feat: abuse prevention hardening

[itsLeonB]

Summary

Security hardening to prevent automated abuse and information leakage.

Changes

Opaque search results (user enumeration prevention)

• Search endpoints return only minimal profile fields, preventing user ID enumeration

Rate limiter fixes & hardening

• Fix memory leak in value-based rate limiter (add TTL eviction)
• Make rate limit parameters configurable
• Harden per-IP and per-user rate limiting

CAPTCHA on password reset (Cloudflare Turnstile)

• Add CaptchaService interface with Turnstile server-side verification
• Noop bypass when AUTH_TURNSTILE_SECRET_KEY is empty (local dev)
• Verify captcha token before processing password reset requests
• Proper context propagation and 10s HTTP client timeout
• Unit tests with httptest server

Configuration

New env var: AUTH_TURNSTILE_SECRET_KEY (leave empty to disable in dev)

Testing

• All existing tests pass
• New unit tests for captcha service (noop, success, failure, network error)
• Rate limiter tests for eviction and allow/deny behavior

Summary by CodeRabbit

• New Features

  • Added rate limiting for authentication endpoints and protected profile endpoints
  • Implemented CAPTCHA verification for password reset requests

• Documentation

  • Updated API specifications to reflect new response formats for authentication endpoints and profile search results

• Tests

  • Added rate limiting integration and unit tests
  • Added CAPTCHA verification unit tests
  • Added profile search tests

[coderabbitai]

Warning

Review limit reached

@itsLeonB, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 42 minutes and 14 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1b932995-e5ba-4b04-a9ff-4bf00fb0300c

📥 Commits

Reviewing files that changed from the base of the PR and between 16d12b1 and 2622b67.

📒 Files selected for processing (6)

• docs/docs.go
• docs/swagger.json
• docs/swagger.yaml
• internal/adapters/http/handler/auth_handler.go
• internal/domain/service/captcha_service.go
• internal/domain/service/captcha_service_test.go

📝 Walkthrough

Walkthrough

This PR adds Cloudflare Turnstile CAPTCHA verification and per-email rate-limiting for password reset requests, updates the profile search endpoint to return minimal response fields (ID, Name, Avatar), and generates corresponding test infrastructure and API documentation updates.

Changes

CAPTCHA Verification, Rate-Limiting, and Profile Search API Update

Layer / File(s)	Summary
CAPTCHA Service Implementation and Configuration internal/core/config/auth_config.go, internal/domain/service/captcha_service.go, internal/domain/service/captcha_service_test.go, internal/provider/service_provider.go, .env.example, go.mod	Introduces CaptchaService interface with Turnstile implementation that posts to Cloudflare endpoint and gracefully returns no-op when secret is unconfigured. Adds TurnstileSecretKey configuration field, wires service into provider, updates dependency (golang.org/x/time and ungerr version bump).
Per-Key Rate-Limiting Middleware internal/adapters/http/middlewares/ratelimit.go, internal/adapters/http/middlewares/ratelimit_test.go, internal/adapters/http/middlewares/ratelimit_integration_test.go	New ValueLimiter provides per-key rate-limit buckets with mutex protection, TTL-based cleanup, and WithRateKey Gin middleware extracts context-derived rate keys into headers. Unit and integration tests verify per-IP and per-user rate-limiting behavior.
Auth Handler: CAPTCHA + Email Rate-Limiting for Password Reset internal/adapters/http/handler/auth_handler.go, internal/domain/dto/auth_dto.go, internal/adapters/http/handler/handlers.go	AuthHandler now accepts CaptchaService and ValueLimiter dependencies; HandleSendPasswordReset verifies CAPTCHA token and enforces per-email rate-limits (3 per hour). SendPasswordResetRequest DTO gains required CaptchaToken field. Handlers adds Shutdown() method to stop rate limiter.
HTTP Routes: Rate-Limiting Configuration for Auth and Profiles internal/adapters/http/routes/api_routes.go	Wires Sentinel rate-limiting to /api/v1/auth group (IP-keyed), password-reset endpoints (stricter limits), and authenticated /profiles routes (user-keyed via WithRateKey middleware).
HTTP Server and Routes Shutdown Sequence internal/adapters/http/register_routes.go, internal/adapters/http/server.go	RegisterRoutes now returns a shutdown handler that is captured and invoked before provider shutdown, ensuring the email rate-limiter is properly stopped.
Profile Search DTO and Service Implementation Changes internal/domain/dto/user_profile_dto.go, internal/domain/service/services.go, internal/domain/service/profile_service.go, internal/domain/service/profile_service_test.go	Introduces SearchProfileResponse with minimal fields (ID, Name, Avatar); ProfileService.Search interface and implementation updated to return this type, filters out caller's own profile from results. Comprehensive unit tests cover name-based and email-based search modes.
Profile Handler Swagger Annotation Update internal/adapters/http/handler/profile_handler.go	Updates HandleSearch Swagger annotation to document new []dto.SearchProfileResponse return type.
Generated API Documentation and Swagger Specs docs/docs.go, docs/swagger.json, docs/swagger.yaml	Auth endpoints (/auth/login, /auth/refresh, /auth/reset-password, /auth/verify-registration, /auth/{provider}/callback) now return response.JSONResponse-map_string_string instead of typed token responses. /auth/refresh request-body parameter removed. /profiles returns response.JSONResponse-array_dto_SearchProfileResponse. Definitions for RefreshTokenRequest and TokenResponse removed; SearchProfileResponse and map_string_string added.
Mockery Configuration and Generated Mocks .mockery.yaml, internal/mocks/mock_crud.go, internal/mocks/mock_crud_repository.go, internal/mocks/mock_repository.go, internal/mocks/mock_service.go	Updates mockery config to generate mocks for ProfileService, SubscriptionLimitService, ProfileRepository, FriendshipRepository, and Transactor. Generates comprehensive testify-based mock implementations with typed expecter and call-wrapper helpers.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Possibly related PRs

