0.0.4 rate limiting, captcha, more better auth, bug fixes

3 years ago · a3e56fa753
parent fdbf7217e9
commit a3e56fa753
19 changed files with 363 additions and 95 deletions
--- a/accounts.go
+++ b/accounts.go
@ -6,6 +6,8 @@ import (
 	"fmt"
 	"log"
 	"net/http"
+	"net/url"
+	"os"
 	"regexp"
 	"strings"
 	"time"
@ -13,11 +15,15 @@ import (
 	"github.com/google/uuid"
 	"go.mongodb.org/mongo-driver/bson"
 	"go.mongodb.org/mongo-driver/bson/primitive"
+	"go.mongodb.org/mongo-driver/mongo"
 	"go.mongodb.org/mongo-driver/mongo/options"
 	"go.mongodb.org/mongo-driver/mongo/readpref"
 	"golang.org/x/crypto/bcrypt"
 )

+// Note: I would love to embed a lot of these structs to avoid
+//		duplicate fields, but it breaks json.(Un)marshal and I dont want to deal with that
+
 type Credentials struct {
 	Username string `json:"username" bson:"username"`
 	Password string `json:"password" bson:"password"`
@ -29,6 +35,13 @@ type Login struct {
 	RememberMe bool   `json:"remember"`
 }

+type CreateAccount struct {
+	Username   string `json:"username" bson:"username"`
+	Password   string `json:"password" bson:"password"`
+	RememberMe bool   `json:"remember"`
+	Token      string `json:"token"`
+}
+
 type Session struct {
 	Session string `json:"session" bson:"session"`
 }
@ -61,13 +74,55 @@ func createAccount(w http.ResponseWriter, r *http.Request) {
 	if err != nil {
 		DB = openDB()
 	}
-	userCollection := DB.Database("Users").Collection("Users")
+	var userCollection *mongo.Collection
+	if os.Getenv("ENVIRONMENT") == "production" {
+		userCollection = DB.Database("Users").Collection("Users")
+	} else {
+		userCollection = DB.Database("Development").Collection("Users")
+	}

 	// var v contains POST credentials
-	var v Login
+	var v CreateAccount
 	err = json.NewDecoder(r.Body).Decode(&v)
+	if err != nil {
+		w.WriteHeader(http.StatusBadRequest)
+		log.Println("* Create Account Refused: Bad form data")
+		return
+	}
+
+	var verify struct {
+		Secret   string
+		Response string
+	}
+	verify.Secret = os.Getenv("CAPTCHA_SECRET")
+	verify.Response = v.Token
+
+	//url := "https://www.google.com/recaptcha/api/siteverify?secret=" + url.QueryEscape(verify.Secret) + "?response=" + url.QueryEscape(verify.Response)
+	u := "https://www.google.com/recaptcha/api/siteverify"
+	d := url.Values{"secret": []string{verify.Secret}, "response": []string{verify.Response}}

-	if err != nil || len(v.Password) < 8 || len(v.Password) > 255 || !UsernameRegex.MatchString(v.Username) {
+	resp, err := http.PostForm(u, d)
+
+	var captchaResponse struct {
+		Success  bool                `json:"success"`
+		Time     primitive.Timestamp `json:"challenge_ts"`
+		Hostname string              `json:"hostname"`
+		Errors   []string            `json:"error-codes"`
+	}
+
+	json.NewDecoder(resp.Body).Decode(&captchaResponse)
+
+	if !captchaResponse.Success {
+		w.WriteHeader(http.StatusBadRequest)
+		log.Print("* Create Account Refused: Unsuccessful reCaptcha challenge\nErrors: ")
+		for _, e := range captchaResponse.Errors {
+			fmt.Print(e + " ")
+		}
+		fmt.Print("\n")
+		return
+	}
+
+	if len(v.Password) < 8 || len(v.Password) > 255 || !UsernameRegex.MatchString(v.Username) {
 		w.WriteHeader(http.StatusBadRequest)
 		fmt.Fprint(w, "{\"error\":\"there was a problem with your request. Please try again with different values\"}")
 		return
@ -148,7 +203,12 @@ func login(w http.ResponseWriter, r *http.Request) {
 		DB = openDB()
 	}
 	w.Header().Set("Content-Type", "application/json")
-	userCollection := DB.Database("Users").Collection("Users")
+	var userCollection *mongo.Collection
+	if os.Getenv("ENVIRONMENT") == "production" {
+		userCollection = DB.Database("Users").Collection("Users")
+	} else {
+		userCollection = DB.Database("Development").Collection("Users")
+	}

