Rate limit login stuff

oauth2server/server/authorize.go

@@ -11,6 +11,7 @@ import (
 )
 
 func (s *Server) authorize(w http.ResponseWriter, r *http.Request) {
+	s.limiter.Wait(r.Context())
 	if r.Method != "POST" {
 		http.NotFound(w, r)
 		return

oauth2server/server/server.go

@@ -4,6 +4,8 @@ import (
 	"local/oauth2/oauth2server/config"
 	"local/router"
 	"local/storage"
+
+	"golang.org/x/time/rate"
 )
 
 var wildcard = router.Wildcard
@@ -17,7 +19,8 @@ const (
 
 type Server struct {
 	*router.Router
-	store storage.DB
+	store   storage.DB
+	limiter *rate.Limiter
 }
 
 func New() *Server {
@@ -27,8 +30,9 @@ func New() *Server {
 	}
 	purgeIssuedCredentials(store)
 	return &Server{
-		Router: router.New(),
+		Router:  router.New(),
-		store:  store,
+		store:   store,
+		limiter: rate.NewLimiter(1, 3),
 	}
 }
 

oauth2server/server/users.go

@@ -13,6 +13,7 @@ import (
 )
 
 func (s *Server) usersLog(w http.ResponseWriter, r *http.Request) {
+	s.limiter.Wait(r.Context())
 	q := r.URL.Query()
 	fmt.Fprintln(w, `
       <html>
@@ -27,6 +28,7 @@ func (s *Server) usersLog(w http.ResponseWriter, r *http.Request) {
 }
 
 func (s *Server) usersRegister(w http.ResponseWriter, r *http.Request) {
+	s.limiter.Wait(r.Context())
 	fmt.Fprintln(w, `
       <html>
          <body>
@@ -40,6 +42,7 @@ func (s *Server) usersRegister(w http.ResponseWriter, r *http.Request) {
 }
 
 func (s *Server) usersSubmit(w http.ResponseWriter, r *http.Request) {
+	s.limiter.Wait(r.Context())
 	if r.Method != "POST" {
 		http.NotFound(w, r)
 		return