• itsLeonB/cashback#53: Both PRs modify internal/adapters/http/handler/auth_handler.go constructor and wiring; this PR adds CAPTCHA and email rate-limiting while the related PR refactors for cookie/CSRF, so integration coordination needed.
• itsLeonB/cashback#16: Both PRs change the AuthHandler struct and NewAuthHandler constructor signature, requiring careful merge review.
• itsLeonB/cashback#4: The related PR depends on this PR's ProfileService.Search return type change ([]dto.SearchProfileResponse), affecting interface compatibility.

Poem

🐰 A captcha guards the password reset flow,
Rate limiters slow the spam's cruel blow,
Profile searches lean—just name and glow,
APIs documented, tests all in tow,
Clean abstractions in this PR show! 🎉

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 16.13% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat: abuse prevention hardening' directly reflects the main objective of this PR, which implements security hardening across multiple fronts including search result opacity, rate limiting, and CAPTCHA verification.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dev

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

docs/swagger.json (1)

3382-3392: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

The generated Swagger artifacts are both stale for SendPasswordResetRequest.

Both specs still publish a password-reset request body with only email. The shared root cause is that the Swagger artifacts were not regenerated from the updated DTO/annotations after the CAPTCHA token field was introduced, so external clients cannot discover the new request contract.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/swagger.json` around lines 3382 - 3392, The Swagger spec is stale for
dto.SendPasswordResetRequest and still only documents the email field;
regenerate the OpenAPI artifacts from the updated DTO/annotations so the new
CAPTCHA token field is included (and marked required if the DTO/validation
requires it). Re-run the swagger generation/build step that produces
docs/swagger.json (and any other published spec), verify
dto.SendPasswordResetRequest now includes the captcha/token property with
correct type and validation, then commit the regenerated artifacts.

🧹 Nitpick comments (4)

internal/domain/service/captcha_service_test.go (1)

21-32: ⚡ Quick win

Consider adding test for non-200 HTTP status codes.

The current tests cover success, failure (success: false), and network errors, but don't verify behavior when Cloudflare returns a non-200 HTTP status code (e.g., 500, 503). This would help ensure the service handles Cloudflare service degradation gracefully.

🧪 Suggested test case

func TestTurnstileService_Verify_NonOKStatus(t *testing.T) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusInternalServerError)
		w.Write([]byte("Service unavailable"))
	}))
	defer srv.Close()

	svc := service.NewTurnstileServiceWithURL("test-secret", srv.URL)
	err := svc.Verify(context.Background(), "token")
	assert.Error(t, err)
}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/domain/service/captcha_service_test.go` around lines 21 - 32, Add a
test that asserts Verify returns an error when the remote Turnstile endpoint
responds with a non-200 status: create a httptest.NewServer handler that returns
e.g. http.StatusInternalServerError and a body, instantiate the service with
service.NewTurnstileServiceWithURL("test-secret", srv.URL), call
svc.Verify(context.Background(), "token"), and assert an error is returned;
place the test alongside TestTurnstileService_Verify_Success and reuse the same
patterns (httptest server, defer srv.Close) so the Verify method behavior on
non-OK HTTP responses is validated.

internal/adapters/http/middlewares/ratelimit.go (1)

36-46: ⚡ Quick win

Document that Stop() must be called to prevent goroutine leak.

The constructor starts a background cleanup goroutine that runs indefinitely until Stop() is called. If the caller doesn't call Stop() during shutdown, the goroutine will leak.

Consider adding a comment documenting this requirement, or verify that the graceful shutdown sequence always calls Stop().

