feat: Add rate-limits to the API (#848)

Closes #285.

coderd/httpmw/ratelimit.go

@@ -0,0 +1,35 @@
+package httpmw
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/go-chi/httprate"
+	"github.com/go-chi/render"
+
+	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/coderd/httpapi"
+)
+
+// RateLimitPerMinute returns a handler that limits requests per-minute based
+// on IP, endpoint, and user ID (if available).
+func RateLimitPerMinute(count int) func(http.Handler) http.Handler {
+	return httprate.Limit(
+		count,
+		1*time.Minute,
+		httprate.WithKeyFuncs(func(r *http.Request) (string, error) {
+			// Prioritize by user, but fallback to IP.
+			apiKey, ok := r.Context().Value(apiKeyContextKey{}).(database.APIKey)
+			if ok {
+				return apiKey.UserID.String(), nil
+			}
+			return httprate.KeyByIP(r)
+		}, httprate.KeyByEndpoint),
+		httprate.WithLimitHandler(func(w http.ResponseWriter, r *http.Request) {
+			render.Status(r, http.StatusTooManyRequests)
+			render.JSON(w, r, httpapi.Response{
+				Message: "You've been rate limited for sending too many requests!",
+			})
+		}),
+	)
+}

coderd/httpmw/ratelimit_test.go

@@ -0,0 +1,32 @@
+package httpmw_test
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/go-chi/chi/v5"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/coderd/httpmw"
+)
+
+func TestRateLimit(t *testing.T) {
+	t.Parallel()
+	t.Run("NoUser", func(t *testing.T) {
+		t.Parallel()
+		rtr := chi.NewRouter()
+		rtr.Use(httpmw.RateLimitPerMinute(5))
+		rtr.Get("/", func(rw http.ResponseWriter, r *http.Request) {
+			rw.WriteHeader(http.StatusOK)
+		})
+
+		require.Eventually(t, func() bool {
+			req := httptest.NewRequest("GET", "/", nil)
+			rec := httptest.NewRecorder()
+			rtr.ServeHTTP(rec, req)
+			return rec.Result().StatusCode == http.StatusTooManyRequests
+		}, 5*time.Second, time.Millisecond)
+	})
+}