 	// decode POST into v struct
 	var v Login
@ -234,7 +294,12 @@ func loginBySession(w http.ResponseWriter, r *http.Request) {
 	if err != nil {
 		DB = openDB()
 	}
-	userCollection := DB.Database("Users").Collection("Users")
+	var userCollection *mongo.Collection
+	if os.Getenv("ENVIRONMENT") == "production" {
+		userCollection = DB.Database("Users").Collection("Users")
+	} else {
+		userCollection = DB.Database("Development").Collection("Users")
+	}

 	var id Session
 	var account ReturnedAccount
@ -263,7 +328,12 @@ func logout(w http.ResponseWriter, r *http.Request) {
 	if err != nil {
 		DB = openDB()
 	}
-	userCollection := DB.Database("Users").Collection("Users")
+	var userCollection *mongo.Collection
+	if os.Getenv("ENVIRONMENT") == "production" {
+		userCollection = DB.Database("Users").Collection("Users")
+	} else {
+		userCollection = DB.Database("Development").Collection("Users")
+	}

 	var v Credentials

--- a/chat.go
+++ b/chat.go
@ -4,10 +4,12 @@ import (
 	"context"
 	"encoding/json"
 	"net/http"
+	"os"
 	"strings"

 	"go.mongodb.org/mongo-driver/bson"
 	"go.mongodb.org/mongo-driver/bson/primitive"
+	"go.mongodb.org/mongo-driver/mongo"
 	"go.mongodb.org/mongo-driver/mongo/options"
 	"go.mongodb.org/mongo-driver/mongo/readpref"
 )
@ -23,7 +25,12 @@ func chatColor(w http.ResponseWriter, r *http.Request) {
 	if err != nil {
 		DB = openDB()
 	}
-	userCollection := DB.Database("Users").Collection("Users")
+	var userCollection *mongo.Collection
+	if os.Getenv("ENVIRONMENT") == "production" {
+		userCollection = DB.Database("Users").Collection("Users")
+	} else {
+		userCollection = DB.Database("Development").Collection("Users")
+	}

 	// decode PUT into v struct
 	var v ColorRequest
--- a/client.go
+++ b/client.go
@ -47,6 +47,14 @@ type Client struct {
 	send chan []byte

 	username string
+
+	auth bool
+}
+
+type Auth struct {
+	Type     string `json:"type"`
+	Username string `json:"username"`
+	Key      string `json:"key"`
 }

 // readPump pumps messages from the websocket connection to the hub.
@ -70,18 +78,28 @@ func (c *Client) readPump() {
 			}
 			break
 		}
-		var v WsBetMessage
+		var v Auth
 		err = json.Unmarshal(message, &v)
 		if err == nil {
-			if v.Type == "bind" {
+			// check for authorization messages
+			if v.Type == "auth" {
+				// bind the WS client to the username (useful)
 				c.username = strings.ToLower(v.Username)
+				// if auth key matches session, they are authorized to bet/chat etc
+				if DBGetUserByUsername(c.username).Session == v.Key {
+					c.auth = true
+				}
+				// if the user has bet (and then reloaded the page) send them their state
 				if c.hub.allUsers[c.username] != "" {
-					c.send <- []byte("{\"type\":\"hasbet\",\"value\":true,\"bet\":\"" + c.hub.allUsers[c.username] + "\"}")
+					c.send <- []byte("{\"type\":\"state\",\"value\":true,\"bet\":\"" + c.hub.allUsers[c.username] + "\"}")
 				}
 				continue
 			}
 		}
-		c.hub.broadcast <- message
+		// only authorized clients are allowed to push to the Hub
+		if c.auth {
+			c.hub.broadcast <- message
+		}
 	}
 }

