add v2 API routes for admin and bug report management with rate limiting

internal/routes/v1/admin.go

@@ -13,17 +13,24 @@ import (
 
 func registerAdmin(r chi.Router, db *sqlx.DB) {
 	r.Route("/admin", func(r chi.Router) {
-		r.Use(httprate.LimitByIP(30, time.Minute))
 
-		// Auth — public, handles its own credential checks
+		// Auth — public, handles its own credential checks.
+		// Only /login is rate-limited: it is the only endpoint vulnerable to
+		// brute-force. /validate and /logout require a 256-bit session token
+		// and are called frequently by authenticated clients, so no limit is
+		// applied there.
 		r.Route("/auth", func(r chi.Router) {
-			r.Post("/login", handlers.LoginUser(db))
+			r.Group(func(r chi.Router) {
+				r.Use(httprate.LimitByIP(30, time.Minute))
+				r.Post("/login", handlers.LoginUser(db))
+			})
 			r.Get("/validate", handlers.ValidateSession(db))
 			r.Post("/logout", handlers.LogoutSession(db))
 		})
 
 		// User management — protected via Admin Key
 		r.Route("/users", func(r chi.Router) {
+			r.Use(httprate.LimitByIP(30, time.Minute))
 			r.Use(apimw.AdminKeyAuth(db))
 
 			r.Get("/", handlers.ListUsers(db))
@@ -34,4 +41,4 @@ func registerAdmin(r chi.Router, db *sqlx.DB) {
 			r.Delete("/{id}", handlers.DeleteUser(db))
 		})
 	})
-}
+}

internal/routes/v1/v1.go

@@ -1,7 +1,9 @@
 package v1
 
 import (
+	emlyMiddleware "emly-api-go/internal/middleware"
 	"net/http"
+	"time"
 
 	"emly-api-go/internal/handlers"
 
@@ -15,6 +17,15 @@ import (
 func NewRouter(db *sqlx.DB) http.Handler {
 	r := chi.NewRouter()
 
+	rl := emlyMiddleware.NewRateLimiter(
+		5,              // 5 req/sec per IP
+		10,             // burst fino a 10
+		20,             // ban dopo 20 violazioni
+		15*time.Minute, // ban di 15 minuti
+	)
+
+	r.Use(rl.Handler)
+
 	r.Use(func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			w.Header().Set("X-Server", "emly-api-go")