tenseleyflow/shithub / fe289bb

+	"context"

+	"time"

+	"github.com/tenseleyFlow/shithub/internal/ratelimit"

+	// Limiter, when non-nil, gates /search per-(viewer or IP). Audit

+	// 2026-05-10 H4: search renders amplify FTS cost 5×–6× per

+	// request, so without a limiter a single client can hammer the

+	// DB. Optional in tests; required in production wiring.

+	Limiter *ratelimit.Limiter

+	d         Deps

+	tabsCache *tabsCache // nil-safe — Mount constructs it

+	return &Handlers{d: d, tabsCache: newTabsCache()}, nil

+// SearchRateLimitPolicy is the per-(viewer or IP) limit applied to

+// /search and /search/quick. 60/min is generous for human use

+// (typical browse rate is well under this) but cheap to defeat any

+// query-rotation attack that bypasses the tab-count cache (audit

+// 2026-05-10 H4+H5). Surfaced as a var so tests can tighten it.

+var SearchRateLimitPolicy = ratelimit.Policy{

+	Scope:  "search",

+	Max:    60,

+	Window: 1 * time.Minute,

+}

+

+// Mount registers /search and /search/quick. When d.Limiter is set,

+// both routes go through the rate-limit middleware before reaching

+// the handlers — protects the FTS path from query-rotation attacks

+// that the tab-counts cache alone can't absorb.

+	if h.d.Limiter != nil {

+		r.Group(func(r chi.Router) {

+			r.Use(h.d.Limiter.Middleware(SearchRateLimitPolicy, searchRateLimitKey))

+			r.Get("/search", h.results)

+			r.Get("/search/quick", h.quick)

+		})

+		return

+	}

+// searchRateLimitKey picks the per-request key. Authed users key

+// on user_id (so an attacker can't bypass by hopping accounts they

+// don't have); anonymous users key on the trusted client IP. We

+// trust X-Forwarded-For only when middleware.RealIP has already

+// vetted it, which it does at the global stack level.

+func searchRateLimitKey(r *http.Request) string {

+	viewer := middleware.CurrentUserFromContext(r.Context())

+	if !viewer.IsAnonymous() {

+		return "u:" + intString(int(viewer.ID))

+	}

+	if ip, ok := ratelimit.ClientIP(r, true); ok {

+		return "ip:" + ip.String()

+	}

+	return ""

+}

+

+	// Counts are cached per-(query, viewer) for tabsCacheTTL. The

+	// active-tab's actual result rows are NOT cached here — only the

+	// 5 count-only badge calls that pre-fix were the dominant cost

+	// (audit 2026-05-10 H5). Single-flighted via lru.Group so a

+	// thundering-herd on the same key doesn't spawn N waves.

+	key := tabsCacheKey{q: canonicalizeQuery(parsed), userID: actorUserID(actor)}

+	cached, err := h.tabsCache.g.Do(r.Context(), key, func(ctx context.Context) ([]searchTab, error) {

+		return h.computeTabCounts(ctx, actor, parsed), nil

+	})

+	if err != nil {

+		// Group.Do never caches errors and our fetch returns nil; this

+		// path is unreachable today but kept for defensiveness.

+		h.d.Logger.ErrorContext(r.Context(), "search tabs cache", "error", err)

+		cached = h.computeTabCounts(r.Context(), actor, parsed)

+	}

+	// Merge cached counts into the freshly-built (Selected/Href-aware)

+	// tabs slice. The cached value carries Counts and the same Key

+	// ordering; everything else is per-request and not cached.

+		for j := range cached {

+			if cached[j].Key == tabs[i].Key {

+				tabs[i].Count = cached[j].Count

+				break

+			}

+		}

+	}

+	return tabs

+}

+

+// computeTabCounts is the cache miss path: 5 FTS count-only queries.

+// Returned slice carries (Key, Count) only — Selected/Href/Label/

+// Icon are per-request and applied by the caller.

+func (h *Handlers) computeTabCounts(ctx context.Context, actor policy.Actor, parsed srch.ParsedQuery) []searchTab {

+	deps := h.deps()

+	out := []searchTab{

+		{Key: "code"},

+		{Key: "repositories"},

+		{Key: "issues"},

+		{Key: "pullrequests"},

+		{Key: "users"},

+	}

+	for i := range out {

+		switch out[i].Key {

+			_, total, err = srch.SearchRepos(ctx, deps, actor, parsed, 0, 0)

+			_, total, err = srch.SearchCode(ctx, deps, actor, parsed, 0, 0)

+			_, total, err = srch.SearchIssues(ctx, deps, actor, parsed, "issue", 0, 0)

+			_, total, err = srch.SearchIssues(ctx, deps, actor, parsed, "pr", 0, 0)

+			_, total, err = srch.SearchUsers(ctx, deps, parsed, 0, 0)

+			h.d.Logger.ErrorContext(ctx, "search tab count", "tab", out[i].Key, "error", err)

+		out[i].Count = total

+	return out

+}

+

+// actorUserID returns 0 for anonymous, the user_id otherwise. Used

+// as the (anon vs each-authed-user) discriminant in the tabs cache

+// key — anonymous viewers all see the same public-only result set

+// so they share a slot; authed viewers see private results based

+// on their collab roles, so each gets their own.

