commit 9ab4aadd454d831893399d60c0872ffefe42ddea · dunkirk.sh/thistle

+13

src/db/schema.ts

···

       76
       76
        
             ALTER TABLE transcriptions DROP COLUMN transcript;

     

       77
       77
        
           `,

     

       78
       78
        
       	},

     

       79
       79
       +
       	{

     

       80
       80
       +
       		version: 5,

     

       81
       81
       +
       		name: "Add rate limiting table",

     

       82
       82
       +
       		sql: `

     

       83
       83
       +
             CREATE TABLE IF NOT EXISTS rate_limit_attempts (

     

       84
       84
       +
               id INTEGER PRIMARY KEY AUTOINCREMENT,

     

       85
       85
       +
               key TEXT NOT NULL,

     

       86
       86
       +
               timestamp INTEGER NOT NULL

     

       87
       87
       +
             );

     

       88
       88
       +
       

     

       89
       89
       +
             CREATE INDEX IF NOT EXISTS idx_rate_limit_key_timestamp ON rate_limit_attempts(key, timestamp);

     

       90
       90
       +
           `,

     

       91
       91
       +
       	},

     

       79
       92
        
       ];

     

       80
       93
        
       

     

       81
       94
        
       function getCurrentVersion(): number {

+36

src/index.ts

···

       17
       17
        
       } from "./lib/auth";

     

       18
       18
        
       import { handleError, ValidationErrors } from "./lib/errors";

     

       19
       19
        
       import { requireAuth } from "./lib/middleware";

     

       20
       20
       +
       import { enforceRateLimit } from "./lib/rate-limit";

     

       20
       21
        
       import {

     

       21
       22
        
       	MAX_FILE_SIZE,

     

       22
       23
        
       	TranscriptionEventEmitter,

     
···

       86
       87
        
       		"/api/auth/register": {

     

       87
       88
        
       			POST: async (req) => {

     

       88
       89
        
       				try {

     

       90
       90
       +
       					// Rate limiting

     

       91
       91
       +
       					const rateLimitError = enforceRateLimit(req, "register", {

     

       92
       92
       +
       						ip: { max: 5, windowSeconds: 60 * 60 },

     

       93
       93
       +
       					});

     

       94
       94
       +
       					if (rateLimitError) return rateLimitError;

     

       95
       95
       +
       

     

       89
       96
        
       					const body = await req.json();

     

       90
       97
        
       					const { email, password, name } = body;

     

       91
       98
        
       					if (!email || !password) {

     
···

       142
       149
        
       							{ status: 400 },

     

       143
       150
        
       						);

     

       144
       151
        
       					}

     

       152
       152
       +
       

     

       153
       153
       +
       					// Rate limiting: Per IP and per account

     

       154
       154
       +
       					const rateLimitError = enforceRateLimit(req, "login", {

     

       155
       155
       +
       						ip: { max: 10, windowSeconds: 15 * 60 },

     

       156
       156
       +
       						account: { max: 5, windowSeconds: 15 * 60, email },

     

       157
       157
       +
       					});

     

       158
       158
       +
       					if (rateLimitError) return rateLimitError;

     

       159
       159
       +
       

     

       145
       160
        
       					// Password is client-side hashed (PBKDF2), should be 64 char hex

     

       146
       161
        
       					if (password.length !== 64 || !/^[0-9a-f]+$/.test(password)) {

     

       147
       162
        
       						return Response.json(

     
···

       267
       282
        
       				if (!user) {

     

       268
       283
        
       					return Response.json({ error: "Invalid session" }, { status: 401 });

     

       269
       284
        
       				}

     

       285
       285
       +
       

     

       286
       286
       +
       				// Rate limiting

     

       287
       287
       +
       				const rateLimitError = enforceRateLimit(req, "delete-user", {

     

       288
       288
       +
       					ip: { max: 3, windowSeconds: 60 * 60 },

     

       289
       289
       +
       				});

     

