feat: enhance authentication with rate limiting and improve admin view styling

Author: JulianFun123

packages/backend/package.json

@@ -5,7 +5,7 @@
   "type": "module",
   "main": "index.js",
   "scripts": {
-    "test": "echo \"Error: no test specified\" && exit 1",
+    "test": "node --import tsx --test src/**/*.test.ts",
     "start": "tsx src/index.ts",
     "dev": "tsx src/index.ts",
     "db:migrate": "tsx src/meta/migrate.ts",

packages/backend/src/auth/cors.test.ts

@@ -0,0 +1,66 @@
+import test from 'node:test'
+import assert from 'node:assert/strict'
+import type { AppConfig } from '../config/app-config.ts'
+import { createCorsOptions } from './cors.ts'
+
+function createConfig(overrides: Partial<AppConfig> = {}): AppConfig {
+  return {
+    port: 3000,
+    host: '127.0.0.1',
+    publicUrl: undefined,
+    corsAllowedOrigins: [],
+    serverName: 'Hosted Server',
+    mode: 'hosted',
+    requestBodyLimit: '10mb',
+    auth: {
+      enabled: true,
+      sessionTtlHours: 720,
+      apiKeyTtlDays: 365,
+      rateLimitWindowMs: 600000,
+      rateLimitMaxAttempts: 10,
+      oidcStateTtlMinutes: 15,
+    },
+    metaStore: {
+      driver: 'sqlite',
+      sqlitePath: '/tmp/starquery-auth-cors-test.sqlite',
+      mysql: {
+        host: '127.0.0.1',
+        port: 3306,
+        user: 'starquery',
+        password: 'starquery',
+        database: 'starquery',
+      },
+    },
+    ...overrides,
+  }
+}
+
+async function evaluateOrigin(config: AppConfig, origin?: string) {
+  const options = createCorsOptions(config)
+  if (typeof options.origin !== 'function') {
+    return options.origin
+  }
+
+  return await new Promise<boolean>((resolve, reject) => {
+    options.origin!(origin, (error, allowed) => {
+      if (error) {
+        reject(error)
+        return
+      }
+
+      resolve(Boolean(allowed))
+    })
+  })
+}
+
+test('hosted CORS allows the configured public origin', async () => {
+  const config = createConfig({ publicUrl: 'https://app.example.com/' })
+  assert.equal(await evaluateOrigin(config, 'https://app.example.com'), true)
+  assert.equal(await evaluateOrigin(config, 'https://evil.example.com'), false)
+})
+
+test('local mode keeps broad CORS for the desktop app flow', () => {
+  const config = createConfig({ mode: 'local' })
+  const options = createCorsOptions(config)
+  assert.equal(options.origin, true)
+})

packages/backend/src/auth/cors.ts

@@ -0,0 +1,37 @@
+import type { CorsOptions } from 'cors'
+import type { AppConfig } from '../config/app-config.ts'
+
+function normalizeOrigin(value: string) {
+  try {
+    return new URL(value).origin
+  } catch {
+    return null
+  }
+}
+
+export function createCorsOptions(config: AppConfig): CorsOptions {
+  if (config.mode === 'local') {
+    return {
+      origin: true,
+    }
+  }
+
+  const allowedOrigins = new Set(
+    [
+      ...config.corsAllowedOrigins.map((origin) => normalizeOrigin(origin)).filter((origin): origin is string => Boolean(origin)),
+      ...(config.publicUrl ? [normalizeOrigin(config.publicUrl)] : []),
+    ].filter((origin): origin is string => Boolean(origin)),
+  )
+
+  return {
+    origin(origin, callback) {
+      if (!origin) {
+        callback(null, true)
+        return
+      }
+
+      const normalizedOrigin = normalizeOrigin(origin)
+      callback(null, Boolean(normalizedOrigin && allowedOrigins.has(normalizedOrigin)))
+    },
+  }
+}

