From 32d8292b17de5fcd2b3c8782b951f0f8d16df982 Mon Sep 17 00:00:00 2001
From: yusing
Date: Wed, 28 May 2025 22:12:41 +0800
Subject: [PATCH] fix(oidc): apply rate limit to fix oocasional oauth state error due to race condition

---
 internal/auth/oidc.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/internal/auth/oidc.go b/internal/auth/oidc.go
index 7f9d4ed..e340781 100644
--- a/internal/auth/oidc.go
+++ b/internal/auth/oidc.go
@@ -18,6 +18,7 @@ import (
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/utils"
 	"golang.org/x/oauth2"
+	"golang.org/x/time/rate"
 )
 
 type (
@@ -162,6 +163,8 @@ func (auth *OIDCProvider) HandleAuth(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
+var rateLimit = rate.NewLimiter(rate.Every(time.Second), 1)
+
 func (auth *OIDCProvider) LoginHandler(w http.ResponseWriter, r *http.Request) {
 	// check for session token
 	sessionToken, err := r.Cookie(CookieOauthSessionToken)
@@ -182,6 +185,11 @@ func (auth *OIDCProvider) LoginHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if !rateLimit.Allow() {
+		http.Error(w, "auth rate limit exceeded", http.StatusTooManyRequests)
+		return
+	}
+
 	state := generateState()
 	SetTokenCookie(w, r, CookieOauthState, state, 300*time.Second)
 	// redirect user to Idp
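Review bot: The limiter declared above LoginHandler is one package-level token bucket (one token per second, burst 1) shared by every client, so the check it backs in the third hunk means a single client calling the login endpoint once a second is enough to answer every other user with 429 — an availability risk on the authentication path that a per-client key (remote address or session) would contain. It also appears to narrow rather than close the window for the state problem the commit title names: two login requests from the same browser that land more than a second apart presumably still each set their own CookieOauthState, with the later one overwriting the earlier, so the first callback would still mismatch. A one-line doc comment on the variable, such as `// rateLimit throttles issuance of new OIDC login states; see LoginHandler.`, would at least record why a limiter sits on this path.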
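Review bot: The 429 written at the new check carries no Retry-After header, so callers get no hint that the window is one second; `w.Header().Set("Retry-After", "1")` before the http.Error call would give them one. A short comment above the check stating that it exists to stop overlapping login requests from overwriting each other's state cookie would help the next reader, since nothing in the code itself connects the limiter to the state race described in the commit title. LoginHandler begins and ends outside this hunk.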