[management] add pat rate limiting (#4741)

management/server/http/handler.go

@@ -4,9 +4,13 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"os"
+	"strconv"
+	"time"
 
 	"github.com/gorilla/mux"
 	"github.com/rs/cors"
+	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/management-integrations/integrations"
 
@@ -38,7 +42,12 @@ import (
 	"github.com/netbirdio/netbird/management/server/telemetry"
 )
 
-const apiPrefix = "/api"
+const (
+	apiPrefix              = "/api"
+	rateLimitingEnabledKey = "NB_API_RATE_LIMITING_ENABLED"
+	rateLimitingBurstKey   = "NB_API_RATE_LIMITING_BURST"
+	rateLimitingRPMKey     = "NB_API_RATE_LIMITING_RPM"
+)
 
 // NewAPIHandler creates the Management service HTTP API handler registering all the available endpoints.
 func NewAPIHandler(
@@ -58,11 +67,42 @@ func NewAPIHandler(
 	settingsManager settings.Manager,
 ) (http.Handler, error) {
 
+	var rateLimitingConfig *middleware.RateLimiterConfig
+	if os.Getenv(rateLimitingEnabledKey) == "true" {
+		rpm := 6
+		if v := os.Getenv(rateLimitingRPMKey); v != "" {
+			value, err := strconv.Atoi(v)
+			if err != nil {
+				log.Warnf("parsing %s env var: %v, using default %d", rateLimitingRPMKey, err, rpm)
+			} else {
+				rpm = value
+			}
+		}
+
+		burst := 500
+		if v := os.Getenv(rateLimitingBurstKey); v != "" {
+			value, err := strconv.Atoi(v)
+			if err != nil {
+				log.Warnf("parsing %s env var: %v, using default %d", rateLimitingBurstKey, err, burst)
+			} else {
+				burst = value
+			}
+		}
+
+		rateLimitingConfig = &middleware.RateLimiterConfig{
+			RequestsPerMinute: float64(rpm),
+			Burst:             burst,
+			CleanupInterval:   6 * time.Hour,
+			LimiterTTL:        24 * time.Hour,
+		}
+	}
+
 	authMiddleware := middleware.NewAuthMiddleware(
 		authManager,
 		accountManager.GetAccountIDFromUserAuth,
 		accountManager.SyncUserJWTGroups,
 		accountManager.GetUserFromUserAuth,
+		rateLimitingConfig,
 	)
 
 	corsMiddleware := cors.AllowAll()