Fix concurrency errors, memory leaks, and add rate limiting (#1)

* Fix concurrency errors, memory leaks, and add rate limiting

- Added mutexes (sync.RWMutex/sync.Mutex) to protect global shared state (zone, measures, conditions, themes, current weather client).
- Fixed a memory leak in the rate limiter by adding a background cleanup goroutine for inactive IPs.
- Improved DoS protection by adding a global rate limiter (100 req/s) in addition to the per-IP limiter.
- Fixed an initialization bug in `loadConditions` using `sync.Once` and properly storing the error for subsequent calls.
- Resolved a shadowing bug in `getDataPoints` and corrected its error message.
- Configured SQLite with `MaxOpenConns(1)` to prevent database locking issues.
- Ensured thread-safe access to templates and themes in `getServeMux` using `sync.Once`.

Co-authored-by: birabittoh <26506860+birabittoh@users.noreply.github.com>

* Fix concurrency errors, memory leaks, and add IP-based rate limiting with LRU cache

- Implemented IP-based rate limiting using `github.com/hashicorp/golang-lru/v2` to bound memory usage and prevent leaks.
- Added a global rate limiter for overall server protection.
- Protected global shared state (zone, measures, conditions, themes, templates, current weather client) with mutexes and `sync.Once`.
- Configured SQLite with `MaxOpenConns(1)` to avoid locking issues.
- Fixed logical bugs in `getDataPoints` and `loadConditions`.
- Updated `go.mod` and `go.sum` with the new LRU cache dependency.

Co-authored-by: birabittoh <26506860+birabittoh@users.noreply.github.com>

---------

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: birabittoh <26506860+birabittoh@users.noreply.github.com>

Author: birabittoh

go.mod

@@ -25,6 +25,7 @@ require (
 	github.com/glebarez/go-sqlite v1.22.0 // indirect
 	github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
+	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect

go.sum

@@ -37,6 +37,8 @@ github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e h1:ijClszYn+mADRFY17k
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
+github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=

src/api.go

@@ -9,6 +9,7 @@ import (
 	"net/url"
 	"os"
 	"strconv"
+	"sync"
 	"time"
 
 	bh "github.com/birabittoh/bunnyhue"
@@ -30,6 +31,7 @@ const (
 
 var (
 	tmpl    map[string]*template.Template
+	tmplOnce sync.Once
 	funcMap = template.FuncMap{
 		"capitalize":       capitalize,
 		"getHex":           getHex,
@@ -44,7 +46,8 @@ var (
 		"":      &bh.Dark, // default
 		"light": &bh.Light,
 	}
-	themes []string
+	themes     []string
+	themesOnce sync.Once
 )
 
 type PageData struct {
@@ -108,8 +111,12 @@ func getPageData(q url.Values, p *bh.Palette) (*PageData, error) {
 
 	now := time.Now()
 
+	funcMu.RLock()
+	z := zone
+	funcMu.RUnlock()
+
 	return &PageData{
-		Zone:        zone,
+		Zone:        z,
 		Palette:     p,
 		FontFamily:  fontFamily,
 		OneWeekAgo:  now.Add(-week).Unix(),
@@ -157,9 +164,18 @@ func getAPILatest(w http.ResponseWriter, r *http.Request) {
 }
 
 func getAPIMeta(w http.ResponseWriter, r *http.Request) {
+	funcMu.RLock()
+	z := zone
+	funcMu.RUnlock()
+
+	dbMu.RLock()
+	m := make([]string, len(measures))
+	copy(m, measures)
+	dbMu.RUnlock()
+
 	respond(w, map[string]any{
-		"zone":     zone,
-		"measures": measures,
+		"zone":     z,
+		"measures": m,
 		"themes":   themes,
 	})
 }
@@ -286,7 +302,13 @@ func getPlot(w http.ResponseWriter, r *http.Request) {
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 	}
-	pd.Measures = measures
+
+	dbMu.RLock()
+	m := make([]string, len(measures))
+	copy(m, measures)
+	dbMu.RUnlock()
+
+	pd.Measures = m
 	pd.Measure = r.PathValue("measure")
 
 	executeTemplateSafe(w, plotPath, pd)
@@ -298,15 +320,19 @@ func parseTemplate(path string) *template.Template {
 
 func getServeMux() *http.ServeMux {
 	// init templates
-	tmpl = make(map[string]*template.Template)
+	tmplOnce.Do(func() {
+		tmpl = make(map[string]*template.Template)
 