       290
       290
       +
       				if (rateLimitError) return rateLimitError;

     

       291
       291
       +
       

     

       270
       292
        
       				deleteUser(user.id);

     

       271
       293
        
       				return Response.json(

     

       272
       294
        
       					{ success: true },

     
···

       289
       311
        
       				if (!user) {

     

       290
       312
        
       					return Response.json({ error: "Invalid session" }, { status: 401 });

     

       291
       313
        
       				}

     

       314
       314
       +
       

     

       315
       315
       +
       				// Rate limiting

     

       316
       316
       +
       				const rateLimitError = enforceRateLimit(req, "update-email", {

     

       317
       317
       +
       					ip: { max: 5, windowSeconds: 60 * 60 },

     

       318
       318
       +
       				});

     

       319
       319
       +
       				if (rateLimitError) return rateLimitError;

     

       320
       320
       +
       

     

       292
       321
        
       				const body = await req.json();

     

       293
       322
        
       				const { email } = body;

     

       294
       323
        
       				if (!email) {

     
···

       322
       351
        
       				if (!user) {

     

       323
       352
        
       					return Response.json({ error: "Invalid session" }, { status: 401 });

     

       324
       353
        
       				}

     

       354
       354
       +
       

     

       355
       355
       +
       				// Rate limiting

     

       356
       356
       +
       				const rateLimitError = enforceRateLimit(req, "update-password", {

     

       357
       357
       +
       					ip: { max: 5, windowSeconds: 60 * 60 },

     

       358
       358
       +
       				});

     

       359
       359
       +
       				if (rateLimitError) return rateLimitError;

     

       360
       360
       +
       

     

       325
       361
        
       				const body = await req.json();

     

       326
       362
        
       				const { password } = body;

     

       327
       363
        
       				if (!password) {

+110

src/lib/rate-limit.test.ts

···

       1
       1
       +
       import { expect, test } from "bun:test";

     

       2
       2
       +
       import { checkRateLimit, cleanupOldAttempts } from "./rate-limit";

     

       3
       3
       +
       import db from "../db/schema";

     

       4
       4
       +
       

     

       5
       5
       +
       // Clean up before tests

     

       6
       6
       +
       db.run("DELETE FROM rate_limit_attempts");

     

       7
       7
       +
       

     

       8
       8
       +
       test("allows requests under the limit", () => {

     

       9
       9
       +
       	const key = "test:allow";

     

       10
       10
       +
       

     

       11
       11
       +
       	const result1 = checkRateLimit(key, 5, 60);

     

       12
       12
       +
       	expect(result1.allowed).toBe(true);

     

       13
       13
       +
       

     

       14
       14
       +
       	const result2 = checkRateLimit(key, 5, 60);

     

       15
       15
       +
       	expect(result2.allowed).toBe(true);

     

       16
       16
       +
       

     

       17
       17
       +
       	const result3 = checkRateLimit(key, 5, 60);

     

       18
       18
       +
       	expect(result3.allowed).toBe(true);

     

       19
       19
       +
       });

     

       20
       20
       +
       

     

       21
       21
       +
       test("blocks requests over the limit", () => {

     

       22
       22
       +
       	const key = "test:block";

     

       23
       23
       +
       

     

       24
       24
       +
       	// Make 5 requests (limit)

     

       25
       25
       +
       	for (let i = 0; i < 5; i++) {

     

       26
       26
       +
       		const result = checkRateLimit(key, 5, 60);

     

       27
       27
       +
       		expect(result.allowed).toBe(true);

     

       28
       28
       +
       	}

     

       29
       29
       +
       

     

       30
       30
       +
       	// 6th request should be blocked

     

       31
       31
       +
       	const blocked = checkRateLimit(key, 5, 60);

     

       32
       32
       +
       	expect(blocked.allowed).toBe(false);

     

       33
       33
       +
       	expect(blocked.retryAfter).toBeGreaterThan(0);

     

       34
       34
       +
       });

     

       35
       35
       +
       

     

