
tessl-labs/go-security-basics

Security defaults that belong in every Go HTTP server from day one — CORS, security headers, rate limiting, SQL injection prevention, input validation, secrets management, graceful shutdown, and request timeouts.

evals/scenario-2/task.md

Protecting a Go API from Abuse and Brute Force

Problem Description

A Go REST API is being targeted by bots. Automated scanners are hammering general endpoints and credential-stuffing attacks are hitting the login and registration endpoints hundreds of times per minute from single IP addresses. The engineering team needs to add IP-based traffic controls to slow down abusive clients without blocking legitimate users.

The service has two categories of endpoints: general API routes for reading data, and authentication routes (/api/auth/login and /api/auth/register) that should be significantly harder to spam than the general ones.

Output Specification

Build a Go HTTP server in the ./server/ directory that implements rate limiting. Include the following endpoints:

  • POST /api/auth/login — responds with {"token":"dummy"} (no real auth needed)
  • POST /api/auth/register — responds with {"id":1} (no real registration needed)
  • GET /api/profile — responds with {"name":"alice"}
  • GET /api/feed — responds with []

The server should be runnable with go run ./server/ and listen on port 8080.
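The following is an added example, not code from the page or from the tessl-labs skill: a complete server meeting the specification above, with two token-bucket limiters keyed by client IP, a strict one in front of /api/auth/login and /api/auth/register and a looser one in front of the general routes. The page fixes only the endpoints, the port and the response bodies; the limits chosen here (a 20-request burst then 10 per second for general routes, a 5-request burst then 1 per second for auth routes), the JSON error body, the one-second Retry-After and the injectable clock are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"sync"
	"time"
)

type bucket struct {
	tokens float64   // tokens available right now
	last   time.Time // when tokens was last refilled
}

// Limiter is a per-IP token bucket: burst tokens up front, rate tokens/second after that.
type Limiter struct {
	mu      sync.Mutex
	rate    float64
	burst   float64
	buckets map[string]*bucket
	Now     func() time.Time // clock; tests replace it to make results deterministic
}

func NewLimiter(rate float64, burst int) *Limiter {
	return &Limiter{rate: rate, burst: float64(burst), buckets: map[string]*bucket{}, Now: time.Now}
}

// Allow reports whether one more request from ip fits its limit, consuming a token if so.
func (l *Limiter) Allow(ip string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.Now()
	b, ok := l.buckets[ip]
	if !ok {
		b = &bucket{tokens: l.burst, last: now}
		l.buckets[ip] = b
	}
	if b.tokens += now.Sub(b.last).Seconds() * l.rate; b.tokens > l.burst { // refill, capped at burst
		b.tokens = l.burst
	}
	b.last = now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Middleware answers 429 for over-limit requests before they reach next.
func (l *Limiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Key on the TCP peer address; X-Forwarded-For is ignored on purpose (trust it only behind a proxy you control).
		ip := r.RemoteAddr
		if host, _, err := net.SplitHostPort(ip); err == nil {
			ip = host
		}
		if !l.Allow(ip) {
			w.Header().Set("Content-Type", "application/json")
			w.Header().Set("Retry-After", "1")
			w.WriteHeader(http.StatusTooManyRequests)
			fmt.Fprint(w, `{"error":"rate limited"}`)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// jsonHandler serves a fixed JSON body and rejects every other method.
func jsonHandler(method, body string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != method {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, body)
	})
}

// NewServer puts the auth routes behind the strict limiter and the rest behind the general one.
func NewServer(general, auth *Limiter) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/auth/login", auth.Middleware(jsonHandler(http.MethodPost, `{"token":"dummy"}`)))
	mux.Handle("/api/auth/register", auth.Middleware(jsonHandler(http.MethodPost, `{"id":1}`)))
	mux.Handle("/api/profile", general.Middleware(jsonHandler(http.MethodGet, `{"name":"alice"}`)))
	mux.Handle("/api/feed", general.Middleware(jsonHandler(http.MethodGet, `[]`)))
	return mux
}

func main() {
	general := NewLimiter(10, 20) // assumed limits: 20-request burst, then 10/s per IP
	auth := NewLimiter(1, 5)      // assumed limits: 5-request burst, then 1/s per IP
	srv := &http.Server{Addr: ":8080", Handler: NewServer(general, auth), ReadHeaderTimeout: 5 * time.Second}
	log.Fatal(srv.ListenAndServe())
}
```

Two caveats a reviewer would raise before this goes anywhere near production. First, the limiter keys on the TCP peer address, so behind a load balancer every client would share one bucket; in that deployment take the client address from the proxy's own header, and only for connections that actually come from that proxy, because an attacker who can set X-Forwarded-For freely gets a fresh bucket per request. Second, the map grows by one entry per distinct source address and nothing here evicts idle buckets, so a long-running server needs a periodic sweep (or a bounded map) to stop a wide scan from turning the limiter into a memory sink. With the assumed limits, a loop of 25 requests to /api/feed from one address yields twenty 200s followed by five 429s, and the same loop against /api/auth/login five 200s followed by twenty 429s.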

Write a test_rate_limits.sh script that uses curl in a loop to demonstrate the rate limiting in action: fire 25 rapid requests at /api/feed and 25 rapid requests at /api/auth/login, capturing the HTTP status codes to a file called rate_limit_results.txt.
