Backport: Ratelimit APIs that publish to the nuts network (#3542)

* Ratelimit APIs that publish to the nuts network

* release notes v6.0.1

Author: gerardsn

docs/pages/release_notes.rst

@@ -2,9 +2,20 @@
 Release notes
 #############
 
-*******************
+***************
+Peanut (v6.0.1)
+***************
+
+Release date: 2024-11-06
+
+- disable rate limiting on APIs when supported DID methods does not include 'nuts'
+- add rate limiting to VDR v2 APIs
+
+**Full Changelog**: https://github.com/nuts-foundation/nuts-node/compare/v6.0.0...v6.0.1
+
+***************
 Peanut (v6.0.0)
-*******************
+***************
 
 Release date: 2024-10-25
 
@@ -103,19 +114,19 @@ The following features have been deprecated:
 - Network v1 API, to be removed
 - VDR v1 API, replaced by VDR v2
 
-************************
+*************************
 Hazelnut update (v5.4.11)
-************************
+*************************
 
 Release date: 2024-09-24
 
 - Fixed an issue where the deactivated status of a DID document could be resolved incorrectly
 
 **Full Changelog**: https://github.com/nuts-foundation/nuts-node/compare/v5.4.10...v5.4.11
 
-************************
+*************************
 Hazelnut update (v5.4.10)
-************************
+*************************
 
 Release date: 2024-09-13
 

http/engine.go

@@ -22,19 +22,21 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"github.com/nuts-foundation/nuts-node/http/client"
 	"net"
 	"net/http"
 	"os"
+	"slices"
 	"strings"
 	"time"
 
 	"github.com/labstack/echo/v4"
 	"github.com/labstack/echo/v4/middleware"
 	"github.com/nuts-foundation/nuts-node/core"
 	cryptoEngine "github.com/nuts-foundation/nuts-node/crypto"
+	"github.com/nuts-foundation/nuts-node/http/client"
 	"github.com/nuts-foundation/nuts-node/http/log"
 	"github.com/nuts-foundation/nuts-node/http/tokenV2"
+	"github.com/nuts-foundation/nuts-node/vdr/didnuts"
 )
 
 const moduleName = "HTTP"
@@ -180,15 +182,19 @@ func matchesPath(requestURI string, path string) bool {
 }
 
 func (h Engine) applyRateLimiterMiddleware(echoServer core.EchoRouter, serverConfig core.ServerConfig) {
-	// Always enabled in strict mode
-	if serverConfig.Strictmode || serverConfig.InternalRateLimiter {
+	// Always enabled in strict mode, but only if did:nuts is enabled on the node
+	if (serverConfig.Strictmode || serverConfig.InternalRateLimiter) && slices.Contains(serverConfig.DIDMethods, didnuts.MethodName) {
 		echoServer.Use(newInternalRateLimiter(map[string][]string{
 			http.MethodPost: {
-				"/internal/vcr/v2/issuer/vc",                   // issuing new VCs
-				"/internal/vdr/v1/did",                         // creating new DIDs
-				"/internal/vdr/v1/did/:did/verificationmethod", // add VM to DID
-				"/internal/didman/v1/did/:did/endpoint",        // add endpoint to DID
-				"/internal/didman/v1/did/:did/compoundservice", // add compound service to DID
+				"/internal/vcr/v2/issuer/vc",                      // issuing new VCs
+				"/internal/vdr/v1/did",                            // creating new DIDs
+				"/internal/vdr/v1/did/:did/verificationmethod",    // add VM to DID
+				"/internal/didman/v1/did/:did/endpoint",           // add endpoint to DID
+				"/internal/didman/v1/did/:did/compoundservice",    // add compound service to DID
+				"/internal/vdr/v2/subject",                        // create new subject
+				"/internal/vdr/v2/subject/:id/service",            // add service to subject
+				"/internal/vdr/v2/subject/:id/service/:serviceId", // update service for a subject
+				"/internal/vdr/v2/subject/:id/verificationmethod", // create new verification method for subject
 			},
 			http.MethodPut: {
 				"/internal/vdr/v1/did/:did",                // updating DIDs