       36
       36
       +
       test("rolling window allows requests after time passes", async () => {

     

       37
       37
       +
       	const key = "test:rolling";

     

       38
       38
       +
       

     

       39
       39
       +
       	// Make 3 requests

     

       40
       40
       +
       	for (let i = 0; i < 3; i++) {

     

       41
       41
       +
       		checkRateLimit(key, 3, 2); // 3 per 2 seconds

     

       42
       42
       +
       	}

     

       43
       43
       +
       

     

       44
       44
       +
       	// 4th should be blocked

     

       45
       45
       +
       	let result = checkRateLimit(key, 3, 2);

     

       46
       46
       +
       	expect(result.allowed).toBe(false);

     

       47
       47
       +
       

     

       48
       48
       +
       	// Wait for window to pass

     

       49
       49
       +
       	await new Promise((resolve) => setTimeout(resolve, 2100));

     

       50
       50
       +
       

     

       51
       51
       +
       	// Should now be allowed (old attempts outside window)

     

       52
       52
       +
       	result = checkRateLimit(key, 3, 2);

     

       53
       53
       +
       	expect(result.allowed).toBe(true);

     

       54
       54
       +
       });

     

       55
       55
       +
       

     

       56
       56
       +
       test("different keys are tracked separately", () => {

     

       57
       57
       +
       	const key1 = "test:separate1";

     

       58
       58
       +
       	const key2 = "test:separate2";

     

       59
       59
       +
       

     

       60
       60
       +
       	// Exhaust limit for key1

     

       61
       61
       +
       	for (let i = 0; i < 5; i++) {

     

       62
       62
       +
       		checkRateLimit(key1, 5, 60);

     

       63
       63
       +
       	}

     

       64
       64
       +
       

     

       65
       65
       +
       	const blocked = checkRateLimit(key1, 5, 60);

     

       66
       66
       +
       	expect(blocked.allowed).toBe(false);

     

       67
       67
       +
       

     

       68
       68
       +
       	// key2 should still be allowed

     

       69
       69
       +
       	const allowed = checkRateLimit(key2, 5, 60);

     

       70
       70
       +
       	expect(allowed.allowed).toBe(true);

     

       71
       71
       +
       });

     

       72
       72
       +
       

     

       73
       73
       +
       test("cleanup removes old attempts", () => {

     

       74
       74
       +
       	const key = "test:cleanup";

     

       75
       75
       +
       

     

       76
       76
       +
       	// Create some attempts

     

       77
       77
       +
       	checkRateLimit(key, 10, 60);

     

       78
       78
       +
       	checkRateLimit(key, 10, 60);

     

       79
       79
       +
       

     

       80
       80
       +
       	// Manually insert an old attempt (25 hours ago)

     

       81
       81
       +
       	const oldTimestamp = Math.floor(Date.now() / 1000) - 25 * 60 * 60;

     

       82
       82
       +
       	db.run("INSERT INTO rate_limit_attempts (key, timestamp) VALUES (?, ?)", [

     

       83
       83
       +
       		"test:old",

     

       84
       84
       +
       		oldTimestamp,

     

       85
       85
       +
       	]);

     

       86
       86
       +
       

     

       87
       87
       +
       	// Run cleanup (default: removes attempts older than 24 hours)

     

       88
       88
       +
       	cleanupOldAttempts();

     

       89
       89
       +
       

     

       90
       90
       +
       	// Old attempt should be gone

     

       91
       91
       +
       	const count = db

     

       92
       92
       +
       		.query<{ count: number }, []>(

     

       93
       93
       +
       			"SELECT COUNT(*) as count FROM rate_limit_attempts WHERE key = 'test:old'",

     

       94
       94
       +
       		)

     

       95
       95
       +
       		.get();

     

       96
       96
       +
       

     

       97
       97
       +
       	expect(count?.count).toBe(0);

     

       98
       98
       +
       

     

       99
       99
       +
       	// Recent attempts should still exist

     