-	tmpl[indexPath] = parseTemplate(indexPath)
-	tmpl[recordsPath] = parseTemplate(recordsPath)
-	tmpl[plotPath] = parseTemplate(plotPath)
+		tmpl[indexPath] = parseTemplate(indexPath)
+		tmpl[recordsPath] = parseTemplate(recordsPath)
+		tmpl[plotPath] = parseTemplate(plotPath)
+	})
 
-	for k := range palettes {
-		themes = append(themes, k)
-	}
+	themesOnce.Do(func() {
+		for k := range palettes {
+			themes = append(themes, k)
+		}
+	})
 
 	// init conditions
 	var err error

src/conditions.go

@@ -5,10 +5,16 @@ import (
 	"log"
 	"os"
 	"strings"
+	"sync"
 	"time"
 )
 
-var conditions map[string]Condition
+var (
+	conditions map[string]Condition
+	condOnce   sync.Once
+	condMu     sync.RWMutex
+	condErr    error
+)
 
 type Condition struct {
 	Name        string `json:"name"`
@@ -17,18 +23,22 @@ type Condition struct {
 }
 
 func loadConditions() (map[string]Condition, error) {
-	file, err := os.Open("conditions.json")
-	if err != nil {
-		return nil, err
-	}
-	defer file.Close()
+	condOnce.Do(func() {
+		file, err := os.Open("conditions.json")
+		if err != nil {
+			condErr = err
+			return
+		}
+		defer file.Close()
 
-	err = json.NewDecoder(file).Decode(&conditions)
-	if err != nil {
-		return nil, err
-	}
+		condMu.Lock()
+		condErr = json.NewDecoder(file).Decode(&conditions)
+		condMu.Unlock()
+	})
 
-	return conditions, nil
+	condMu.RLock()
+	defer condMu.RUnlock()
+	return conditions, condErr
 }
 
 func (record *Record) parseConditions() {
@@ -38,6 +48,8 @@ func (record *Record) parseConditions() {
 
 	weatherIDs := strings.Split(record.Weather, ",")
 
+	condMu.RLock()
+	defer condMu.RUnlock()
 	for _, w := range weatherIDs {
 		c, ok := conditions[w]
 		if !ok {

src/db.go

@@ -24,6 +24,7 @@ const (
 var (
 	db       *gorm.DB
 	measures []string
+	dbMu     sync.RWMutex
 
 	recordsCache = myks.New[[]Record](30 * time.Minute)
 	dpCache      = myks.New[[]DataPoint](31 * time.Minute)
@@ -129,20 +130,23 @@ func getLatestRecord() (record Record, err error) {
 	return
 }
 
-func getDataPoints(measures []string, f, t *int64) (dp []DataPoint, err error) {
-	for _, measure := range measures {
+func getDataPoints(requestedMeasures []string, f, t *int64) (dp []DataPoint, err error) {
+	dbMu.RLock()
+	for _, measure := range requestedMeasures {
 		if !slices.Contains(measures, measure) {
-			err = errors.New("la misura richiesta non esiste")
+			dbMu.RUnlock()
+			err = errors.New("la misura richiesta non esiste: " + measure)
 			return
 		}
 	}
+	dbMu.RUnlock()
 
-	if len(measures) > 5 {
-		err = errors.New("sono supportate al massimo 3 misure")
+	if len(requestedMeasures) > 5 {
+		err = errors.New("sono supportate al massimo 5 misure")
 		return
 	}
 
-	key := getKey(measures, f, t)
+	key := getKey(requestedMeasures, f, t)
 
 	value, err := dpCache.Get(key)
 	if err == nil {
@@ -151,7 +155,7 @@ func getDataPoints(measures []string, f, t *int64) (dp []DataPoint, err error) {
 	}
 
 	selectText := "dt"
-	for i, measure := range measures {
+	for i, measure := range requestedMeasures {
 		selectText += ", " + measure + " as value" + strconv.Itoa(i)
 	}
 
@@ -185,22 +189,33 @@ func initDB() (err error) {
 		return errors.New("Errore nella migrazione del database: " + err.Error())
 	}
 
