feat(security): add rate limiting and CORS middleware

- Add rate limiting to login endpoint (5 requests/minute per IP) - Configure CORS middleware with environment-based origin control - Expose rate limit headers in CORS for client visibility - Update hono to 4.11.3 for rate limiter peer dependency 🤖 Generated with [Claude Code](https://claude.ai/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
author: nsfisis <nsfisis@gmail.com> 2025-12-30 22:08:47 +0900
committer: nsfisis <nsfisis@gmail.com> 2025-12-30 22:08:47 +0900
commit: c2eb7513834eeb5adfa53fff897f585de87e4821 (patch)
tree: 9e914051ca67e2f9e1fa301119bdec398ec9e55f /src
parent: b839cae49efd4b9d35c2868a4137101a4d71bd7f (diff)
download: kioku-c2eb7513834eeb5adfa53fff897f585de87e4821.tar.gz
kioku-c2eb7513834eeb5adfa53fff897f585de87e4821.tar.zst
kioku-c2eb7513834eeb5adfa53fff897f585de87e4821.zip
7 files changed, 346 insertions, 54 deletions
diff --git a/src/server/index.ts b/src/server/index.ts
index a2a3a77..ad7f48a 100644
--- a/src/server/index.ts
+++ b/src/server/index.ts
@@ -1,12 +1,13 @@
 import { serve } from "@hono/node-server";
 import { Hono } from "hono";
 import { logger } from "hono/logger";
-import { errorHandler } from "./middleware/index.js";
+import { createCorsMiddleware, errorHandler } from "./middleware/index.js";
 import { auth, cards, decks, study, sync } from "./routes/index.js";
 
 const app = new Hono();
 
 app.use("*", logger());
+app.use("/api/*", createCorsMiddleware());
 app.onError(errorHandler);
 