--- a/clock.go
+++ b/clock.go
@ -24,8 +24,7 @@ func (h *Hub) runGameClock() {
 			msg = "{\"type\":\"flip\",\"value\":\"tails\"}"
 		}
 		h.broadcast <- []byte(msg)
-		time.Sleep(4 * time.Second)
+		time.Sleep(5 * time.Second)
 		h.broadcastPoolUpdate()
-		time.Sleep(1 * time.Second)
 	}
 }
--- a/db.go
+++ b/db.go
@ -7,7 +7,6 @@ import (
 	"os"
 	"time"

-	"github.com/joho/godotenv"
 	"go.mongodb.org/mongo-driver/bson"
 	"go.mongodb.org/mongo-driver/bson/primitive"
 	"go.mongodb.org/mongo-driver/mongo"
@ -15,26 +14,21 @@ import (
 	"go.mongodb.org/mongo-driver/mongo/readpref"
 )

-var DB = openDB()
+var DB *mongo.Client

 func openDB() *mongo.Client {
-	err := godotenv.Load()
-	if err != nil {
-		log.Fatal("Unable to load database. Shutting down...")
-	}
 	dbUsername := os.Getenv("DB_USERNAME")
 	dbPassword := os.Getenv("DB_PASSWORD")

 	serverAPIOptions := options.ServerAPI(options.ServerAPIVersion1)
 	clientOptions := options.Client().
-		ApplyURI("mongodb+srv://" + dbUsername + ":" + dbPassword + "@cluster0.tqrat.mongodb.net/myFirstDatabase?retryWrites=true&w=majority").
+		ApplyURI("mongodb+srv://" + dbUsername + ":" + dbPassword + "@cluster0.tqrat.mongodb.net/?retryWrites=true&w=majority").
 		SetServerAPIOptions(serverAPIOptions)
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()
 	client, err := mongo.Connect(ctx, clientOptions)
-	err = client.Ping(ctx, readpref.Primary())
 	if err != nil {
-		log.Fatal("DB Error: " + err.Error())
+		log.Fatal(err)
 	}
 	return client
 }
@ -44,7 +38,13 @@ func DBSubtractPoints(user string, p int) error {
 	if err != nil {
 		DB = openDB()
 	}
-	userCollection := DB.Database("Users").Collection("Users")
+	var userCollection *mongo.Collection
+	if os.Getenv("ENVIRONMENT") == "production" {
+		userCollection = DB.Database("Users").Collection("Users")
+	} else {
+		userCollection = DB.Database("Development").Collection("Users")
+	}
+
 	var v ExistingAccount
 	err = userCollection.FindOne(context.Background(), bson.D{primitive.E{Key: "username", Value: user}}).Decode(&v)

@ -67,7 +67,12 @@ func DBAddPoints(user string, p int) error {
 	if err != nil {
 		DB = openDB()
 	}
-	userCollection := DB.Database("Users").Collection("Users")
+	var userCollection *mongo.Collection
+	if os.Getenv("ENVIRONMENT") == "production" {
+		userCollection = DB.Database("Users").Collection("Users")
+	} else {
+		userCollection = DB.Database("Development").Collection("Users")
+	}
 	var v ExistingAccount
 	err = userCollection.FindOne(context.Background(), bson.D{primitive.E{Key: "username", Value: user}}).Decode(&v)

@ -92,7 +97,12 @@ func DBGetUserByUsername(user string) ExistingAccount {
 	if err != nil {
 		DB = openDB()
 	}
-	userCollection := DB.Database("Users").Collection("Users")
+	var userCollection *mongo.Collection
+	if os.Getenv("ENVIRONMENT") == "production" {
+		userCollection = DB.Database("Users").Collection("Users")
+	} else {
+		userCollection = DB.Database("Development").Collection("Users")
+	}
 	var v ExistingAccount
 	err = userCollection.FindOne(context.Background(), bson.D{primitive.E{Key: "username", Value: user}}).Decode(&v)