       100
       100
       +
       	const recentCount = db

     

       101
       101
       +
       		.query<{ count: number }, [string]>(

     

       102
       102
       +
       			"SELECT COUNT(*) as count FROM rate_limit_attempts WHERE key = ?",

     

       103
       103
       +
       		)

     

       104
       104
       +
       		.get(key);

     

       105
       105
       +
       

     

       106
       106
       +
       	expect(recentCount?.count).toBe(2);

     

       107
       107
       +
       });

     

       108
       108
       +
       

     

       109
       109
       +
       // Cleanup after tests

     

       110
       110
       +
       db.run("DELETE FROM rate_limit_attempts");

+125

src/lib/rate-limit.ts

···

       1
       1
       +
       import db from "../db/schema";

     

       2
       2
       +
       

     

       3
       3
       +
       export interface RateLimitResult {

     

       4
       4
       +
       	allowed: boolean;

     

       5
       5
       +
       	retryAfter?: number;

     

       6
       6
       +
       }

     

       7
       7
       +
       

     

       8
       8
       +
       export interface RateLimitConfig {

     

       9
       9
       +
       	ip?: { max: number; windowSeconds: number };

     

       10
       10
       +
       	account?: { max: number; windowSeconds: number; email: string };

     

       11
       11
       +
       }

     

       12
       12
       +
       

     

       13
       13
       +
       export function checkRateLimit(

     

       14
       14
       +
       	key: string,

     

       15
       15
       +
       	maxAttempts: number,

     

       16
       16
       +
       	windowSeconds: number,

     

       17
       17
       +
       ): RateLimitResult {

     

       18
       18
       +
       	const now = Math.floor(Date.now() / 1000);

     

       19
       19
       +
       	const windowStart = now - windowSeconds;

     

       20
       20
       +
       

     

       21
       21
       +
       	// Count attempts in rolling window

     

       22
       22
       +
       	const count = db

     

       23
       23
       +
       		.query<{ count: number }, [string, number]>(

     

       24
       24
       +
       			"SELECT COUNT(*) as count FROM rate_limit_attempts WHERE key = ? AND timestamp > ?",

     

       25
       25
       +
       		)

     

       26
       26
       +
       		.get(key, windowStart);

     

       27
       27
       +
       

     

       28
       28
       +
       	const attemptCount = count?.count ?? 0;

     

       29
       29
       +
       

     

       30
       30
       +
       	if (attemptCount >= maxAttempts) {

     

       31
       31
       +
       		// Find oldest attempt in window to calculate retry time

     

       32
       32
       +
       		const oldest = db

     

       33
       33
       +
       			.query<{ timestamp: number }, [string, number]>(

     

       34
       34
       +
       				"SELECT timestamp FROM rate_limit_attempts WHERE key = ? AND timestamp > ? ORDER BY timestamp ASC LIMIT 1",

     

       35
       35
       +
       			)

     

       36
       36
       +
       			.get(key, windowStart);

     

       37
       37
       +
       

     

       38
       38
       +
       		const retryAfter = oldest

     

       39
       39
       +
       			? oldest.timestamp + windowSeconds - now

     

       40
       40
       +
       			: windowSeconds;

     

       41
       41
       +
       

     

       42
       42
       +
       		return {

     

       43
       43
       +
       			allowed: false,

     

       44
       44
       +
       			retryAfter: Math.max(retryAfter, 1),

     

       45
       45
       +
       		};

     

       46
       46
       +
       	}

     

       47
       47
       +
       

     

       48
       48
       +
       	// Record this attempt

     

       49
       49
       +
       	db.run("INSERT INTO rate_limit_attempts (key, timestamp) VALUES (?, ?)", [

     

       50
       50
       +
       		key,

     

       51
       51
       +
       		now,

     

       52
       52
       +
       	]);

     

       53
       53
       +
       

     

       54
       54
       +
       	return { allowed: true };

     

       55
       55
       +
       }

     

       56
       56
       +
       

     

       57
       57
       +
       export function enforceRateLimit(

     

       58
       58
       +
       	req: Request,

     

       59
       59
       +
       	endpoint: string,

     

       60
       60
       +
       	config: RateLimitConfig,

     

       61
       61
       +
       ): Response | null {

     

       62
       62
       +
       	const ipAddress =

     

       63
       63
       +
       		req.headers.get("x-forwarded-for") ??