packages/backend/src/auth/middleware.test.ts

@@ -0,0 +1,107 @@
+import test from 'node:test'
+import assert from 'node:assert/strict'
+import type { AppContext } from '../app-context.ts'
+import type { AuthenticatedRequest } from './request.ts'
+import { authenticateRequest } from './middleware.ts'
+import { hashAuthToken } from './tokens.ts'
+
+function createContext(overrides: Partial<AppContext['config']> = {}, metaStoreOverrides: Partial<AppContext['metaStore']> = {}) {
+  return {
+    config: {
+      port: 3000,
+      host: '127.0.0.1',
+      publicUrl: undefined,
+      serverName: 'Hosted Server',
+      mode: 'hosted',
+      requestBodyLimit: '10mb',
+      auth: {
+        enabled: true,
+        sessionTtlHours: 720,
+        apiKeyTtlDays: 365,
+        rateLimitWindowMs: 600000,
+        rateLimitMaxAttempts: 10,
+        oidcStateTtlMinutes: 15,
+      },
+      metaStore: {
+        driver: 'sqlite',
+        sqlitePath: '/tmp/test.sqlite',
+        mysql: {
+          host: '127.0.0.1',
+          port: 3306,
+          user: 'starquery',
+          password: 'starquery',
+          database: 'starquery',
+        },
+      },
+      ...overrides,
+    },
+    metaStore: {
+      getAuthTokenByHash: async () => null,
+      deleteAuthToken: async () => undefined,
+      getUserWithRoles: async () => null,
+      updateAuthTokenLastUsed: async () => undefined,
+      countUsers: async () => 0,
+      ...metaStoreOverrides,
+    },
+  } as unknown as AppContext
+}
+
+function createRequest(token?: string) {
+  return {
+    headers: token ? { authorization: `Bearer ${token}` } : {},
+  } as AuthenticatedRequest
+}
+
+test('authenticateRequest grants full local access when auth is disabled', async () => {
+  const context = createContext({
+    mode: 'local',
+    auth: {
+      enabled: false,
+      sessionTtlHours: 720,
+      apiKeyTtlDays: 365,
+      rateLimitWindowMs: 600000,
+      rateLimitMaxAttempts: 10,
+      oidcStateTtlMinutes: 15,
+    },
+  })
+  const req = createRequest()
+
+  const auth = await authenticateRequest(context, req)
+
+  assert.equal(auth.kind, 'local')
+  assert.deepEqual(auth.permissions, ['*'])
+})
+
+test('authenticateRequest rejects expired tokens and deletes them', async () => {
+  const deletions: string[] = []
+  const rawToken = 'expired-token'
+  const context = createContext(
+    {},
+    {
+      getAuthTokenByHash: async (tokenHash: string) =>
+        tokenHash === hashAuthToken(rawToken)
+          ? {
+              id: 'token-1',
+              userId: 'user-1',
+              kind: 'session',
+              name: 'Expired',
+              tokenPrefix: 'expired',
+              tokenHash,
+              storage: 'local',
+              expiresAt: '2000-01-01T00:00:00.000Z',
+              lastUsedAt: null,
+              createdAt: '2000-01-01T00:00:00.000Z',
+            }
+          : null,
+      deleteAuthToken: async (tokenId: string) => {
+        deletions.push(tokenId)
+      },
+    },
+  )
+  const req = createRequest(rawToken)
+
+  const auth = await authenticateRequest(context, req)
+
+  assert.equal(auth.kind, 'anonymous')
+  assert.deepEqual(deletions, ['token-1'])
+})

packages/backend/src/auth/rate-limit.test.ts

@@ -0,0 +1,33 @@
+import test from 'node:test'
+import assert from 'node:assert/strict'
+import { clearRateLimit, consumeRateLimit, resetRateLimitState } from './rate-limit.ts'
+
+test.afterEach(() => {
+  resetRateLimitState()
+})
+
+test('rate limiter blocks requests after the configured maximum', () => {
+  const key = 'login:127.0.0.1:user@example.com'
+  const now = 1_000
+
+  const first = consumeRateLimit(key, 60_000, 2, now)
+  const second = consumeRateLimit(key, 60_000, 2, now + 1)
+  const third = consumeRateLimit(key, 60_000, 2, now + 2)
+
+  assert.equal(first.allowed, true)
+  assert.equal(second.allowed, true)
+  assert.equal(third.allowed, false)
+  assert.equal(third.remaining, 0)
+})
+
+test('clearing a rate limit bucket resets the counter', () => {
+  const key = 'login:127.0.0.1:user@example.com'
+  const now = 2_000
+
+  consumeRateLimit(key, 60_000, 1, now)
+  clearRateLimit(key)
+  const next = consumeRateLimit(key, 60_000, 1, now + 1)
+
+  assert.equal(next.allowed, true)
+  assert.equal(next.remaining, 0)
+})