--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
@ -1,18 +1,19 @@
 {
  "name": "massflip",
-  "version": "0.0.3",
+  "version": "0.0.4",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "name": "massflip",
-      "version": "0.0.3",
+      "version": "0.0.4",
      "dependencies": {
        "core-js": "^3.8.3",
        "dotenv": "^16.0.1",
        "pinia": "^2.0.0-rc.10",
        "vue": "^3.2.13",
-        "vue-gtag": "^2.0.1"
+        "vue-gtag": "^2.0.1",
+        "vue-recaptcha-v3": "^2.0.1"
      },
      "devDependencies": {
        "@babel/core": "^7.12.16",
@ -9264,6 +9265,11 @@
        "node": ">=8.10.0"
      }
    },
+    "node_modules/recaptcha-v3": {
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/recaptcha-v3/-/recaptcha-v3-1.10.0.tgz",
+      "integrity": "sha512-aGTxYSk3FFNKnXeKDbLpgRDRyIHRZNBF5HyaXXAN1Aj4TSyyZvmoAn9CylvpqLV3pYpIQavwc+2rzhNFn5SsLQ=="
+    },
    "node_modules/regenerate": {
      "version": "1.4.2",
      "resolved": "https://registry.npmjs.org/regenerate/-/regenerate-1.4.2.tgz",
@ -10788,6 +10794,17 @@
        "node": ">=8"
      }
    },
+    "node_modules/vue-recaptcha-v3": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/vue-recaptcha-v3/-/vue-recaptcha-v3-2.0.1.tgz",
+      "integrity": "sha512-isEDtOfHU4wWRrZZuxciAELtQmPOeEEdicPNa0f1AOyLPy3sCcBEcpFt+FOcO3RQv5unJ3Yn5NlsWtXv9rXqjg==",
+      "dependencies": {
+        "recaptcha-v3": "^1.8.0"
+      },
+      "peerDependencies": {
+        "vue": "^3.0.11"
+      }
+    },
    "node_modules/vue-style-loader": {
      "version": "4.1.3",
      "resolved": "https://registry.npmjs.org/vue-style-loader/-/vue-style-loader-4.1.3.tgz",
@ -18387,6 +18404,11 @@
        "picomatch": "^2.2.1"
      }
    },
+    "recaptcha-v3": {
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/recaptcha-v3/-/recaptcha-v3-1.10.0.tgz",
+      "integrity": "sha512-aGTxYSk3FFNKnXeKDbLpgRDRyIHRZNBF5HyaXXAN1Aj4TSyyZvmoAn9CylvpqLV3pYpIQavwc+2rzhNFn5SsLQ=="
+    },
    "regenerate": {
      "version": "1.4.2",
      "resolved": "https://registry.npmjs.org/regenerate/-/regenerate-1.4.2.tgz",
@ -19558,6 +19580,14 @@
        }
      }
    },
+    "vue-recaptcha-v3": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/vue-recaptcha-v3/-/vue-recaptcha-v3-2.0.1.tgz",
+      "integrity": "sha512-isEDtOfHU4wWRrZZuxciAELtQmPOeEEdicPNa0f1AOyLPy3sCcBEcpFt+FOcO3RQv5unJ3Yn5NlsWtXv9rXqjg==",
+      "requires": {
+        "recaptcha-v3": "^1.8.0"
+      }
+    },
    "vue-style-loader": {
      "version": "4.1.3",
      "resolved": "https://registry.npmjs.org/vue-style-loader/-/vue-style-loader-4.1.3.tgz",
--- a/frontend/package.json
+++ b/frontend/package.json
@ -1,6 +1,6 @@
 {
  "name": "massflip",
-  "version": "0.0.2",
+  "version": "0.0.4",
  "private": true,
  "scripts": {
    "serve": "vue-cli-service serve",
@ -12,7 +12,8 @@
    "dotenv": "^16.0.1",
    "pinia": "^2.0.0-rc.10",
    "vue": "^3.2.13",
-    "vue-gtag": "^2.0.1"
+    "vue-gtag": "^2.0.1",
+    "vue-recaptcha-v3": "^2.0.1"
  },
  "devDependencies": {
    "@babel/core": "^7.12.16",
--- a/frontend/src/App.vue
+++ b/frontend/src/App.vue
@ -28,7 +28,7 @@ onMounted(() => {
    let id = jar["session"]
    // handle logged in user
    let req = new XMLHttpRequest
-    req.open("POST", "/api/login/bysession")
+    req.open('POST', '/api/login/bysession')
    req.send(JSON.stringify({
      session: id
    }))
@ -36,14 +36,16 @@ onMounted(() => {
        if (req.readyState == XMLHttpRequest.DONE) {
            let usr = JSON.parse(req.responseText)
            if ("error" in usr) {
-              document.cookie = "session=; Max-Age=-99999999"
-              console.log(usr["error"])
+              document.cookie = 'session=; Max-Age=-99999999'
+              console.log(usr['error'])
              return
            }
            userStore().updateUser(usr)
+            let jar = cookiesToObj(cookieStr)
            let msg = JSON.stringify({
-              type: "bind",
-              username: usr.username
+              type: "auth",
+              username: usr.username,
+              key: jar['session']
            })
            WSSend(msg)
        }
--- a/frontend/src/components/BetBox.vue
+++ b/frontend/src/components/BetBox.vue
@ -69,6 +69,7 @@ onMounted(() => {
        if (isNaN(hP)) {
            headsPercent.value = 0
            headsStyle['--p'] = 50
+            
        } else {
            headsPercent.value = hP
            headsStyle['--p'] = headsPercent.value
@ -83,26 +84,30 @@ onMounted(() => {
        tailsPool.value = wsMsg.tailspool
    }
    WS.addEventListener("message",  function (evt) {
-        let wsMsg = JSON.parse(evt.data)
-        if (wsMsg.type == "pool") {
-            updatePool(wsMsg)
-        } else if (wsMsg.type == "win") {
-            userStore().addPoints(wsMsg.value)
-        } else if (wsMsg.type == "tick") {
-            let time = wsMsg.clock
-            let timeString = (Math.floor(time/60)).toString() + ":" + ((time%60)>9?"":"0") + (time%60).toString() + "s"
-            clock.value = timeString
-            until.value = 'until next flip'
-            updatePool(wsMsg)
-        } else if (wsMsg.type == "flip") {
-            clock.value = wsMsg.value
-            until.value = ''
-            userStore().setBet("")
-        } else if (wsMsg.type == "hasbet") {
-            if (wsMsg.value == true) {
-                userStore().bet = wsMsg.bet
+        let MSGs = evt.data.split('\n')
+            MSGs.forEach((i) => {
+                let wsMsg = JSON.parse(i)
+            if (wsMsg.type == "pool") {
+                updatePool(wsMsg)
+            } else if (wsMsg.type == "win") {
+                userStore().addPoints(wsMsg.value)
+            } else if (wsMsg.type == "tick") {
+                let time = wsMsg.clock
+                let timeString = (Math.floor(time/60)).toString() + ":" + ((time%60)>9?"":"0") + (time%60).toString() + "s"
+                clock.value = timeString
+                until.value = 'until next flip'
+                updatePool(wsMsg)
+            } else if (wsMsg.type == "flip") {
+                clock.value = wsMsg.value
+                until.value = ''
+                userStore().setBet("")
+            } else if (wsMsg.type == "state") {
+                if (wsMsg.value == true) {
+                    userStore().bet = wsMsg.bet
+                }
            }
-        }
+        })
+        
    })
 })

