From 5d145613d22ba3112a3d90411dcf90726f0a5351 Mon Sep 17 00:00:00 2001
From: Kharec
Date: Wed, 6 May 2026 16:47:35 +0200
Subject: [PATCH] fix(middleware): add mutex for rapid-request counter
---
 internal/middleware/security_logging.go | 26 ++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)
diff --git a/internal/middleware/security_logging.go b/internal/middleware/security_logging.go
index 29bdaf4..55c6766 100644
--- a/internal/middleware/security_logging.go
+++ b/internal/middleware/security_logging.go
@@ -5,6 +5,7 @@ import (
 "net/http"
 "os"
 "strings"
+ "sync"
 "time"
 )
@@ -220,18 +221,29 @@ func isSuspiciousUserAgent(userAgent string) bool {
 return false
 }
-var requestCounts = make(map[string]int)
-var lastReset = time.Now()
+type rapidRequestTracker struct {
+ mu sync.Mutex
+ counts map[string]int
+ lastReset time.Time
+}
+
+var rapidRequests = rapidRequestTracker{
+ counts: make(map[string]int),
+ lastReset: time.Now(),
+}
 func isRapidRequest(ip string) bool {
+ rapidRequests.mu.Lock()
+ defer rapidRequests.mu.Unlock()
+
 now := time.Now()
- if now.Sub(lastReset) > time.Minute {
- requestCounts = make(map[string]int)
- lastReset = now
+ if now.Sub(rapidRequests.lastReset) > time.Minute {
+ rapidRequests.counts = make(map[string]int)
+ rapidRequests.lastReset = now
 }
- requestCounts[ip]++
+ rapidRequests.counts[ip]++
- return requestCounts[ip] > 100
+ return rapidRequests.counts[ip] > 100
 }
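Review bot: The lock removes the data race, but `rapidRequests.counts` in `isRapidRequest` still gains one entry for every distinct `ip` value until the one-minute reset, with no upper bound on its size. The code that derives `ip` is outside this hunk; if that value can come from a client-supplied header rather than the connection's peer address, a client that varies it would grow the map and never reach the 100-request threshold, so the detection would stay silent. I would bound the table with a new named constant, for example `if _, ok := rapidRequests.counts[ip]; !ok && len(rapidRequests.counts) >= maxTrackedIPs { return true }` (or skip counting instead, depending on how the caller uses the result), and add a doc comment stating that `ip` must be the peer address or come from a trusted proxy. Since every request now serializes on this one mutex, a test that calls `isRapidRequest` from several goroutines under `-race` would also be worth adding, and `100` and `time.Minute` would read better as named constants.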