 // Chain routes for RPC type inference
diff --git a/src/server/middleware/cors.test.ts b/src/server/middleware/cors.test.ts
new file mode 100644
index 0000000..6f413a5
--- /dev/null
+++ b/src/server/middleware/cors.test.ts
@@ -0,0 +1,169 @@
+import { Hono } from "hono";
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import { createCorsMiddleware } from "./cors.js";
+
+describe("createCorsMiddleware", () => {
+	const originalEnv = process.env.CORS_ORIGIN;
+
+	afterEach(() => {
+		if (originalEnv === undefined) {
+			delete process.env.CORS_ORIGIN;
+		} else {
+			process.env.CORS_ORIGIN = originalEnv;
+		}
+	});
+
+	describe("when CORS_ORIGIN is not set", () => {
+		beforeEach(() => {
+			delete process.env.CORS_ORIGIN;
+		});
+
+		it("does not add CORS headers", async () => {
+			const app = new Hono();
+			app.use("*", createCorsMiddleware());
+			app.get("/test", (c) => c.json({ ok: true }));
+
+			const res = await app.request("/test", {
+				headers: { Origin: "https://attacker.com" },
+			});
+
+			expect(res.status).toBe(200);
+			expect(res.headers.get("Access-Control-Allow-Origin")).toBeNull();
+		});
+
+		it("does not allow preflight requests", async () => {
+			const app = new Hono();
+			app.use("*", createCorsMiddleware());
+			app.get("/test", (c) => c.json({ ok: true }));
+
+			const res = await app.request("/test", {
+				method: "OPTIONS",
+				headers: {
+					Origin: "https://attacker.com",
+					"Access-Control-Request-Method": "POST",
+				},
+			});
+
+			expect(res.headers.get("Access-Control-Allow-Origin")).toBeNull();
+		});
+	});
+
+	describe("when CORS_ORIGIN is set to single origin", () => {
+		beforeEach(() => {
+			process.env.CORS_ORIGIN = "https://allowed.example.com";
+		});
+
+		it("allows requests from the configured origin", async () => {
+			const app = new Hono();
+			app.use("*", createCorsMiddleware());
+			app.get("/test", (c) => c.json({ ok: true }));
+
+			const res = await app.request("/test", {
+				headers: { Origin: "https://allowed.example.com" },
+			});
+
+			expect(res.status).toBe(200);
+			expect(res.headers.get("Access-Control-Allow-Origin")).toBe(
+				"https://allowed.example.com",
+			);
+		});
+
+		it("does not allow requests from other origins", async () => {
+			const app = new Hono();
+			app.use("*", createCorsMiddleware());
+			app.get("/test", (c) => c.json({ ok: true }));
+
+			const res = await app.request("/test", {
+				headers: { Origin: "https://attacker.com" },
+			});
+
+			expect(res.status).toBe(200);
+			expect(res.headers.get("Access-Control-Allow-Origin")).toBeNull();
+		});
+
+		it("handles preflight requests correctly", async () => {
+			const app = new Hono();
+			app.use("*", createCorsMiddleware());
+			app.post("/test", (c) => c.json({ ok: true }));
+
+			const res = await app.request("/test", {
+				method: "OPTIONS",
+				headers: {
+					Origin: "https://allowed.example.com",
+					"Access-Control-Request-Method": "POST",
+				},
+			});
+
+			expect(res.headers.get("Access-Control-Allow-Origin")).toBe(
+				"https://allowed.example.com",
+			);
+			expect(res.headers.get("Access-Control-Allow-Methods")).toContain("POST");
+		});
+
+		it("exposes rate limit headers", async () => {
+			const app = new Hono();
+			app.use("*", createCorsMiddleware());
+			app.get("/test", (c) => c.json({ ok: true }));
+
+			const res = await app.request("/test", {
+				method: "OPTIONS",
+				headers: {
+					Origin: "https://allowed.example.com",
+					"Access-Control-Request-Method": "GET",
+				},
+			});
+
+			const exposeHeaders = res.headers.get("Access-Control-Expose-Headers");
+			expect(exposeHeaders).toContain("RateLimit-Limit");
+			expect(exposeHeaders).toContain("RateLimit-Remaining");
+			expect(exposeHeaders).toContain("RateLimit-Reset");
+		});
+	});
+
+	describe("when CORS_ORIGIN is set to multiple origins", () => {
+		beforeEach(() => {
+			process.env.CORS_ORIGIN =
+				"https://app.example.com, https://admin.example.com";
+		});
+
+		it("allows requests from first configured origin", async () => {
+			const app = new Hono();
+			app.use("*", createCorsMiddleware());
+			app.get("/test", (c) => c.json({ ok: true }));
+
+			const res = await app.request("/test", {
+				headers: { Origin: "https://app.example.com" },
+			});
+
+			expect(res.headers.get("Access-Control-Allow-Origin")).toBe(
+				"https://app.example.com",
+			);
+		});
+
+		it("allows requests from second configured origin", async () => {
+			const app = new Hono();
+			app.use("*", createCorsMiddleware());
+			app.get("/test", (c) => c.json({ ok: true }));
+
+			const res = await app.request("/test", {
+				headers: { Origin: "https://admin.example.com" },
+			});
+
+			expect(res.headers.get("Access-Control-Allow-Origin")).toBe(
+				"https://admin.example.com",
+			);
+		});
+
+		it("does not allow requests from unlisted origins", async () => {
+			const app = new Hono();
+			app.use("*", createCorsMiddleware());
+			app.get("/test", (c) => c.json({ ok: true }));
+
+			const res = await app.request("/test", {
+				headers: { Origin: "https://other.example.com" },
+			});
+
+			expect(res.headers.get("Access-Control-Allow-Origin")).toBeNull();
+		});
+	});
+});
diff --git a/src/server/middleware/cors.ts b/src/server/middleware/cors.ts
new file mode 100644
index 0000000..ce097ac
--- /dev/null
+++ b/src/server/middleware/cors.ts
@@ -0,0 +1,42 @@
+import { cors } from "hono/cors";
+
+/**
+ * CORS middleware configuration.
+ * Uses CORS_ORIGIN environment variable to configure allowed origins.
+ * If not set, defaults to same-origin only (no CORS headers).
+ *
+ * Examples:
+ * - CORS_ORIGIN=https://kioku.example.com (single origin)
+ * - CORS_ORIGIN=https://example.com,https://app.example.com (multiple origins)
+ */
+function getAllowedOrigins(): string[] {
+	const origins = process.env.CORS_ORIGIN;
+	if (!origins) {
+		return [];
+	}
+	return origins.split(",").map((o) => o.trim());
+}
+
+export function createCorsMiddleware() {
+	const allowedOrigins = getAllowedOrigins();
+
+	// If no origins configured, don't add CORS headers
+	if (allowedOrigins.length === 0) {
+		return cors({
+			origin: () => "",
+		});
+	}
+
+	return cors({
+		origin: allowedOrigins,
+		allowMethods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
+		allowHeaders: ["Content-Type", "Authorization"],
+		exposeHeaders: [
+			"RateLimit-Limit",
+			"RateLimit-Remaining",
+			"RateLimit-Reset",
+		],
+		maxAge: 86400, // 24 hours
+		credentials: true,
+	});
+}
diff --git a/src/server/middleware/index.ts b/src/server/middleware/index.ts
index e894a42..449e484 100644
--- a/src/server/middleware/index.ts
+++ b/src/server/middleware/index.ts
@@ -1,2 +1,4 @@
 export { type AuthUser, authMiddleware, getAuthUser } from "./auth.js";
+export { createCorsMiddleware } from "./cors.js";
 export { AppError, Errors, errorHandler } from "./error-handler.js";
+export { loginRateLimiter } from "./rate-limiter.js";
diff --git a/src/server/middleware/rate-limiter.ts b/src/server/middleware/rate-limiter.ts
new file mode 100644
index 0000000..d2bf7d1
--- /dev/null
+++ b/src/server/middleware/rate-limiter.ts
@@ -0,0 +1,18 @@
+import { rateLimiter } from "hono-rate-limiter";
+
+/**
+ * Rate limiter for login endpoint to prevent brute force attacks.
+ * Limits to 5 login attempts per minute per IP address.
+ */
+export const loginRateLimiter = rateLimiter({
+	windowMs: 60 * 1000, // 1 minute
+	limit: 5, // 5 requests per window
+	keyGenerator: (c) =>
+		c.req.header("x-forwarded-for") ?? c.req.header("x-real-ip") ?? "unknown",
+	message: {
+		error: {
+			message: "Too many login attempts, please try again later",
+			code: "RATE_LIMIT_EXCEEDED",
+		},
+	},
+});
diff --git a/src/server/routes/auth.test.ts b/src/server/routes/auth.test.ts
index 5bf9f86..c3b0158 100644
--- a/src/server/routes/auth.test.ts
+++ b/src/server/routes/auth.test.ts
@@ -62,6 +62,56 @@ describe("POST /login", () => {
 		app.route("/api/auth", auth);
 	});
 
