implement backend limits on project creation

Author: aecsocket

.cargo/config.toml

@@ -1,10 +1,3 @@
-# Enable Cranelift for debug builds, improving iterative compile times
-[unstable]
-codegen-backend = true
-
-[profile.dev]
-codegen-backend = "cranelift"
-
 [build]
 rustflags = ["--cfg", "tokio_unstable"]
 

CLAUDE.md

@@ -0,0 +1,21 @@
+# Architecture
+
+## Labrinth
+
+Labrinth is the backend API service for Modrinth.
+
+### Testing
+
+Before a pull request can be opened, run `cargo clippy -p labrinth --all-targets` and make sure there are ZERO warnings, otherwise CI will fail.
+
+Use `cargo test -p labrinth --all-targets` to test your changes. All tests must pass, otherwise CI will fail.
+
+Read the root `docker-compose.yml` to see what running services are available while developing. Use `docker exec` to access these services.
+
+### Clickhouse
+
+Use `docker exec labrinth-clickhouse clickhouse-client` to access the Clickhouse instance. We use the `staging_ariadne` database to store data in testing.
+
+### Postgres
+
+Use `docker exec labrinth-postgres psql -U postgres` to access the PostgreSQL instance.

apps/labrinth/migrations/20250927120742_user_limits.sql

@@ -0,0 +1,4 @@
+ALTER TABLE users
+ADD COLUMN max_projects BIGINT,
+ADD COLUMN max_organizations BIGINT,
+ADD COLUMN max_collections BIGINT;

apps/labrinth/src/database/models/mod.rs

@@ -30,6 +30,7 @@ pub mod shared_instance_item;
 pub mod team_item;
 pub mod thread_item;
 pub mod user_item;
+pub mod user_limits;
 pub mod user_subscription_item;
 pub mod users_compliance;
 pub mod users_notifications_preferences_item;

apps/labrinth/src/database/models/user_item.rs

@@ -51,6 +51,10 @@ pub struct DBUser {
     pub allow_friend_requests: bool,
 
     pub is_subscribed_to_newsletter: bool,
+
+    pub max_projects: Option<u64>,
+    pub max_organizations: Option<u64>,
+    pub max_collections: Option<u64>,
 }
 
 impl DBUser {
@@ -65,13 +69,15 @@ impl DBUser {
                 avatar_url, raw_avatar_url, bio, created,
                 github_id, discord_id, gitlab_id, google_id, steam_id, microsoft_id,
                 email_verified, password, paypal_id, paypal_country, paypal_email,
-                venmo_handle, stripe_customer_id, allow_friend_requests, is_subscribed_to_newsletter
+                venmo_handle, stripe_customer_id, allow_friend_requests, is_subscribed_to_newsletter,
+                max_projects, max_organizations, max_collections
             )
             VALUES (
                 $1, $2, $3, $4, $5,
                 $6, $7,
                 $8, $9, $10, $11, $12, $13,
-                $14, $15, $16, $17, $18, $19, $20, $21, $22
+                $14, $15, $16, $17, $18, $19, $20, $21, $22,
+                $23, $24, $25
             )
             ",
             self.id as DBUserId,
@@ -96,6 +102,9 @@ impl DBUser {
             self.stripe_customer_id,
             self.allow_friend_requests,
             self.is_subscribed_to_newsletter,
+            self.max_projects.map(|x| x as i64),
+            self.max_organizations.map(|x| x as i64),
+            self.max_collections.map(|x| x as i64),
         )
         .execute(&mut **transaction)
         .await?;
@@ -181,7 +190,8 @@ impl DBUser {
                         created, role, badges,
                         github_id, discord_id, gitlab_id, google_id, steam_id, microsoft_id,
                         email_verified, password, totp_secret, paypal_id, paypal_country, paypal_email,
-                        venmo_handle, stripe_customer_id, allow_friend_requests, is_subscribed_to_newsletter
+                        venmo_handle, stripe_customer_id, allow_friend_requests, is_subscribed_to_newsletter,
+                        max_projects, max_organizations, max_collections
                     FROM users
                     WHERE id = ANY($1) OR LOWER(username) = ANY($2)
                     ",
@@ -216,6 +226,9 @@ impl DBUser {
                             totp_secret: u.totp_secret,
                             allow_friend_requests: u.allow_friend_requests,
                             is_subscribed_to_newsletter: u.is_subscribed_to_newsletter,
+                            max_projects: u.max_projects.map(|x| x as u64),
+                            max_organizations: u.max_organizations.map(|x| x as u64),
+                            max_collections: u.max_collections.map(|x| x as u64),
                         };
 