     

       64
       64
       +
       		req.headers.get("x-real-ip") ??

     

       65
       65
       +
       		"unknown";

     

       66
       66
       +
       

     

       67
       67
       +
       	// Check IP-based rate limit

     

       68
       68
       +
       	if (config.ip) {

     

       69
       69
       +
       		const ipLimit = checkRateLimit(

     

       70
       70
       +
       			`${endpoint}:ip:${ipAddress}`,

     

       71
       71
       +
       			config.ip.max,

     

       72
       72
       +
       			config.ip.windowSeconds,

     

       73
       73
       +
       		);

     

       74
       74
       +
       

     

       75
       75
       +
       		if (!ipLimit.allowed) {

     

       76
       76
       +
       			return Response.json(

     

       77
       77
       +
       				{

     

       78
       78
       +
       					error: `Too many requests. Try again in ${ipLimit.retryAfter} seconds.`,

     

       79
       79
       +
       				},

     

       80
       80
       +
       				{

     

       81
       81
       +
       					status: 429,

     

       82
       82
       +
       					headers: { "Retry-After": String(ipLimit.retryAfter) },

     

       83
       83
       +
       				},

     

       84
       84
       +
       			);

     

       85
       85
       +
       		}

     

       86
       86
       +
       	}

     

       87
       87
       +
       

     

       88
       88
       +
       	// Check account-based rate limit

     

       89
       89
       +
       	if (config.account) {

     

       90
       90
       +
       		const accountLimit = checkRateLimit(

     

       91
       91
       +
       			`${endpoint}:account:${config.account.email.toLowerCase()}`,

     

       92
       92
       +
       			config.account.max,

     

       93
       93
       +
       			config.account.windowSeconds,

     

       94
       94
       +
       		);

     

       95
       95
       +
       

     

       96
       96
       +
       		if (!accountLimit.allowed) {

     

       97
       97
       +
       			return Response.json(

     

       98
       98
       +
       				{

     

       99
       99
       +
       					error: `Too many attempts for this account. Try again in ${accountLimit.retryAfter} seconds.`,

     

       100
       100
       +
       				},

     

       101
       101
       +
       				{

     

       102
       102
       +
       					status: 429,

     

       103
       103
       +
       					headers: { "Retry-After": String(accountLimit.retryAfter) },

     

       104
       104
       +
       				},

     

       105
       105
       +
       			);

     

       106
       106
       +
       		}

     

       107
       107
       +
       	}

     

       108
       108
       +
       

     

       109
       109
       +
       	return null; // Allowed

     

       110
       110
       +
       }

     

       111
       111
       +
       

     

       112
       112
       +
       export function cleanupOldAttempts(olderThanSeconds = 86400) {

     

       113
       113
       +
       	// Clean up attempts older than specified time (default: 24 hours)

     

       114
       114
       +
       	const cutoff = Math.floor(Date.now() / 1000) - olderThanSeconds;

     

       115
       115
       +
       	db.run("DELETE FROM rate_limit_attempts WHERE timestamp < ?", [cutoff]);

     

       116
       116
       +
       }

     

       117
       117
       +
       

     

       118
       118
       +
       // Run cleanup on module load and periodically

     

       119
       119
       +
       cleanupOldAttempts();

     

       120
       120
       +
       setInterval(

     

       121
       121
       +
       	() => {

     

       122
       122
       +
       		cleanupOldAttempts();

     

       123
       123
       +
       	},

     

       124
       124
       +
       	60 * 60 * 1000,

     

       125
       125
       +
       ); // Every hour