+	// Limitazione delle connessioni per SQLite
+	sqlDB, err := db.DB()
+	if err == nil {
+		sqlDB.SetMaxOpenConns(1)
+	}
+
 	// Inizializzazione delle colonne
 	s, err := schema.Parse(&Record{}, &sync.Map{}, schema.NamingStrategy{})
 	if err != nil {
 		return errors.New("Errore nel parsing dello schema: " + err.Error())
 	}
+	dbMu.Lock()
+	measures = nil // Reset in case initDB is called multiple times
 	for _, field := range s.Fields {
 		if field.DBName == "" || field.DBName == "weather" || field.DBName == "dt" {
 			continue
 		}
 		measures = append(measures, field.DBName)
 	}
+	dbMu.Unlock()
 
 	// Inizializzazione della zona
 	zoneBytes, zErr := os.ReadFile(zonePath)
 	if zErr == nil {
+		funcMu.Lock()
 		zone = string(zoneBytes)
+		funcMu.Unlock()
 	}
 
 	return

src/func.go

@@ -7,6 +7,7 @@ import (
 	"os"
 	"strconv"
 	"strings"
+	"sync"
 	"time"
 
 	"github.com/briandowns/openweathermap"
@@ -18,6 +19,7 @@ var (
 	directions  = []string{"↑", "↗", "→", "↘", "↓", "↙", "←", "↖"}
 	percentages = []string{"○", "◔", "◑", "◕", "●"}
 	current     *openweathermap.CurrentWeatherData
+	funcMu      sync.RWMutex
 )
 
 // ------------------------
@@ -61,6 +63,9 @@ func getKey(m []string, from, to *int64) string {
 
 // fetchAndSaveWeather effettua la chiamata all'API, mappa i dati nei modelli e li salva nel database.
 func fetchAndSaveWeather(db *gorm.DB, coords *openweathermap.Coordinates) {
+	funcMu.Lock()
+	defer funcMu.Unlock()
+
 	// Chiamata all'API usando le coordinate specificate
 	err := current.CurrentByCoordinates(coords)
 	if err != nil {
@@ -105,6 +110,10 @@ func fetchAndSaveWeather(db *gorm.DB, coords *openweathermap.Coordinates) {
 	}
 
 	zone = current.Name
+	dbMu.Lock()
+	recordsCache.Delete("latest")
+	dbMu.Unlock()
+
 	if _, err := os.Stat(zonePath); os.IsNotExist(err) {
 		err = os.WriteFile(zonePath, []byte(zone), 0644)
 		if err != nil {
@@ -114,7 +123,6 @@ func fetchAndSaveWeather(db *gorm.DB, coords *openweathermap.Coordinates) {
 		log.Println("File " + zonePath + " creato con successo")
 	}
 
-	recordsCache.Delete("latest")
 	log.Println("Record salvato")
 }
 

src/limiter.go

@@ -1,32 +1,49 @@
 package src
 
 import (
+	"log"
 	"net"
 	"net/http"
 	"sync"
 
+	lru "github.com/hashicorp/golang-lru/v2"
 	"golang.org/x/time/rate"
 )
 
+var (
+	limiterCache *lru.Cache[string, *rate.Limiter]
+	limiterOnce  sync.Once
+	// globalLimiter protects the server from overall high load.
+	globalLimiter = rate.NewLimiter(rate.Limit(100), 200)
+)
+
 func rateLimiterMiddleware(next http.Handler) http.Handler {
-	// Mappa degli IP con il rispettivo rate limiter
-	limiters := make(map[string]*rate.Limiter)
-	var limiterMutex = &sync.Mutex{}
+	limiterOnce.Do(func() {
+		var err error
+		limiterCache, err = lru.New[string, *rate.Limiter](1000)
+		if err != nil {
+			log.Fatalf("Errore nella creazione dell'LRU cache: %v", err)
+		}
+	})
 
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Global rate limit
+		if !globalLimiter.Allow() {
+			http.Error(w, "Server busy", http.StatusServiceUnavailable)
+			return
+		}
+
 		ip, _, err := net.SplitHostPort(r.RemoteAddr)
 		if err != nil {
 			http.Error(w, "Can't find IP address", http.StatusInternalServerError)
 			return
 		}
 
-		limiterMutex.Lock()
-		limiter, exists := limiters[ip]
-		if !exists {
+		limiter, ok := limiterCache.Get(ip)
+		if !ok {
 			limiter = rate.NewLimiter(3, 30) // 3 richieste al secondo, burst massimo di 30
-			limiters[ip] = limiter
+			limiterCache.Add(ip, limiter)
 		}
-		limiterMutex.Unlock()
 
 		if !limiter.Allow() {
 			http.Error(w, "Too many requests", http.StatusTooManyRequests)