                         acc.insert(u.id, (Some(u.username), user));

apps/labrinth/src/database/models/user_limits.rs

@@ -0,0 +1,67 @@
+use serde::{Deserialize, Serialize};
+use sqlx::PgPool;
+
+use crate::{database::models::DBUserId, models::users::User};
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct UserLimits {
+    pub current: UserLimitCount,
+    pub max: UserLimitCount,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct UserLimitCount {
+    pub projects: u64,
+    pub organizations: u64,
+    pub collections: u64,
+}
+
+impl UserLimits {
+    pub async fn get(user: &User, pool: &PgPool) -> Result<Self, sqlx::Error> {
+        let current = sqlx::query!(
+            "SELECT
+                (SELECT COUNT(*) FROM mods m
+                 JOIN teams t ON m.team_id = t.id
+                 JOIN team_members tm ON t.id = tm.team_id
+                 WHERE tm.user_id = $1) as projects,
+
+                (SELECT COUNT(*) FROM organizations o
+                 JOIN teams t ON o.team_id = t.id
+                 JOIN team_members tm ON t.id = tm.team_id
+                 WHERE tm.user_id = $1) as organizations,
+
+                (SELECT COUNT(*) FROM collections
+                 WHERE user_id = $1) as collections",
+            DBUserId::from(user.id) as DBUserId,
+        )
+        .fetch_one(&*pool)
+        .await?;
+
+        let current = UserLimitCount {
+            projects: current.projects.map(|x| x as u64).unwrap_or(0),
+            organizations: current.organizations.map(|x| x as u64).unwrap_or(0),
+            collections: current.collections.map(|x| x as u64).unwrap_or(0),
+        };
+
+        if user.role.is_admin() {
+            Ok(Self {
+                current,
+                max: UserLimitCount {
+                    projects: u64::MAX,
+                    organizations: u64::MAX,
+                    collections: u64::MAX,
+                },
+            })
+        } else {
+            // TODO: global config for max
+            Ok(Self {
+                current,
+                max: UserLimitCount {
+                    projects: user.max_projects.unwrap_or(256),
+                    organizations: user.max_organizations.unwrap_or(16),
+                    collections: user.max_collections.unwrap_or(64),
+                },
+            })
+        }
+    }
+}

apps/labrinth/src/models/v3/users.rs

@@ -50,6 +50,10 @@ pub struct User {
 
     // DEPRECATED. Always returns None
     pub github_id: Option<u64>,
+
+    pub max_projects: Option<u64>,
+    pub max_organizations: Option<u64>,
+    pub max_collections: Option<u64>,
 }
 
 #[derive(Serialize, Deserialize, Clone, Debug)]
@@ -81,6 +85,9 @@ impl From<DBUser> for User {
             github_id: None,
             stripe_customer_id: None,
             allow_friend_requests: None,
+            max_projects: data.max_projects,
+            max_organizations: data.max_organizations,
+            max_collections: data.max_collections,
         }
     }
 }
@@ -133,6 +140,9 @@ impl User {
             }),
             stripe_customer_id: db_user.stripe_customer_id,
             allow_friend_requests: Some(db_user.allow_friend_requests),
+            max_projects: db_user.max_projects,
+            max_organizations: db_user.max_organizations,
+            max_collections: db_user.max_collections,
         }
     }
 }

