From 11f9c135804c396b45fd2e0a07ceb265a18ec3e2 Mon Sep 17 00:00:00 2001
From: Philip Gough
Date: Wed, 14 Dec 2022 09:52:14 +0000
Subject: [PATCH] Ensure rate limiting middleware called before any paths are stripped (#421)
---
 main.go | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/main.go b/main.go
index 0ca60381a..a8431c0bf 100644
--- a/main.go
+++ b/main.go
@@ -584,17 +584,21 @@ func main() {
 // Metrics.
 if cfg.metrics.enabled {
- var metricsMiddlewares []func(http.Handler) http.Handler
- tenantMiddlewares := authentication.WithTenantMiddlewares(pm.Middlewares)
- tenantHeaderMiddleware := authentication.WithTenantHeader(cfg.metrics.tenantHeader, tenantIDs)
- metricsMiddlewares = append(metricsMiddlewares, tenantMiddlewares, tenantHeaderMiddleware)
+ metricsMiddlewares := []func(http.Handler) http.Handler{
+ authentication.WithTenantMiddlewares(pm.Middlewares),
+ authentication.WithTenantHeader(cfg.metrics.tenantHeader, tenantIDs),
+ }
+
+ // rateLimitMiddleware should be appended early onto the router middleware stack
+ // prior to any path stripping or other middleware that may alter the request path
+ // in order to avoid unexpected path matching issues.
 rateLimitMiddleware := ratelimit.WithLocalRateLimiter(rateLimits...)
 if rateLimitClient != nil {
 rateLimitMiddleware = ratelimit.WithSharedRateLimiter(logger, rateLimitClient, rateLimits...)
 }
- metricsMiddlewares = append(metricsMiddlewares, rateLimitMiddleware)
 r.Group(func(r chi.Router) {
+ r.Use(rateLimitMiddleware)
 r.Use(metricsMiddlewares...)
 r.HandleFunc("/{tenant}", func(w http.ResponseWriter, r *http.Request) {
 tenant, ok := authentication.GetTenant(r.Context())
@@ -608,6 +612,7 @@ func main() {
 })
 r.Group(func(r chi.Router) {
+ r.Use(rateLimitMiddleware)
 r.Mount("/api/v1/{tenant}", metricslegacy.NewHandler(
 cfg.metrics.readEndpoint,
 metricsUpstreamCACert,
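Review bot: Registering `r.Use(rateLimitMiddleware)` ahead of `r.Use(metricsMiddlewares...)` in the first group means the limiter now runs before `authentication.WithTenantMiddlewares` and `authentication.WithTenantHeader`, so requests that later fail tenant authentication are rate-limited and counted too. How the limiter keys its buckets is not visible in this patch. If it buckets by the tenant named in the path, or reads the tenant from the request context the way the `/{tenant}` handler does with `authentication.GetTenant`, then unauthenticated traffic may draw down an authenticated tenant's quota, or the tenant may not be resolved yet when the limiter runs. Please confirm which applies and record it in the new comment, e.g. `// NOTE: runs before tenant authentication; rejected requests also count against the limit.` The same ordering question applies to the `r.Use(rateLimitMiddleware)` added in the second hunk, and both groups continue outside the hunks, so any middleware registered later in them is not visible here.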