packages/backend/src/auth/rate-limit.ts

@@ -0,0 +1,49 @@
+type RateLimitEntry = {
+  count: number
+  resetAt: number
+}
+
+const authRateLimitState = new Map<string, RateLimitEntry>()
+
+function cleanupExpiredEntries(now: number) {
+  for (const [key, entry] of authRateLimitState.entries()) {
+    if (entry.resetAt <= now) {
+      authRateLimitState.delete(key)
+    }
+  }
+}
+
+export function consumeRateLimit(key: string, windowMs: number, maxAttempts: number, now = Date.now()) {
+  cleanupExpiredEntries(now)
+
+  const existing = authRateLimitState.get(key)
+  if (!existing || existing.resetAt <= now) {
+    authRateLimitState.set(key, {
+      count: 1,
+      resetAt: now + windowMs,
+    })
+
+    return {
+      allowed: true,
+      remaining: Math.max(0, maxAttempts - 1),
+      resetAt: now + windowMs,
+    }
+  }
+
+  existing.count += 1
+  authRateLimitState.set(key, existing)
+
+  return {
+    allowed: existing.count <= maxAttempts,
+    remaining: Math.max(0, maxAttempts - existing.count),
+    resetAt: existing.resetAt,
+  }
+}
+
+export function clearRateLimit(key: string) {
+  authRateLimitState.delete(key)
+}
+
+export function resetRateLimitState() {
+  authRateLimitState.clear()
+}

packages/backend/src/auth/url.test.ts

@@ -0,0 +1,70 @@
+import test from 'node:test'
+import assert from 'node:assert/strict'
+import type { AppConfig } from '../config/app-config.ts'
+import { getAppBaseUrl, resolveSafeReturnTo } from './url.ts'
+import type { AuthenticatedRequest } from './request.ts'
+
+function createConfig(overrides: Partial<AppConfig> = {}): AppConfig {
+  return {
+    port: 3000,
+    host: '127.0.0.1',
+    publicUrl: undefined,
+    corsAllowedOrigins: [],
+    serverName: 'Hosted Server',
+    mode: 'hosted',
+    requestBodyLimit: '10mb',
+    auth: {
+      enabled: true,
+      sessionTtlHours: 720,
+      apiKeyTtlDays: 365,
+      rateLimitWindowMs: 600000,
+      rateLimitMaxAttempts: 10,
+      oidcStateTtlMinutes: 15,
+    },
+    metaStore: {
+      driver: 'sqlite',
+      sqlitePath: '/tmp/starquery-auth-url-test.sqlite',
+      mysql: {
+        host: '127.0.0.1',
+        port: 3306,
+        user: 'starquery',
+        password: 'starquery',
+        database: 'starquery',
+      },
+    },
+    ...overrides,
+  }
+}
+
+function createRequest(protocol = 'http', host = 'localhost:3000') {
+  return {
+    protocol,
+    get(header: string) {
+      return header.toLowerCase() === 'host' ? host : undefined
+    },
+  } as AuthenticatedRequest
+}
+
+test('getAppBaseUrl prefers configured publicUrl over request headers', () => {
+  const config = createConfig({ publicUrl: 'https://app.example.com/' })
+  const req = createRequest('http', 'evil.example.com')
+
+  assert.equal(getAppBaseUrl(config, req), 'https://app.example.com/')
+})
+
+test('resolveSafeReturnTo allows relative paths on the same origin', () => {
+  const config = createConfig({ publicUrl: 'https://app.example.com/' })
+  const req = createRequest()
+
+  assert.equal(resolveSafeReturnTo(config, req, '/workspaces/demo'), 'https://app.example.com/workspaces/demo')
+})
+
+test('resolveSafeReturnTo rejects external redirect targets', () => {
+  const config = createConfig({ publicUrl: 'https://app.example.com/' })
+  const req = createRequest()
+
+  assert.throws(
+    () => resolveSafeReturnTo(config, req, 'https://evil.example.com/steal'),
+    /same origin/u,
+  )
+})