[BACK-2719] Implement rate limiting and add useful middleware

Cargo.toml

@@ -44,6 +44,13 @@ futures-util = "0.3"
 mini-moka = "0.10.3"
 axum = "0.7.5"
 reqwest = "0.12.3"
+url = "2.5.0"
+futures = "0.3.30"
+sha256 = "1.5.0"
+tower = { version = "0.4.13", features = ["full"] }
+tower_governor = { version = "0.3.2", features = ["axum"] }
+governor = { version = "0.6.0" }
+tower-http = { version = "0.5.2", features = ["cors", "compression-full", "trace"] }
 alloy = { git = "https://github.com/alloy-rs/alloy", rev = "17633df", features = [
     "sol-types",
     "network",
@@ -71,10 +78,6 @@ alloy-core = { git = "https://github.com/alloy-rs/core", rev = "7574bfc" }
 alloy-sol-types = { git = "https://github.com/alloy-rs/core", rev = "7574bfc", features = ["eip712-serde"] }
 alloy-primitives = { git = "https://github.com/alloy-rs/core", rev = "7574bfc", features = ["serde"] }
 alloy-sol-macro = { git = "https://github.com/alloy-rs/core", rev = "7574bfc", features = ["json"] }
-url = "2.5.0"
-futures = "0.3.30"
-sha256 = "1.5.0"
-tower = "0.4.13"
 
 
 [patch.crates-io]

examples/extra_rules_and_routes.rs

@@ -30,12 +30,12 @@ async fn main() -> eyre::Result<()> {
     let ctl = mintpool::run::start_p2p_services(&config, rules).await?;
 
     // Add some custom routes in addition to the defaults. You could also add middleware or anything else you can do with axum.
-    let mut router = mintpool::api::router_with_defaults();
+    let mut router = mintpool::api::router_with_defaults(&config);
     router = router
         .route("/simple", get(my_simple_route))
         .route("/count", get(query_route));
 
-    start_api(&config, ctl.clone(), router).await?;
+    start_api(&config, ctl.clone(), router, true).await?;
 
     let mut sigint = signal(SignalKind::interrupt())?;
     let mut sigterm = signal(SignalKind::terminate())?;

src/api.rs

@@ -3,14 +3,19 @@ use crate::controller::{ControllerCommands, ControllerInterface, DBQuery};
 use crate::rules::Results;
 use crate::storage;
 use crate::types::PremintTypes;
+use axum::error_handling::HandleErrorLayer;
 use axum::extract::State;
 use axum::http::StatusCode;
 use axum::middleware::from_fn_with_state;
 use axum::routing::{get, post};
 use axum::{Json, Router};
 use serde::Serialize;
 use sqlx::SqlitePool;
+use std::time::Duration;
 use tokio::net::TcpListener;
+use tower::{BoxError, ServiceBuilder};
+use tower_governor::governor::GovernorConfigBuilder;
+use tower_governor::GovernorLayer;
 
 #[derive(Clone)]
 pub struct AppState {
@@ -35,17 +40,52 @@ impl AppState {
     }
 }
 
-pub fn router_with_defaults() -> Router<AppState> {
+pub fn router_with_defaults(config: &Config) -> Router<AppState> {
+    let governor_conf = Box::new(
+        GovernorConfigBuilder::default()
+            .per_second(1)
+            .burst_size(config.rate_limit_rps)
+            .finish()
+            .unwrap(),
+    );
+    // rate limiter annoyingly needs a process to clean up the state
+    // a separate background task to clean up
+    let governor_limiter = governor_conf.limiter().clone();
+    tokio::spawn(async move {
+        loop {
+            tokio::time::sleep(Duration::from_secs(60)).await;
+            governor_limiter.retain_recent();
+        }
+    });
+
     Router::new()
         .route("/health", get(health))
         .route("/list-all", get(list_all))
         .route("/submit-premint", post(submit_premint))
+        .layer(
+            ServiceBuilder::new()
+                .layer(HandleErrorLayer::new(|error: BoxError| async move {
+                    (
+                        StatusCode::INTERNAL_SERVER_ERROR,
+                        format!("Unhandled error: {:?}", error),
+                    )
+                }))
+                .layer(tower_http::trace::TraceLayer::new_for_http())
+                .layer(tower::timeout::TimeoutLayer::new(Duration::from_secs(10)))
+                .layer(tower_http::cors::CorsLayer::new().allow_origin(tower_http::cors::Any))
+                .layer(tower_http::compression::CompressionLayer::new().gzip(true)),
+        )
+        .layer(GovernorLayer {
+            config: Box::leak(governor_conf),
+        })
 }
 
 fn with_admin_routes(state: AppState, router: Router<AppState>) -> Router<AppState> {
     let admin = Router::new()
         .route("/admin/node", get(admin::node_info))
         .route("/admin/add-peer", post(admin::add_peer))
+        // admin submit premint route is not rate limited (allows for operator to send high volume of premints)
+        .route("/admin/submit-premint", post(submit_premint))
         .layer(from_fn_with_state(state, admin::auth_middleware));
 
     router.merge(admin)

src/config.rs

@@ -66,6 +66,9 @@ pub struct Config {
     // secret key used to access admin api routes
     #[envconfig(from = "ADMIN_API_SECRET")]
     pub admin_api_secret: Option<String>,
+
+    #[envconfig(from = "RATE_LIMIT_RPS", default = "2")]
+    pub rate_limit_rps: u32,
 }
 
 impl Config {
@@ -89,6 +92,7 @@ impl Config {
             interactive: false,
             enable_rpc: true,
             admin_api_secret: None,
+            rate_limit_rps: 1,
         }
     }
 }
@@ -189,6 +193,8 @@ mod test {
             external_address: None,
             interactive: false,
             enable_rpc: true,
+            admin_api_secret: None,
+            rate_limit_rps: 1,
         };
 
         let names = config.premint_names();
@@ -213,6 +219,8 @@ mod test {
             external_address: None,
             interactive: false,
             enable_rpc: true,
+            admin_api_secret: None,
+            rate_limit_rps: 1,
         };
 
         let names = config.premint_names();

src/main.rs

@@ -25,7 +25,7 @@ async fn main() -> eyre::Result<()> {
     rules.add_default_rules();
     let ctl = start_p2p_services(&config, rules).await?;
 
-    let router = api::router_with_defaults();
+    let router = api::router_with_defaults(&config);
     api::start_api(&config, ctl.clone(), router, true).await?;
 
     start_watch_chain::<ZoraPremintV2>(&config, ctl.clone()).await;

tests/common/mod.rs

@@ -43,6 +43,8 @@ pub mod mintpool_build {
             peer_port: port,
             interactive: false,
             enable_rpc: true,
+            admin_api_secret: None,
+            rate_limit_rps: 1,
         }
     }
 

tests/e2e_test.rs

@@ -62,6 +62,8 @@ async fn test_zora_premint_v2_e2e() {
         external_address: None,
         interactive: false,
         enable_rpc: true,
+        admin_api_secret: None,
+        rate_limit_rps: 1,
     };
 
     // set this so CHAINS will use the anvil rpc rather than the one in chains.json