+	it("returns rate limit headers on login request", async () => {
+		vi.mocked(mockUserRepo.findByUsername).mockResolvedValue(undefined);
+
+		const res = await app.request("/api/auth/login", {
+			method: "POST",
+			headers: {
+				"Content-Type": "application/json",
+				"X-Forwarded-For": "192.168.1.1",
+			},
+			body: JSON.stringify({
+				username: "testuser",
+				password: "somepassword",
+			}),
+		});
+
+		expect(res.headers.get("RateLimit-Limit")).toBe("5");
+		expect(res.headers.get("RateLimit-Remaining")).toBeDefined();
+	});
+
+	it("returns 429 after exceeding rate limit", async () => {
+		vi.mocked(mockUserRepo.findByUsername).mockResolvedValue(undefined);
+
+		const makeRequest = () =>
+			app.request("/api/auth/login", {
+				method: "POST",
+				headers: {
+					"Content-Type": "application/json",
+					"X-Forwarded-For": "10.0.0.1",
+				},
+				body: JSON.stringify({
+					username: "testuser",
+					password: "wrongpassword",
+				}),
+			});
+
+		// Make 5 requests (the limit)
+		for (let i = 0; i < 5; i++) {
+			const res = await makeRequest();
+			expect(res.status).toBe(401);
+		}
+
+		// 6th request should be rate limited
+		const rateLimitedRes = await makeRequest();
+		expect(rateLimitedRes.status).toBe(429);
+		const body = (await rateLimitedRes.json()) as {
+			error?: { code: string; message: string };
+		};
+		expect(body.error?.code).toBe("RATE_LIMIT_EXCEEDED");
+	});
+
 	it("returns access token for valid credentials", async () => {
 		vi.mocked(mockUserRepo.findByUsername).mockResolvedValue({
 			id: "user-uuid-123",
diff --git a/src/server/routes/auth.ts b/src/server/routes/auth.ts
index 06c88a6..73deb83 100644
--- a/src/server/routes/auth.ts
+++ b/src/server/routes/auth.ts
@@ -3,7 +3,7 @@ import { zValidator } from "@hono/zod-validator";
 import * as argon2 from "argon2";
 import { Hono } from "hono";
 import { sign } from "hono/jwt";
-import { Errors } from "../middleware/index.js";
+import { Errors, loginRateLimiter } from "../middleware/index.js";
 import {
 	type RefreshTokenRepository,
 	refreshTokenRepository,
@@ -39,63 +39,73 @@ export function createAuthRouter(deps: AuthDependencies) {
 	const { userRepo, refreshTokenRepo } = deps;
 
