOW, RATE_LIMIT_CLEANUP_INTERVAL
- Set requests=0 in config to disable

Both wired into main.go as middleware chain: rate_limit → cors → handler.
Config example updated with [cors] and [rate_limit] sections.
Full test coverage for both middleware packages.

2026-03-21 15:54:52 +00:00

2 commits