@ -192,6 +197,9 @@ onMounted(() => {
  background:var(--c);
  transform:rotate(calc(var(--p)*3.6deg - 90deg)) translate(calc(var(--w)/2 - 50%));
 }
+@-moz-keyframes p{
+  from{--p:0}
+}
@keyframes p{
  from{--p:0}
 }
--- a/frontend/src/components/BetInput.vue
+++ b/frontend/src/components/BetInput.vue
@ -22,10 +22,14 @@ function submitBet(HorT){
    if (userStore().bet != '') {
        return
    }
-    if (bet.value <= 0) {
+    if (bet.value <= 0 || isNaN(bet.value)) {
        hasError.value = true
        error.value = "Error: bet must be greater than 0"
        return
+    } else if (bet.value % 1 != 0) {
+        hasError.value = true
+        error.value = "Error: bet must be a whole number"
+        return
    }
    if (userStore().points - bet.value < 0) {
        hasError.value = true
--- a/frontend/src/components/ChatBox.vue
+++ b/frontend/src/components/ChatBox.vue
@ -31,10 +31,11 @@ const ChatColors = {
    green: "limegreen",
    yellow: "gold",
    cyan: "cyan",
-    red: "firebrick",
+    red: "crimson",
    pink: "fuchsia",
    violet: "violet",
    orange: "orange",
+    blue: "cornflowerblue"
 }