📝 Suggested documentation

+// NewValueLimiter creates a new per-key rate limiter with the specified limit, burst, and TTL.
+// The limiter starts a background cleanup goroutine that evicts idle entries.
+// Call Stop() during shutdown to terminate the cleanup goroutine and prevent leaks.
 func NewValueLimiter(limit rate.Limit, burst int, ttl time.Duration) *ValueLimiter {

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/adapters/http/middlewares/ratelimit.go` around lines 36 - 46,
NewValueLimiter starts a background goroutine via vl.cleanup() that runs until
ValueLimiter.Stop() is called, which can leak if Stop() isn't invoked; update
the code comments and public docs to state that callers must call
ValueLimiter.Stop() during shutdown (or ensure shutdown paths call Stop()), and
add a short note above NewValueLimiter and the ValueLimiter type mentioning the
background goroutine, the stop channel, and the requirement to call Stop() to
prevent goroutine leaks (referencing NewValueLimiter, ValueLimiter, cleanup(),
stop, and Stop()).

internal/adapters/http/routes/api_routes.go (2)

37-52: 💤 Low value

Layered rate limiting on password-reset endpoints is correct.

Both the group-level limiter (20 req/min) and the per-endpoint limiters (3 req/15min for POST, 5 req/15min for PATCH) apply independently. The stricter per-endpoint limits effectively govern these sensitive operations while allowing normal usage of other auth endpoints within the group quota.

💡 Optional: Add inline comment explaining the layered strategy

 authRoutes.GET("/verify-registration", handlers.Auth.HandleVerifyRegistration())
+// Layered IP-based limiter: 3 req/15min for password-reset (stricter than group limit)
 authRoutes.POST("/password-reset",

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/adapters/http/routes/api_routes.go` around lines 37 - 52, Add an
inline comment above the authRoutes.POST("/password-reset", ...) and
authRoutes.PATCH("/reset-password", ...) blocks explaining the layered
rate-limiting strategy: note that a group-level limiter (20 req/min) applies to
the authRoutes group and these endpoint-level
sentinelGin.RateLimit(httpserver.RateLimitConfig{...}) calls enforce stricter
per-endpoint quotas (3 req/15min for HandleSendPasswordReset and 5 req/15min for
HandleResetPassword), so both limiters apply and the per-endpoint limits will
effectively govern these sensitive operations.

---

25-29: 💤 Low value

Group-level IP rate limiting on auth routes looks correct.

The configuration allows 20 requests per 60 seconds (≈0.33 req/s) with a burst of 5 per IP across all /auth endpoints.

💡 Optional: Add inline comment for maintainability

 authRoutes := v1.Group("/auth")
+// IP-based rate limit: 20 req/min with burst of 5
 authRoutes.Use(sentinelGin.RateLimit(httpserver.RateLimitConfig{

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/adapters/http/routes/api_routes.go` around lines 25 - 29, Add an
inline comment above the authRoutes.Use(...) RateLimitConfig call explaining the
per-IP rate limit calculation and rationale (20 requests per 60 seconds ≈ 0.33
req/s, burst=5) so future maintainers understand the intended throttling;
reference the authRoutes.Use, sentinelGin.RateLimit, httpserver.RateLimitConfig
and httpserver.KeyFuncByIP symbols when adding the comment.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/adapters/http/handler/auth_handler.go`:
- Around line 213-219: The per-email rate limit uses the raw request.Email and
is checked after the CAPTCHA call; normalize the email (trim spaces and
lowercase, e.g., canonicalEmail :=
strings.ToLower(strings.TrimSpace(request.Email))) and use that canonicalEmail
as the key to ah.emailLimiter.Allow to harden against case/spacing variants, and
move the Allow check to run before calling ah.captchaService.Verify so throttled
requests are short-circuited locally; update any variable names (e.g.,
canonicalEmail) and references in auth_handler.go for ah.emailLimiter.Allow and
ah.captchaService.Verify accordingly.

In `@internal/adapters/http/handler/handlers.go`:
- Line 37: The email rate limiter is hardcoded where NewAuthHandler is wired
(middlewares.NewValueLimiter(3.0/3600, 3, time.Hour)); add configurable
rate-limit fields to the core config (e.g., create or extend an AuthConfig in
internal/core/config to include rateLimitRate, rateLimitBurst, rateLimitWindow)
and update the services/handler wiring to read those values instead of literals
and pass them into middlewares.NewValueLimiter; update NewAuthHandler
construction to accept the config-derived limiter parameters and adjust any
tests that construct the limiter directly to use the new config-based values.

In `@internal/domain/service/captcha_service_test.go`:
- Line 1: The test file declares package service_test but must use the same
package as the code under test; change the package line in
captcha_service_test.go from "package service_test" to "package service" and
update any references/imports accordingly (replace any stdlib testing-only
assertions with testify/assert imports and calls) so the tests run in the same
package context as the production code and use testify/assert for assertions.

