feat: add public spaces with unauthenticated read endpoints

src/config.rs

@@ -21,6 +21,40 @@ pub struct Config {
     pub prometheus: Prometheus,
     pub cors: bool,
     pub keys: Keys,
+    #[serde(default)]
+    pub public_spaces: PublicSpacesConfig,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, Hash, PartialEq, Eq)]
+pub struct PublicSpacesConfig {
+    #[serde(default = "default_rate_limit_per_minute")]
+    pub rate_limit_per_minute: u32,
+    #[serde(default = "default_rate_limit_burst")]
+    pub rate_limit_burst: u32,
+    #[serde(default = "default_public_storage_limit")]
+    pub storage_limit: ByteUnit,
+}
+
+fn default_rate_limit_per_minute() -> u32 {
+    60
+}
+
+fn default_rate_limit_burst() -> u32 {
+    10
+}
+
+fn default_public_storage_limit() -> ByteUnit {
+    ByteUnit::Mebibyte(10)
+}
+
+impl Default for PublicSpacesConfig {
+    fn default() -> Self {
+        Self {
+            rate_limit_per_minute: default_rate_limit_per_minute(),
+            rate_limit_burst: default_rate_limit_burst(),
+            storage_limit: default_public_storage_limit(),
+        }
+    }
 }
 
 #[derive(Serialize, Deserialize, Debug, Clone, Hash, PartialEq, Eq)]

src/lib.rs

@@ -18,7 +18,12 @@ pub mod storage;
 mod tracing;
 
 use config::{BlockStorage, Config, Keys, StagingStorage};
-use routes::{delegate, invoke, open_host_key, util_routes::*, version};
+use routes::{
+    delegate, invoke, open_host_key,
+    public::{public_kv_get, public_kv_head, public_kv_list, public_kv_options, RateLimiter},
+    util_routes::*,
+    version,
+};
 use storage::{
     file_system::{FileSystemConfig, FileSystemStore, TempFileSystemStage},
     s3::{S3BlockConfig, S3BlockStore},
@@ -78,7 +83,18 @@ pub async fn app(config: &Figment) -> Result<Rocket<Build>> {
 
     tracing::tracing_try_init(&tinycloud_config.log)?;
 
-    let routes = routes![healthcheck, cors, version, open_host_key, invoke, delegate,];
+    let routes = routes![
+        healthcheck,
+        cors,
+        version,
+        open_host_key,
+        invoke,
+        delegate,
+        public_kv_get,
+        public_kv_head,
+        public_kv_list,
+        public_kv_options,
+    ];
 
     let key_setup: StaticSecret = match tinycloud_config.keys {
         Keys::Static(s) => s.try_into()?,
@@ -99,6 +115,8 @@ pub async fn app(config: &Figment) -> Result<Rocket<Build>> {
         tinycloud_config.storage.sql.memory_threshold.as_u64(),
     );
 
+    let rate_limiter = RateLimiter::new(&tinycloud_config.public_spaces);
+
     let rocket = rocket::custom(config)
         .mount("/", routes)
         .attach(AdHoc::config::<Config>())
@@ -107,6 +125,7 @@ pub async fn app(config: &Figment) -> Result<Rocket<Build>> {
         })
         .manage(tinycloud)
         .manage(sql_service)
+        .manage(rate_limiter)
         .manage(tinycloud_config.storage.staging.open().await?);
 
     if tinycloud_config.cors {

src/routes/mod.rs

@@ -10,6 +10,7 @@ use crate::{
     auth_guards::{DataIn, DataOut, InvOut, ObjectHeaders},
     authorization::AuthHeaderGetter,
     config::Config,
+    routes::public::is_public_space,
     tracing::TracingSpan,
     BlockStage, BlockStores, TinyCloud,
 };
@@ -22,6 +23,7 @@ use tinycloud_core::{
     InvocationOutcome, TxError, TxStoreError,
 };
 
+pub mod public;
 pub mod util;
 use util::LimitedReader;
 
@@ -183,7 +185,14 @@ pub async fn invoke(
                     .map_err(|e| (Status::InternalServerError, e.to_string()))?;
                 let open_data = d.open(1u8.gigabytes()).compat();
 
-                if let Some(limit) = config.storage.limit {
+                // Use public space storage limit if applicable, otherwise regular limit
+                let effective_limit = if is_public_space(space) {
+                    Some(config.public_spaces.storage_limit)
+                } else {
+                    config.storage.limit
+                };
+
+                if let Some(limit) = effective_limit {
                     let current_size = tinycloud
                         .store_size(space)
                         .await