@mars-stack/core 8.0.7 → 8.0.8
|
@@ -9,7 +9,7 @@ alwaysApply: true
|
|
|
9
9
|
- Every API route under `src/app/api/protected/` MUST use `withAuth`, `withAuthNoParams`, `withRole`, or `withOwnership` from `@/lib/mars`.
|
|
10
10
|
- Admin-only routes MUST use `withRole(['admin'], ...)` which verifies the role against the database on every request. Never trust the JWT role claim alone.
|
|
11
11
|
- Ownership-gated routes MUST use `withOwnership`. Never accept a `userId` parameter from the client for authorization.
|
|
12
|
-
- Public auth endpoints (`login`, `signup`, `forgot`, `reset`, `verify`) MUST call `checkRateLimit` with the appropriate `RATE_LIMITS` config from `@mars-stack/core/rate-limit`.
|
|
12
|
+
- Public auth endpoints (`login`, `signup`, `forgot`, `reset`, `verify`, `me`, `logout`) MUST call `checkRateLimit` with the appropriate `RATE_LIMITS` config from `@mars-stack/core/rate-limit`.
|
|
13
13
|
|
|
14
14
|
## Secrets
|
|
15
15
|
|
|
@@ -79,6 +79,20 @@ export declare const RATE_LIMITS: {
|
|
|
79
79
|
readonly identifier: "email-verification";
|
|
80
80
|
readonly sliding: true;
|
|
81
81
|
};
|
|
82
|
+
/** Session introspection — unauthenticated callers can probe; cap per IP. */
|
|
83
|
+
readonly sessionMe: {
|
|
84
|
+
readonly limit: 60;
|
|
85
|
+
readonly windowSeconds: 60;
|
|
86
|
+
readonly identifier: "auth-session-me";
|
|
87
|
+
readonly sliding: true;
|
|
88
|
+
};
|
|
89
|
+
/** Logout revokes sessions — rate limit to reduce abuse / DoS. */
|
|
90
|
+
readonly logout: {
|
|
91
|
+
readonly limit: 20;
|
|
92
|
+
readonly windowSeconds: 60;
|
|
93
|
+
readonly identifier: "auth-logout";
|
|
94
|
+
readonly sliding: true;
|
|
95
|
+
};
|
|
82
96
|
readonly api: {
|
|
83
97
|
readonly limit: 60;
|
|
84
98
|
readonly windowSeconds: 60;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/rate-limit/index.ts"],"names":[],"mappings":"AAAA,OAAO,aAAa,CAAC;AAErB,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAkC3C,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,kFAAkF;IAClF,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,UAAU,eAAe;IACvB,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;CACjB;AAqED;;;;;;;;;;GAUG;AACH,wBAAsB,cAAc,CAClC,EAAE,EAAE,MAAM,EACV,MAAM,EAAE,eAAe,GACtB,OAAO,CAAC,eAAe,CAAC,CAuC1B;AAED,MAAM,WAAW,kBAAkB;IACjC,oFAAoF;IACpF,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;;;;;;;;GASG;AACH,wBAAgB,WAAW,CACzB,OAAO,EAAE,OAAO,EAChB,OAAO,GAAE,kBAAuB,GAC/B,MAAM,CAYR;AAED;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,YAAY,CAa/D;AAED,eAAO,MAAM,WAAW
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/rate-limit/index.ts"],"names":[],"mappings":"AAAA,OAAO,aAAa,CAAC;AAErB,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAkC3C,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,kFAAkF;IAClF,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,UAAU,eAAe;IACvB,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;CACjB;AAqED;;;;;;;;;;GAUG;AACH,wBAAsB,cAAc,CAClC,EAAE,EAAE,MAAM,EACV,MAAM,EAAE,eAAe,GACtB,OAAO,CAAC,eAAe,CAAC,CAuC1B;AAED,MAAM,WAAW,kBAAkB;IACjC,oFAAoF;IACpF,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;;;;;;;;GASG;AACH,wBAAgB,WAAW,CACzB,OAAO,EAAE,OAAO,EAChB,OAAO,GAAE,kBAAuB,GAC/B,MAAM,CAYR;AAED;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,YAAY,CAa/D;AAED,eAAO,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAqBtB,6EAA6E;;;;;;;IAO7E,kEAAkE;;;;;;;;;;;;CAQ1D,CAAC"}
|
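--- a/package/dist/rate-limit/index.js
+++ b/package/dist/rate-limit/index.js
@@ -160,6 +160,20 @@ var RATE_LIMITS = {
 identifier: "email-verification",
 sliding: true
 },
+/** Session introspection — unauthenticated callers can probe; cap per IP. */
+sessionMe: {
+limit: 60,
+windowSeconds: 60,
+identifier: "auth-session-me",
+sliding: true
+},
+/** Logout revokes sessions — rate limit to reduce abuse / DoS. */
+logout: {
+limit: 20,
+windowSeconds: 60,
+identifier: "auth-logout",
+sliding: true
+},
 api: { limit: 60, windowSeconds: 60, identifier: "api" }
 };
 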
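Review bot: The new `logout` entry (`limit: 20`, `windowSeconds: 60`) and its comment say the goal is to reduce abuse, but nothing in this config or the hunk states what `checkRateLimit` is keyed on; if the route keys on client IP as the neighbouring `sessionMe` comment ("cap per IP") suggests, 20 logouts per minute shared by every user behind one NAT or proxy can stop a legitimate user from revoking a compromised session, which inverts the stated purpose. Consider keying logout by the session or user being revoked and saying so in the comment, e.g. `/** Logout revokes sessions — key by session/user, not client IP, so a shared address cannot block revocation. */`. The `sessionMe` cap of 60 per 60s also equals the generic `api` entry below it, so if the intent is a tighter bound on unauthenticated probing the number should be lower, or the comment should say the entry only separates the bucket from `api`. The identical declaration in the `index.d.ts` hunk above carries the same two comments, and since `dist/` is build output the wording belongs in `src/rate-limit/index.ts` (the sourcemap's `sources` entry) so both generated files pick it up.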