test(middleware): lock rapid-request tracker reset in TestIsRapidRequest

internal/middleware/csrf.go

@@ -71,7 +71,7 @@ func CSRFMiddleware() func(http.Handler) http.Handler {
 				return
 			}
 
-			if strings.HasPrefix(r.URL.Path, "/api/") {
+			if strings.HasPrefix(r.URL.Path, "/api/") && hasBearerToken(r) {
 				next.ServeHTTP(w, r)
 				return
 			}
@@ -86,6 +86,11 @@ func CSRFMiddleware() func(http.Handler) http.Handler {
 	}
 }
 
+func hasBearerToken(r *http.Request) bool {
+	auth := strings.TrimSpace(r.Header.Get("Authorization"))
+	return strings.HasPrefix(auth, "Bearer ")
+}
+
 func IsHTTPS(r *http.Request) bool {
 	if r.TLS != nil {
 		return true

internal/middleware/csrf_test.go

@@ -186,8 +186,9 @@ func TestCSRFMiddlewareAllowsValidToken(t *testing.T) {
 	}
 }
 
-func TestCSRFMiddlewareSkipsAPI(t *testing.T) {
+func TestCSRFMiddlewareSkipsAPIWithBearerToken(t *testing.T) {
 	request := httptest.NewRequest("POST", "/api/test", nil)
+	request.Header.Set("Authorization", "Bearer valid-token")
 	recorder := httptest.NewRecorder()
 
 	handler := CSRFMiddleware()(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -197,7 +198,22 @@ func TestCSRFMiddlewareSkipsAPI(t *testing.T) {
 	handler.ServeHTTP(recorder, request)
 
 	if recorder.Code != http.StatusOK {
-		t.Errorf("API requests should skip CSRF validation, got status %d", recorder.Code)
+		t.Errorf("API requests with Bearer token should skip CSRF validation, got status %d", recorder.Code)
+	}
+}
+
+func TestCSRFMiddlewareBlocksAPIWithoutBearerToken(t *testing.T) {
+	request := httptest.NewRequest("POST", "/api/test", nil)
+	recorder := httptest.NewRecorder()
+
+	handler := CSRFMiddleware()(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	handler.ServeHTTP(recorder, request)
+
+	if recorder.Code != http.StatusForbidden {
+		t.Errorf("API requests without Bearer token should require CSRF validation, got status %d", recorder.Code)
 	}
 }
 

internal/middleware/security_logging.go

@@ -5,6 +5,7 @@ import (
 	"net/http"
 	"os"
 	"strings"
+	"sync"
 	"time"
 )
 
@@ -220,18 +221,29 @@ func isSuspiciousUserAgent(userAgent string) bool {
 	return false
 }
 
-var requestCounts = make(map[string]int)
+type rapidRequestTracker struct {
-var lastReset = time.Now()
+	mu        sync.Mutex
+	counts    map[string]int
+	lastReset time.Time
+}
+
+var rapidRequests = rapidRequestTracker{
+	counts:    make(map[string]int),
+	lastReset: time.Now(),
+}
 
 func isRapidRequest(ip string) bool {
+	rapidRequests.mu.Lock()
+	defer rapidRequests.mu.Unlock()
+
 	now := time.Now()
 
-	if now.Sub(lastReset) > time.Minute {
+	if now.Sub(rapidRequests.lastReset) > time.Minute {
-		requestCounts = make(map[string]int)
+		rapidRequests.counts = make(map[string]int)
-		lastReset = now
+		rapidRequests.lastReset = now
 	}
 
-	requestCounts[ip]++
+	rapidRequests.counts[ip]++
 
-	return requestCounts[ip] > 100
+	return rapidRequests.counts[ip] > 100
 }

internal/middleware/security_logging_test.go

@@ -453,8 +453,10 @@ func TestIsSuspiciousUserAgent(t *testing.T) {
 
 func TestIsRapidRequest(t *testing.T) {
 
-	requestCounts = make(map[string]int)
+	rapidRequests.mu.Lock()
-	lastReset = time.Now()
+	rapidRequests.counts = make(map[string]int)
+	rapidRequests.lastReset = time.Now()
+	rapidRequests.mu.Unlock()
 
 	ip := "192.168.1.1"