In `@internal/domain/service/captcha_service.go`:
- Around line 50-61: Before decoding the response from ts.httpClient.Do(req),
check resp.StatusCode (e.g., ensure it's 200); if it's not 200, read a small
snippet of resp.Body (or the full body if small) and return a wrapped error
indicating the unexpected HTTP status and include the body snippet for
diagnostics instead of attempting json.NewDecoder(resp.Body).Decode(&result);
update the error path in the captcha verification flow so that VerifyCaptcha
(the block using resp, ts.httpClient.Do and json.NewDecoder) returns a clear
error when resp.StatusCode != http.StatusOK.

---

Outside diff comments:
In `@docs/swagger.json`:
- Around line 3382-3392: The Swagger spec is stale for
dto.SendPasswordResetRequest and still only documents the email field;
regenerate the OpenAPI artifacts from the updated DTO/annotations so the new
CAPTCHA token field is included (and marked required if the DTO/validation
requires it). Re-run the swagger generation/build step that produces
docs/swagger.json (and any other published spec), verify
dto.SendPasswordResetRequest now includes the captcha/token property with
correct type and validation, then commit the regenerated artifacts.

---

Nitpick comments:
In `@internal/adapters/http/middlewares/ratelimit.go`:
- Around line 36-46: NewValueLimiter starts a background goroutine via
vl.cleanup() that runs until ValueLimiter.Stop() is called, which can leak if
Stop() isn't invoked; update the code comments and public docs to state that
callers must call ValueLimiter.Stop() during shutdown (or ensure shutdown paths
call Stop()), and add a short note above NewValueLimiter and the ValueLimiter
type mentioning the background goroutine, the stop channel, and the requirement
to call Stop() to prevent goroutine leaks (referencing NewValueLimiter,
ValueLimiter, cleanup(), stop, and Stop()).

In `@internal/adapters/http/routes/api_routes.go`:
- Around line 37-52: Add an inline comment above the
authRoutes.POST("/password-reset", ...) and authRoutes.PATCH("/reset-password",
...) blocks explaining the layered rate-limiting strategy: note that a
group-level limiter (20 req/min) applies to the authRoutes group and these
endpoint-level sentinelGin.RateLimit(httpserver.RateLimitConfig{...}) calls
enforce stricter per-endpoint quotas (3 req/15min for HandleSendPasswordReset
and 5 req/15min for HandleResetPassword), so both limiters apply and the
per-endpoint limits will effectively govern these sensitive operations.
- Around line 25-29: Add an inline comment above the authRoutes.Use(...)
RateLimitConfig call explaining the per-IP rate limit calculation and rationale
(20 requests per 60 seconds ≈ 0.33 req/s, burst=5) so future maintainers
understand the intended throttling; reference the authRoutes.Use,
sentinelGin.RateLimit, httpserver.RateLimitConfig and httpserver.KeyFuncByIP
symbols when adding the comment.

In `@internal/domain/service/captcha_service_test.go`:
- Around line 21-32: Add a test that asserts Verify returns an error when the
remote Turnstile endpoint responds with a non-200 status: create a
httptest.NewServer handler that returns e.g. http.StatusInternalServerError and
a body, instantiate the service with
service.NewTurnstileServiceWithURL("test-secret", srv.URL), call
svc.Verify(context.Background(), "token"), and assert an error is returned;
place the test alongside TestTurnstileService_Verify_Success and reuse the same
patterns (httptest server, defer srv.Close) so the Verify method behavior on
non-OK HTTP responses is validated.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b99a5d70-cb6a-446d-a1ae-6659e0ba2ce4

📥 Commits

Reviewing files that changed from the base of the PR and between 06b7d1a and 16d12b1.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (28)

• .env.example
• .mockery.yaml
• docs/docs.go
• docs/swagger.json
• docs/swagger.yaml
• go.mod
• internal/adapters/http/handler/auth_handler.go
• internal/adapters/http/handler/handlers.go
• internal/adapters/http/handler/profile_handler.go
• internal/adapters/http/middlewares/ratelimit.go
• internal/adapters/http/middlewares/ratelimit_integration_test.go
• internal/adapters/http/middlewares/ratelimit_test.go
• internal/adapters/http/register_routes.go
• internal/adapters/http/routes/api_routes.go
• internal/adapters/http/server.go
• internal/core/config/auth_config.go
• internal/domain/dto/auth_dto.go
• internal/domain/dto/user_profile_dto.go
• internal/domain/service/captcha_service.go
• internal/domain/service/captcha_service_test.go
• internal/domain/service/profile_service.go
• internal/domain/service/profile_service_test.go
• internal/domain/service/services.go
• internal/mocks/mock_crud.go
• internal/mocks/mock_crud_repository.go
• internal/mocks/mock_repository.go
• internal/mocks/mock_service.go
• internal/provider/service_provider.go