
[feature] Rate limiting of API requests

Open tsmethurst opened this issue 3 years ago • 1 comment

There's no rate-limiting for inbound requests currently, and this should be implemented to avoid the server being spammed/scraped by bad eggs.

There are a couple of middlewares available for Gin to do rate limiting:

  • https://github.com/axiaoxin-com/ratelimiter
  • https://github.com/yangxikun/gin-limit-by-key/blob/master/limit.go
  • Probably some more that I didn't see yet.

These should be evaluated to see if they fit the needs of GoToSocial.

Ideally, whatever rate limiting implementation is used should have the following characteristics:

  1. Use the same rate-limit response headers as Mastodon for compatibility with Mastodon applications.
  2. Use the client IP as a rate-limiting key.
  3. In-memory implementation (good-enough for now).
  4. Sliding window limits (might be a bit complicated though -- fixed limits per minute would already be a fine start).

The rate limit implementation should be added to the security package here: https://github.com/superseriousbusiness/gotosocial/tree/main/internal/api/security

tsmethurst, May 15 '21 10:05
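As an added illustration of the four characteristics listed above (not code from GoToSocial or from either of the libraries linked): a small in-memory, per-IP sliding-window limiter written as a plain net/http middleware that emits the X-RateLimit-Limit, X-RateLimit-Remaining and X-RateLimit-Reset headers Mastodon documents. The Gin wrapper is omitted, and the limit and window values a caller passes are placeholders, not GoToSocial's actual limits.

```go
package main
import (
	"net"
	"net/http"
	"strconv"
	"sync"
	"time"
)
// Limiter is an in-memory sliding-window limiter: per key it keeps the timestamps
// of recent hits and admits a request only if fewer than limit fell in the last window.
type Limiter struct {
	mu     sync.Mutex
	limit  int // must be >= 1
	window time.Duration
	hits   map[string][]time.Time // per key, oldest first
}
func NewLimiter(limit int, window time.Duration) *Limiter {
	return &Limiter{limit: limit, window: window, hits: map[string][]time.Time{}}
}
// Allow records a hit for key at now and reports whether it was admitted,
// how many hits remain in the window and when the oldest counted hit expires.
func (l *Limiter) Allow(key string, now time.Time) (bool, int, time.Time) {
	l.mu.Lock()
	defer l.mu.Unlock()
	h, cutoff := l.hits[key], now.Add(-l.window)
	for len(h) > 0 && !h[0].After(cutoff) { // drop hits that have left the window
		h = h[1:]
	}
	ok := len(h) < l.limit
	if ok {
		h = append(h, now)
	}
	l.hits[key] = h // never empty here because limit >= 1
	return ok, l.limit - len(h), h[0].Add(l.window)
}
// Middleware keys on the client IP and sets the X-RateLimit-* headers Mastodon
// clients read, answering 429 once the limit for that IP is spent.
func (l *Limiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ip, _, _ := net.SplitHostPort(r.RemoteAddr) // net/http fills in "IP:port"
		ok, remaining, reset := l.Allow(ip, time.Now())
		w.Header().Set("X-RateLimit-Limit", strconv.Itoa(l.limit))
		w.Header().Set("X-RateLimit-Remaining", strconv.Itoa(remaining))
		w.Header().Set("X-RateLimit-Reset", reset.UTC().Format(time.RFC3339))
		if !ok {
			http.Error(w, "Throttled", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Idle keys are never evicted from the map, so a real deployment needs a periodic sweep, and behind a reverse proxy the key must come from the trusted forwarded-client header rather than RemoteAddr, or every client ends up sharing the proxy's address.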

I think this is the most popular library:

It meets all your requirements. I could implement it, though I don't know which limits are appropriate. I found these for Mastodon's API: https://docs.joinmastodon.org/api/rate-limits/. Though I would only go with two different rates, one for GET requests and one for POST requests.

u0nel, Feb 20 '22 12:02