 const _CHAT_MAX_HISTORY = 75;
@ -49,28 +50,31 @@ onMounted(() => {
        }
    }
    WS.addEventListener("message",  function (evt) {
-        let wsMsg = JSON.parse(evt.data)
-        if (wsMsg.type == "chat") {
-            chatQueue.enqueue(wsMsg)
-            if (chatQueue.length  >= _CHAT_MAX_HISTORY) {
-                chatQueue.dequeue()
+        let MSGs = evt.data.split('\n')
+            MSGs.forEach((i) => {
+                let wsMsg = JSON.parse(i)
+            if (wsMsg.type == "chat") {
+                chatQueue.enqueue(wsMsg)
+                if (chatQueue.length  >= _CHAT_MAX_HISTORY) {
+                    chatQueue.dequeue()
+                }
+                log.innerHTML = ""
+                for (let message of Object.values(chatQueue.elements)) {
+                    var item = document.createElement("div")
+                    let fromUser = document.createElement("span")
+                    fromUser.style = `color: ${message.color};`
+                    fromUser.innerText = message.username
+                    item.appendChild(fromUser)
+                    let chatScore = document.createElement("span")
+                    chatScore.innerText = `(${message.points})`
+                    chatScore.style = `color: ${message.color};font-family: 'Helvetica';font-size: 12px;`
+                    item.appendChild(chatScore)
+                    let chatMsg = document.createTextNode(`: ${message.message}`)
+                    item.appendChild(chatMsg)
+                    appendLog(item)
+                }
            }
-            log.innerHTML = ""
-            for (let message of Object.values(chatQueue.elements)) {
-                var item = document.createElement("div")
-                let fromUser = document.createElement("span")
-                fromUser.style = `color: ${message.color};`
-                fromUser.innerText = message.username
-                item.appendChild(fromUser)
-                let chatScore = document.createElement("span")
-                chatScore.innerText = `(${message.points})`
-                chatScore.style = `color: ${message.color};font-family: 'Helvetica';font-size: 12px;`
-                item.appendChild(chatScore)
-                let chatMsg = document.createTextNode(`: ${message.message}`)
-                item.appendChild(chatMsg)
-                appendLog(item)
-            }
-        }
+        })
    })
 })

--- a/frontend/src/components/LoginForm.vue
+++ b/frontend/src/components/LoginForm.vue
@ -16,8 +16,9 @@
                </div>
                <div id="noAcc" @click="toggleCreate">Don't have an account?</div>
            </div>
-            <button class="submit" v-show="!tCreate" @click="login">Login</button>
-            <button class="submit" v-show="tCreate" @click="createAccount">Create</button>
+            <button class="submit" v-if="!tCreate" @click="login">Login</button>
+
+            <button class="submit" v-if="tCreate" @click="createAccount">Create</button>
        </form>
        <p id="serverResponse"> {{ serverResponse }}</p>
    </div>
@ -26,6 +27,8 @@

