letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
312779c0c5d6a00eff428899e3a36a641b82c42a
pn-new-crm/src/lib/rate-limit.ts
Matt Ciaccio 312779c0c5 fix(security): tier-0 audit blockers (next CVE, role gate, perm traps, key validation, rate limits) 
Closes the five highest-risk findings from
docs/audit-comprehensive-2026-05-05.md so the platform is not exposed
while the rest of the audit backlog (1 CRIT + 18 HIGH + 32 MED + 23 LOW)
is worked through:

* CVE-2025-29927 — bump next 15.1.0 → 15.2.9; nginx strips
  X-Middleware-Subrequest at the edge as defense-in-depth.
* Cross-tenant role escalation — POST/PATCH/DELETE on /admin/roles now
  require super-admin (was: any holder of admin.manage_users).  Adds
  shared `requireSuperAdmin(ctx)` helper.
* Silent-403 traps — `documents.edit` and `files.edit` keys added to
  RolePermissions; seeded role values updated; migration 0041 backfills
  the new keys on every existing roles+port_role_overrides JSONB.  File
  routes remap the dead `create` action to `upload` / `manage_folders`.
* Berth-PDF / brochure register endpoints — reject body.storageKey
  unless it matches the namespace the matching presign endpoint issued
  (prevents repointing a tenant's PDF at foreign-port bytes).
* Portal auth rate limits — sign-in 5/15min/(ip,email),
  forgot-password 3/hr/IP, activate/reset/set-password 10/hr/IP.  Adds
  `enforcePublicRateLimit()` for non-`withAuth` routes.

Test status unchanged: 1168/1168 vitest, tsc clean.

Refs: docs/audit-comprehensive-2026-05-05.md (CRITICAL, HIGH §§1–4)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 18:33:13 +02:00

108 lines
4.5 KiB
TypeScript
Raw Blame History

import { redis } from '@/lib/redis';
export interface RateLimitConfig {
/** Duration of the sliding window in milliseconds. */
windowMs: number;
/** Maximum number of requests allowed per window. */
max: number;
/** Redis key prefix distinguishing different limit types. */
keyPrefix: string;
}
export interface RateLimitResult {
allowed: boolean;
limit: number;
remaining: number;
/** Unix timestamp (ms) at which the oldest entry in the window expires. */
resetAt: number;
}
/**
* Redis sliding-window rate limiter.
*
* Uses a sorted set per identifier where each member is a unique request
* timestamp. Old entries outside the window are pruned on each call.
*/
export async function checkRateLimit(
identifier: string,
config: RateLimitConfig,
): Promise<RateLimitResult> {
const key = `rl:${config.keyPrefix}:${identifier}`;
const now = Date.now();
const windowStart = now - config.windowMs;
const pipeline = redis.pipeline();
// Remove entries older than the window.
pipeline.zremrangebyscore(key, '-inf', windowStart);
// Record this request; score = timestamp, member adds randomness for uniqueness.
pipeline.zadd(key, now, `${now}:${Math.random().toString(36).slice(2)}`);
// Count entries currently in the window.
pipeline.zcard(key);
// Expire the key after one full window so Redis doesn't accumulate stale keys.
pipeline.pexpire(key, config.windowMs);
const results = await pipeline.exec();
const count = (results?.[2]?.[1] as number) ?? 0;
const remaining = Math.max(0, config.max - count);
return {
allowed: count <= config.max,
limit: config.max,
remaining,
resetAt: now + config.windowMs,
};
}
/**
* Returns standard rate-limit response headers from a RateLimitResult.
*/
export function rateLimitHeaders(result: RateLimitResult): Record<string, string> {
return {
'X-RateLimit-Limit': result.limit.toString(),
'X-RateLimit-Remaining': result.remaining.toString(),
'X-RateLimit-Reset': Math.ceil(result.resetAt / 1000).toString(),
};
}
/**
* Pre-configured rate limiters matching SECURITY-GUIDELINES.md §6.1.
*/
export const rateLimiters = {
/** Auth endpoints: 5 attempts per 15 minutes per identifier. */
auth: { windowMs: 15 * 60 * 1000, max: 5, keyPrefix: 'auth' },
/** Authenticated API: 120 requests per minute. */
api: { windowMs: 60 * 1000, max: 120, keyPrefix: 'api' },
/** File uploads: 10 per minute. */
upload: { windowMs: 60 * 1000, max: 10, keyPrefix: 'upload' },
/** Bulk operations: 5 per minute. */
bulk: { windowMs: 60 * 1000, max: 5, keyPrefix: 'bulk' },
/** Receipt scanner: 10 OCR runs per minute per user. */
ocr: { windowMs: 60 * 1000, max: 10, keyPrefix: 'ocr' },
/** Server-side AI calls (summary, embeddings, etc): 60 per minute per user. */
ai: { windowMs: 60 * 1000, max: 60, keyPrefix: 'ai' },
/** Data exports (GDPR bundle, PDF, CSV): 30 per hour per user. */
exports: { windowMs: 60 * 60 * 1000, max: 30, keyPrefix: 'export' },
/** Public unauthenticated form posts (interest, residential inquiry): 5 per hour per IP. */
publicForm: { windowMs: 60 * 60 * 1000, max: 5, keyPrefix: 'publicform' },
/** Server-to-server intake from the marketing website's dual-write helper.
* All traffic shares the website's egress IP, so the bucket has to
* accommodate every legitimate inquiry the site can produce in an hour
* without dropping data. The shared-secret header gates abuse; this
* limiter is just a defensive backstop in case the secret leaks. */
websiteIntake: { windowMs: 60 * 60 * 1000, max: 500, keyPrefix: 'websiteintake' },
/** Portal sign-in: 5 attempts per 15min per (ip,email) bucket. Defends
* against credential stuffing on /api/portal/auth/sign-in. */
portalSignIn: { windowMs: 15 * 60 * 1000, max: 5, keyPrefix: 'portal:signin' },
/** Portal forgot-password: 3/hour/IP. Tighter than sign-in because it
* triggers an outbound email and is the primary email-enumeration
* vector (timing differences between known/unknown). */
portalForgot: { windowMs: 60 * 60 * 1000, max: 3, keyPrefix: 'portal:forgot' },
/** Portal activate / reset / set-password: 10/hour/IP. Bounds brute-
* force against the 32-byte token (random walk math is in our favour
* but a tight ceiling keeps the search space practically infeasible). */
portalToken: { windowMs: 60 * 60 * 1000, max: 10, keyPrefix: 'portal:token' },
} as const satisfies Record<string, RateLimitConfig>;
export type RateLimiterName = keyof typeof rateLimiters;
Reference in New Issue View Git Blame Copy Permalink