+func actorUserID(a policy.Actor) int64 {

+	if a.IsAnonymous {

+		return 0

+	}

+	return a.UserID

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package search

+

+import (

+	"fmt"

+	"strings"

+	"time"

+

+	"github.com/tenseleyFlow/shithub/internal/cache/lru"

+	srch "github.com/tenseleyFlow/shithub/internal/search"

+)

+

+// tabsCacheKey is the (canonical-query, viewer-id, anon) tuple every

+// distinct count slice maps to. Anonymous viewers share one cache

+// slot per query (their visibility is the same: public-only). Authed

+// viewers each get their own bucket because what they can read

+// differs (private repos they collaborate on, etc.) and the tab

+// counts must reflect that — sharing the slice across viewers would

+// leak the existence of private results.

+//

+// We canonicalize the query with strings.ToLower + collapse-spaces

+// so q="foo" and q="FOO " hit the same slot. Operators (repo:, is:,

+// state:, author:) are folded into the canonical form by

+// canonicalizeQuery's ParsedQuery round-trip — same parsed shape

+// produces the same cache key.

+type tabsCacheKey struct {

+	q      string // canonical query string

+	userID int64  // 0 for anonymous

+}

+

+// tabsCacheTTL is short enough that stale counts can't mislead an

+// operator triaging a recent push, long enough to absorb the

+// dashboard-style "user types in search box, browser auto-fires

+// repeatedly" pattern.

+const (

+	tabsCacheTTL  = 30 * time.Second

+	tabsCacheSize = 1024

+)

+

+// tabsCache wraps a small LRU around the per-(query, viewer) tab-

+// count slice the searchTabs renderer needs. Pre-fix the renderer

+// fired 5 FTS counts on EVERY GET /search render — six queries per

+// page since the active tab also runs its own search. With this

+// cache, the steady-state cost of a hot query is a single lookup

+// (assuming the active tab still runs since its result list is

+// not cached, only the 5 count-only calls are).

+//

+// Single-flighted via lru.Group so a thundering-herd on the same

+// (q, viewer) coalesces into one upstream wave.

+type tabsCache struct {

+	g *lru.Group[tabsCacheKey, []searchTab]

+}

+

+func newTabsCache() *tabsCache {

+	c := lru.NewWithTTL[tabsCacheKey, []searchTab](tabsCacheSize, tabsCacheTTL)

+	g := lru.NewGroup(c, func(k tabsCacheKey) string {

+		return fmt.Sprintf("%d|%s", k.userID, k.q)

+	})

+	return &tabsCache{g: g}

+}

+

+// canonicalizeQuery returns a stable string key for ParsedQuery.

+// Two raw queries that parse identically produce the same key.

+func canonicalizeQuery(p srch.ParsedQuery) string {

+	var b strings.Builder

+	b.WriteString("t=")

+	b.WriteString(strings.ToLower(strings.Join(strings.Fields(p.Text), " ")))

+	if p.Phrase != "" {

+		b.WriteString("|p=")

+		b.WriteString(strings.ToLower(p.Phrase))

+	}

+	if p.RepoFilter != nil {

+		b.WriteString("|r=")

+		b.WriteString(strings.ToLower(p.RepoFilter.Owner))

+		b.WriteString("/")

+		b.WriteString(strings.ToLower(p.RepoFilter.Name))

+	}

+	if p.StateFilter != "" {

+		b.WriteString("|s=")

+		b.WriteString(strings.ToLower(p.StateFilter))

+	}

+	if p.AuthorFilter != "" {

+		b.WriteString("|a=")

+		b.WriteString(strings.ToLower(p.AuthorFilter))

+	}

+	return b.String()

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package search

+

+import (

+	"context"

+	"testing"

+

+	srch "github.com/tenseleyFlow/shithub/internal/search"

+)

+

+// TestCanonicalizeQuery_StableAcrossWhitespaceAndCase pins the cache

+// key contract: equivalent ParsedQuery values produce equal cache

+// keys regardless of original whitespace or letter case. Without

+// this, the cache hit-rate would collapse on common query variants.

