arcly-http 0.4.0

Enterprise-grade NestJS-inspired web framework on axum: zero-lock DI, declarative controllers, multi-tenant data routing, transactional outbox, ABAC, and a self-documenting OpenAPI surface
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96

//! Lock-free fixed-window rate limiter.
//!
//! Lives under `resilience` (not `auth/guards`) because rate limiting is a
//! load-shedding concern, independent of who the caller is. It still
//! implements [`Guard`] so it composes with auth guards at handler level:
//!
//! ```ignore
//! static PUBLIC_RATE: RateLimit = RateLimit::new(200, 60);
//! PUBLIC_RATE.check(&ctx)?;
//! ```

use std::sync::atomic::{AtomicU64, Ordering::Relaxed};
use std::time::{SystemTime, UNIX_EPOCH};

use crate::auth::guards::Guard;
use crate::web::{Error, RequestContext};

/// Per-instance fixed-window limiter. Zero locks: a `(window_start, count)` pair
/// is packed into a single `AtomicU64` and updated via CAS.
pub struct RateLimit {
    state: AtomicU64, // high 32 bits = window-start seconds, low 32 = count
    window_secs: u32,
    max_per_window: u32,
}

impl RateLimit {
    pub const fn new(max_per_window: u32, window_secs: u32) -> Self {
        Self {
            state: AtomicU64::new(0),
            window_secs,
            max_per_window,
        }
    }

    fn now_secs() -> u32 {
        SystemTime::now()
            .duration_since(UNIX_EPOCH)
            .map(|d| d.as_secs() as u32)
            .unwrap_or(0)
    }
}

impl RateLimit {
    /// CAS admission core, parameterised by the clock for testability.
    /// `true` = admitted, `false` = over the window limit.
    fn admit_at(&self, now: u32) -> bool {
        loop {
            let cur = self.state.load(Relaxed);
            let (start, count) = ((cur >> 32) as u32, cur as u32);
            let (new_start, new_count) = if now.saturating_sub(start) >= self.window_secs {
                (now, 1)
            } else {
                (start, count.saturating_add(1))
            };
            if new_count > self.max_per_window {
                return false;
            }
            let next = ((new_start as u64) << 32) | (new_count as u64);
            if self
                .state
                .compare_exchange(cur, next, Relaxed, Relaxed)
                .is_ok()
            {
                return true;
            }
        }
    }
}

impl Guard for RateLimit {
    fn check(&self, _ctx: &RequestContext) -> Result<(), Error> {
        if self.admit_at(Self::now_secs()) {
            Ok(())
        } else {
            metrics::counter!("rate_limited_total").increment(1);
            Err(Error::TooManyRequests)
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn enforces_limit_and_resets_on_window_roll() {
        let rl = RateLimit::new(2, 60);
        assert!(rl.admit_at(1_000));
        assert!(rl.admit_at(1_000));
        assert!(!rl.admit_at(1_030), "third hit in the window is rejected");
        // Window rolls: counter resets.
        assert!(rl.admit_at(1_060));
        assert!(rl.admit_at(1_061));
        assert!(!rl.admit_at(1_062));
    }
}