apps/labrinth/src/routes/internal/flows.rs

@@ -237,6 +237,9 @@ impl TempUser {
                 badges: Badges::default(),
                 allow_friend_requests: true,
                 is_subscribed_to_newsletter: false,
+                max_projects: None,
+                max_organizations: None,
+                max_collections: None,
             }
             .insert(transaction)
             .await?;
@@ -1425,6 +1428,9 @@ pub async fn create_account_with_password(
         is_subscribed_to_newsletter: new_account
             .sign_up_newsletter
             .unwrap_or(false),
+        max_projects: None,
+        max_organizations: None,
+        max_collections: None,
     }
     .insert(&mut transaction)
     .await?;

apps/labrinth/src/routes/v3/limits.rs

@@ -0,0 +1,34 @@
+use crate::{
+    auth::get_user_from_headers,
+    database::models::{User, user_limits::UserLimits},
+    models::pats::Scopes,
+    routes::ApiError,
+};
+use actix_web::{HttpRequest, HttpResponse, web};
+use futures::TryStreamExt;
+use serde::{Deserialize, Serialize};
+use sqlx::PgPool;
+
+pub fn config(cfg: &mut web::ServiceConfig) {
+    cfg.service(get_limits);
+}
+
+#[get("limits")]
+async fn get_limits(
+    req: HttpRequest,
+    pool: web::Data<PgPool>,
+    redis: web::Data<RedisPool>,
+    session_queue: web::Data<AuthQueue>,
+) -> Result<web::Json<UserLimits>, ApiError> {
+    let (_, user) = get_user_from_headers(
+        &req,
+        &**pool,
+        &redis,
+        &session_queue,
+        Scopes::empty(),
+    )
+    .await?;
+
+    let limits = UserLimits::get(&user, &pool).await?;
+    Ok(web::Json(limits))
+}

apps/labrinth/src/routes/v3/project_creation.rs

@@ -4,6 +4,7 @@ use crate::database::models::loader_fields::{
     Loader, LoaderField, LoaderFieldEnumValue,
 };
 use crate::database::models::thread_item::ThreadBuilder;
+use crate::database::models::user_limits::UserLimits;
 use crate::database::models::{self, DBUser, image_item};
 use crate::database::redis::RedisPool;
 use crate::file_hosting::{FileHost, FileHostPublicity, FileHostingError};
@@ -86,6 +87,8 @@ pub enum CreateError {
     CustomAuthenticationError(String),
     #[error("Image Parsing Error: {0}")]
     ImageError(#[from] ImageError),
+    #[error("Project limit reached")]
+    LimitReached,
 }
 
 impl actix_web::ResponseError for CreateError {
@@ -117,6 +120,7 @@ impl actix_web::ResponseError for CreateError {
             CreateError::ValidationError(..) => StatusCode::BAD_REQUEST,
             CreateError::FileValidationError(..) => StatusCode::BAD_REQUEST,
             CreateError::ImageError(..) => StatusCode::BAD_REQUEST,
+            CreateError::LimitReached => StatusCode::BAD_REQUEST,
         }
     }
 
@@ -143,6 +147,7 @@ impl actix_web::ResponseError for CreateError {
                 CreateError::ValidationError(..) => "invalid_input",
                 CreateError::FileValidationError(..) => "invalid_input",
                 CreateError::ImageError(..) => "invalid_image",
+                CreateError::LimitReached => "limit_reached",
             },
             description: self.to_string(),
         })
@@ -294,9 +299,11 @@ pub async fn project_create(
 /*
 
 Project Creation Steps:
-Get logged in user
+- Get logged in user
     Must match the author in the version creation
 
+- Check they have not exceeded their project limit
+
 1. Data
     - Gets "data" field from multipart form; must be first
     - Verification: string lengths
@@ -336,15 +343,19 @@ async fn project_create_inner(
     let cdn_url = dotenvy::var("CDN_URL")?;
 
     // The currently logged in user
-    let current_user = get_user_from_headers(
+    let (_, current_user) = get_user_from_headers(
         &req,
         pool,
         redis,
         session_queue,
         Scopes::PROJECT_CREATE,
     )
-    .await?
-    .1;
+    .await?;
+
+    let limits = UserLimits::get(&current_user, &pool).await?;
+    if limits.current.projects + 1 >= limits.max.projects {
+        return Err(CreateError::LimitReached);
+    }
 
     let project_id: ProjectId =
         models::generate_project_id(transaction).await?.into();