 <script setup>
 import { defineEmits, ref, reactive } from 'vue'
+import { useReCaptcha } from 'vue-recaptcha-v3'
+const { executeRecaptcha, recaptchaLoaded } = useReCaptcha()
 defineEmits(['display'])
 const form = reactive({
    username: '',
@ -39,6 +42,11 @@ const pHasError = ref(false)
 const serverResponse = ref('')
 function toggleCreate() {
    tCreate.value = !tCreate.value
+    if (tCreate.value) {
+        document.getElementById("noAcc").innerText = "Already have an account?"
+    } else {
+        document.getElementById("noAcc").innerText = "Don't have an account?"
+    }
 }
 function loginFieldsReady() {
    let ret = true
@ -73,13 +81,17 @@ async function createAccount(e) {
        serverResponse.value = "passwords do not match"
        return
    }
+    serverResponse.value = ""
+    await recaptchaLoaded()
+    const token = await executeRecaptcha('login')
    let req = new XMLHttpRequest()
    req.open("POST", "/api/createaccount")
    req.withCredentials = true
    req.send(JSON.stringify({
        username: form.username,
        password: form.password,
-        remember: form.remember
+        remember: form.remember,
+        token: token
    }))
    req.onreadystatechange = () => {
        if (req.readyState == XMLHttpRequest.DONE) {
@ -104,7 +116,7 @@ function login(e) {
    req.send(JSON.stringify({
        username: form.username,
        password: form.password,
-        remember: form.remember
+        remember: form.remember,
    }))
    req.onreadystatechange = () => {
        if (req.readyState == XMLHttpRequest.DONE) {
--- a/frontend/src/components/PageFooter.vue
+++ b/frontend/src/components/PageFooter.vue
@ -1,5 +1,5 @@
 <template>
-    <p>Massflip v0.0.3 - Copyright 2022 MNRVA</p>
+    <p>Massflip v0.0.4 - Copyright 2022 MNRVA</p>
 </template>

 <script setup>
--- a/frontend/src/main.js
+++ b/frontend/src/main.js
@ -2,10 +2,11 @@ import { createApp } from 'vue'
 import { createPinia } from 'pinia'
 import App from './App.vue'
 import VueGtag from "vue-gtag";
+import { VueReCaptcha } from 'vue-recaptcha-v3';

 // switch these in production
 export const WS = new WebSocket("wss://" + "massflip.mnrva.dev" + "/ws")
-//export const WS = new WebSocket("ws://" + "127.0.0.1:8000" + "/ws")
+//export const WS = new WebSocket("ws://" + "localhost:8000" + "/ws")

 WS.onclose = function() {
  alert("WebSocket connection closed.")
@ -65,5 +66,8 @@ const pinia = createPinia()
 var app = createApp(App)
 app.use(pinia)
 app.use(VueGtag, {config: { id: "G-C3WQH98SZB" }})
+app.use(VueReCaptcha, { siteKey: '6LeDtKUgAAAAAH0OVNYPyxE8-k9EtjeSDW5jamle' }) // prod
+//app.use(VueReCaptcha, { siteKey: '6LfD6qUgAAAAAHCKSiEW1fuyuCJiZrAPya26Ro8Z' }) // dev
+
 app.mount('#app')

--- a/frontend/vue.config.js
+++ b/frontend/vue.config.js
@ -6,11 +6,11 @@ module.exports = defineConfig({
 module.exports = {
  devServer: {
    host: "localhost",
+    port: 8000,
    proxy: {
      "/": {
        target: "http://localhost:8000",
-        secure: false,
-        ws: true
+        secure: false
      }
    }
  }
--- a/go.mod
+++ b/go.mod
@ -6,20 +6,24 @@ require github.com/go-chi/chi/v5 v5.0.7 // direct