 	return new Hono()
-		.post("/login", zValidator("json", loginSchema), async (c) => {
-			const { username, password } = c.req.valid("json");
-
-			// Find user by username
-			const user = await userRepo.findByUsername(username);
-
-			if (!user) {
-				throw Errors.unauthorized(
-					"Invalid username or password",
-					"INVALID_CREDENTIALS",
+		.post(
+			"/login",
+			loginRateLimiter,
+			zValidator("json", loginSchema),
+			async (c) => {
+				const { username, password } = c.req.valid("json");
+
+				// Find user by username
+				const user = await userRepo.findByUsername(username);
+
+				if (!user) {
+					throw Errors.unauthorized(
+						"Invalid username or password",
+						"INVALID_CREDENTIALS",
+					);
+				}
+
+				// Verify password
+				const isPasswordValid = await argon2.verify(
+					user.passwordHash,
+					password,
 				);
-			}
-
-			// Verify password
-			const isPasswordValid = await argon2.verify(user.passwordHash, password);
-			if (!isPasswordValid) {
-				throw Errors.unauthorized(
-					"Invalid username or password",
-					"INVALID_CREDENTIALS",
+				if (!isPasswordValid) {
+					throw Errors.unauthorized(
+						"Invalid username or password",
+						"INVALID_CREDENTIALS",
+					);
+				}
+
+				// Generate JWT access token
+				const now = Math.floor(Date.now() / 1000);
+				const accessToken = await sign(
+					{
+						sub: user.id,
+						iat: now,
+						exp: now + ACCESS_TOKEN_EXPIRES_IN,
+					},
+					getJwtSecret(),
 				);
-			}
-
-			// Generate JWT access token
-			const now = Math.floor(Date.now() / 1000);
-			const accessToken = await sign(
-				{
-					sub: user.id,
-					iat: now,
-					exp: now + ACCESS_TOKEN_EXPIRES_IN,
-				},
-				getJwtSecret(),
-			);
 
-			// Generate refresh token
-			const refreshToken = generateRefreshToken();
-			const tokenHash = hashToken(refreshToken);
-			const expiresAt = new Date(Date.now() + REFRESH_TOKEN_EXPIRES_IN * 1000);
-
-			// Store refresh token in database
-			await refreshTokenRepo.create({
-				userId: user.id,
-				tokenHash,
-				expiresAt,
-			});
+				// Generate refresh token
+				const refreshToken = generateRefreshToken();
+				const tokenHash = hashToken(refreshToken);
+				const expiresAt = new Date(
+					Date.now() + REFRESH_TOKEN_EXPIRES_IN * 1000,
+				);
 
-			return c.json(
-				{
-					accessToken,
-					refreshToken,
-					user: {
-						id: user.id,
-						username: user.username,
+				// Store refresh token in database
+				await refreshTokenRepo.create({
+					userId: user.id,
+					tokenHash,
+					expiresAt,
+				});
+
+				return c.json(
+					{
+						accessToken,
+						refreshToken,
+						user: {
+							id: user.id,
+							username: user.username,
+						},
 					},
-				},
-				200,
-			);
-		})
+					200,
+				);
+			},
+		)
 		.post("/refresh", zValidator("json", refreshTokenSchema), async (c) => {
 			const { refreshToken } = c.req.valid("json");
 			const tokenHash = hashToken(refreshToken);
author	nsfisis <nsfisis@gmail.com>	2025-12-30 22:08:47 +0900
committer	nsfisis <nsfisis@gmail.com>	2025-12-30 22:08:47 +0900
commit	c2eb7513834eeb5adfa53fff897f585de87e4821 (patch)
tree	9e914051ca67e2f9e1fa301119bdec398ec9e55f /src
parent	b839cae49efd4b9d35c2868a4137101a4d71bd7f (diff)
download	kioku-c2eb7513834eeb5adfa53fff897f585de87e4821.tar.gz kioku-c2eb7513834eeb5adfa53fff897f585de87e4821.tar.zst kioku-c2eb7513834eeb5adfa53fff897f585de87e4821.zip