+func TestCanonicalizeQuery_StableAcrossWhitespaceAndCase(t *testing.T) {

+	t.Parallel()

+

+	cases := []struct {

+		name string

+		a, b srch.ParsedQuery

+	}{

+		{

+			"casing",

+			srch.ParsedQuery{Text: "FooBar"},

+			srch.ParsedQuery{Text: "foobar"},

+		},

+		{

+			"whitespace",

+			srch.ParsedQuery{Text: "foo  bar"},

+			srch.ParsedQuery{Text: " foo bar "},

+		},

+		{

+			"phrase casing",

+			srch.ParsedQuery{Text: "x", Phrase: "Hello World"},

+			srch.ParsedQuery{Text: "x", Phrase: "hello world"},

+		},

+		{

+			"repo filter casing",

+			srch.ParsedQuery{Text: "x", RepoFilter: &srch.RepoFilter{Owner: "Alice", Name: "Repo"}},

+			srch.ParsedQuery{Text: "x", RepoFilter: &srch.RepoFilter{Owner: "alice", Name: "repo"}},

+		},

+		{

+			"state casing",

+			srch.ParsedQuery{Text: "x", StateFilter: "OPEN"},

+			srch.ParsedQuery{Text: "x", StateFilter: "open"},

+		},

+	}

+	for _, tc := range cases {

+		t.Run(tc.name, func(t *testing.T) {

+			t.Parallel()

+			ka := canonicalizeQuery(tc.a)

+			kb := canonicalizeQuery(tc.b)

+			if ka != kb {

+				t.Fatalf("canonicalizeQuery diverged:\n a=%q\n b=%q", ka, kb)

+			}

+		})

+	}

+}

+

+// TestCanonicalizeQuery_DistinctFiltersDistinct pins that DIFFERENT

+// queries don't collide. Same Text but different filters MUST produce

+// different keys — otherwise a viewer with no access to a private

+// `repo:secret` could see its result count via cache pollution from

+// a separate query.

+func TestCanonicalizeQuery_DistinctFiltersDistinct(t *testing.T) {

+	t.Parallel()

+

+	base := srch.ParsedQuery{Text: "foo"}

+	variants := []srch.ParsedQuery{

+		{Text: "foo", Phrase: "exact"},

+		{Text: "foo", RepoFilter: &srch.RepoFilter{Owner: "a", Name: "b"}},

+		{Text: "foo", StateFilter: "open"},

+		{Text: "foo", AuthorFilter: "alice"},

+	}

+	baseKey := canonicalizeQuery(base)

+	for i, v := range variants {

+		got := canonicalizeQuery(v)

+		if got == baseKey {

+			t.Errorf("variant %d collides with base: %q", i, got)

+		}

+	}

+}

+

+// TestTabsCache_HitOnSameKey pins the cache contract:

+// repeated lookups for the same (query, viewer) within the TTL hit

+// the cache and the fetcher runs at most once.

+func TestTabsCache_HitOnSameKey(t *testing.T) {

+	t.Parallel()

+

+	cache := newTabsCache()

+	key := tabsCacheKey{q: "t=foo", userID: 7}

+

+	calls := 0

+	want := []searchTab{{Key: "code", Count: 42}}

+	for i := 0; i < 5; i++ {

+		got, err := cache.g.Do(context.Background(), key, func(_ context.Context) ([]searchTab, error) {

+			calls++

+			return want, nil

+		})

+		if err != nil {

+			t.Fatalf("Do: %v", err)

+		}

+		if len(got) != 1 || got[0].Count != 42 {

+			t.Fatalf("got = %+v", got)

+		}

+	}

+	if calls != 1 {

+		t.Fatalf("fetcher invoked %d times; want 1", calls)

+	}

+}

+

+// TestTabsCache_DistinctKeysIsolated pins the per-viewer isolation

+// invariant: Alice's count must not leak to Bob's render even when

+// the canonicalized query matches.

+func TestTabsCache_DistinctKeysIsolated(t *testing.T) {

+	t.Parallel()

+

+	cache := newTabsCache()

+	alice := tabsCacheKey{q: "t=foo", userID: 1}

+	bob := tabsCacheKey{q: "t=foo", userID: 2}

+

+	a, _ := cache.g.Do(context.Background(), alice, func(_ context.Context) ([]searchTab, error) {

+		return []searchTab{{Key: "repositories", Count: 10}}, nil

+	})

+	b, _ := cache.g.Do(context.Background(), bob, func(_ context.Context) ([]searchTab, error) {

+		return []searchTab{{Key: "repositories", Count: 99}}, nil

+	})

+	if a[0].Count == b[0].Count {

+		t.Fatalf("alice and bob got the same count — visibility leak")

+	}

+}