 require github.com/gorilla/websocket v1.5.0 // direct

+require (
+	github.com/google/uuid v1.3.0
+	github.com/joho/godotenv v1.4.0
+	go.mongodb.org/mongo-driver v1.8.4
+	golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f
+	golang.org/x/time v0.0.0-20220609170525-579cf78fd858
+)
+
 require (
 	github.com/go-chi/cors v1.2.0 // indirect
 	github.com/go-stack/stack v1.8.0 // indirect
 	github.com/golang/snappy v0.0.1 // indirect
-	github.com/google/uuid v1.3.0 // indirect
-	github.com/joho/godotenv v1.4.0 // indirect
 	github.com/klauspost/compress v1.13.6 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
 	github.com/xdg-go/scram v1.0.2 // indirect
 	github.com/xdg-go/stringprep v1.0.2 // indirect
 	github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d // indirect
-	go.mongodb.org/mongo-driver v1.8.4 // indirect
-	golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f // indirect
 	golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e // indirect
 	golang.org/x/text v0.3.5 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -51,6 +51,8 @@ golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXR
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.5 h1:i6eZZ+zk0SOf0xgBpEpPD18qWcJda6q1sxt3S0kzyUQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/time v0.0.0-20220609170525-579cf78fd858 h1:Dpdu/EMxGMFgq0CeYMh4fazTD2vtlZRYE7wyynxJb9U=
+golang.org/x/time v0.0.0-20220609170525-579cf78fd858/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190531172133-b3315ee88b7d/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
--- a/limits.go
+++ b/limits.go
@ -0,0 +1,80 @@
+package main
+
+import (
+	"net"
+	"net/http"
+	"sync"
+
+	"golang.org/x/time/rate"
+)
+
+// IP limiter code taken from
+// https://medium.com/@pliutau/rate-limiting-http-requests-in-go-based-on-ip-address-4e66d1bea4cf
+
+var limiter = NewIPRateLimiter(1, 10)
+
+// IPRateLimiter
+type IPRateLimiter struct {
+	ips map[string]*rate.Limiter
+	mu  *sync.RWMutex
+	r   rate.Limit
+	b   int
+}
+
+// NewIPRateLimiter
+func NewIPRateLimiter(r rate.Limit, b int) *IPRateLimiter {
+	i := &IPRateLimiter{
+		ips: make(map[string]*rate.Limiter),
+		mu:  &sync.RWMutex{},
+		r:   r,
+		b:   b,
+	}
+
+	return i
+}
+
+// AddIP creates a new rate limiter and adds it to the ips map,
+// using the IP address as the key
+func (i *IPRateLimiter) AddIP(ip string) *rate.Limiter {
+	i.mu.Lock()
+	defer i.mu.Unlock()
+
+	limiter := rate.NewLimiter(i.r, i.b)
+
+	i.ips[ip] = limiter
+
+	return limiter
+}
+
+// GetLimiter returns the rate limiter for the provided IP address if it exists.
+// Otherwise calls AddIP to add IP address to the map
+func (i *IPRateLimiter) GetLimiter(ip string) *rate.Limiter {
+	i.mu.Lock()
+	limiter, exists := i.ips[ip]
+
+	if !exists {
+		i.mu.Unlock()
+		return i.AddIP(ip)
+	}
+
+	i.mu.Unlock()
+
+	return limiter
+}
+
+func limitMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ip, _, err := net.SplitHostPort(r.RemoteAddr)
+		if err != nil {
+			w.WriteHeader(http.StatusBadRequest)
+			return
+		}
+		limiter := limiter.GetLimiter(ip)
+		if !limiter.Allow() {
+			http.Error(w, http.StatusText(http.StatusTooManyRequests), http.StatusTooManyRequests)
+			return
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}
--- a/main.go
+++ b/main.go
@ -7,16 +7,27 @@ import (
 	"net/http"

 	"github.com/go-chi/chi/v5"
+	"github.com/joho/godotenv"
 )

 /*
-*	TODO:
-	  Later:
-		- user pages
-		- figure out an actual goal for the game
-*
+	0.0.4
+		- added rate limiting
+		- added captcha for account creation
+		- added WebSocket authentication
+		- fixed BetInput bugs (NaN, decimals)
+		- seperated development and production environment
+		- frontend bug fixes
 */

+func init() {
+	err := godotenv.Load()
+	if err != nil {
+		fmt.Println("* No .env file found")
+	}
+	DB = openDB()
+}
+
 func main() {

 	// prepare router
@ -30,6 +41,8 @@ func main() {
 	// disconnect to DB on application exit
 	defer DB.Disconnect(context.Background())

+	// rate limiting middleware
+	r.Use(limitMiddleware)
 	// handlers
 	r.Handle("/*", http.FileServer(http.Dir("./frontend/dist")))
 	r.Get("/ws", func(w http.ResponseWriter, r *http.Request) {
@ -42,6 +55,6 @@ func main() {
 	r.Put("/api/chatcolor", chatColor)

 	// run server
-	fmt.Println("* Listening on localhost:8000")
+	log.Println("* Listening on localhost:8000")
 	log.Fatal(http.ListenAndServe(":8000", r))
 }