npm - @openchamber/web - Versions diffs - 1.6.2 → 1.6.3 - Mend

@openchamber/web 1.6.2 → 1.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/assets/{ToolOutputDialog-C_ErvF_z.js → ToolOutputDialog-C-GmPj0l.js} +1 -1
package/dist/assets/{index-C2ViUvl2.js → index-76oYSL3c.js} +2 -2
package/dist/assets/{main-BivlNOB5.js → main-CY2cv9YC.js} +51 -51
package/dist/index.html +1 -1
package/package.json +1 -1
package/server/index.js +8 -2
package/server/lib/ui-auth.js +228 -3

package/dist/index.html CHANGED Viewed

@@ -223,7 +223,7 @@
         pointer-events: none;
       }
     </style>
-    <script type="module" crossorigin src="/assets/index-C2ViUvl2.js"></script>
+    <script type="module" crossorigin src="/assets/index-76oYSL3c.js"></script>
     <link rel="modulepreload" crossorigin href="/assets/vendor-.bun-BQ7mgOcE.js">
     <link rel="stylesheet" crossorigin href="/assets/vendor--Jn2c0Clh.css">
     <link rel="stylesheet" crossorigin href="/assets/index-ObfBKDTp.css">

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@openchamber/web",
-  "version": "1.6.2",
+  "version": "1.6.3",
   "private": false,
   "type": "module",
   "main": "./server/index.js",

package/server/index.js CHANGED Viewed

@@ -1959,13 +1959,19 @@ async function waitForReady(url, timeoutMs = 10000) {
     try {
       const controller = new AbortController();
       const timeout = setTimeout(() => controller.abort(), 3000);
-      const res = await fetch(`${url.replace(/\/+$/, '')}/config`, {
+      const res = await fetch(`${url.replace(/\/+$/, '')}/global/health`, {
         method: 'GET',
         headers: { Accept: 'application/json' },
         signal: controller.signal
       });
       clearTimeout(timeout);
-      if (res.ok) return true;
+      if (res.ok) {
+        const body = await res.json().catch(() => null);
+        if (body?.healthy === true) {
+          return true;
+        }
+      }
     } catch {
       // ignore
     }

package/server/lib/ui-auth.js CHANGED Viewed

@@ -4,6 +4,207 @@ const SESSION_COOKIE_NAME = 'oc_ui_session';
 const SESSION_TTL_MS = 12 * 60 * 60 * 1000;
 const CLEANUP_INTERVAL_MS = 10 * 60 * 1000;
+// Login rate limit configuration
+const RATE_LIMIT_WINDOW_MS = 5 * 60 * 1000;
+const RATE_LIMIT_MAX_ATTEMPTS = Number(process.env.OPENCHAMBER_RATE_LIMIT_MAX_ATTEMPTS) || 10;
+const RATE_LIMIT_LOCKOUT_MS = 15 * 60 * 1000;
+const RATE_LIMIT_CLEANUP_MS = 60 * 60 * 1000;
+const RATE_LIMIT_NO_IP_MAX_ATTEMPTS = Number(process.env.OPENCHAMBER_RATE_LIMIT_NO_IP_MAX_ATTEMPTS) || 3;
+// Rate limit tracker: IP -> { count, lastAttempt, lockedUntil }
+const loginRateLimiter = new Map();
+let rateLimitCleanupTimer = null;
+// Concurrency control: key -> Promise<void>
+const rateLimitLocks = new Map();
+const getClientIp = (req) => {
+  const forwarded = req.headers['x-forwarded-for'];
+  if (typeof forwarded === 'string') {
+    const ip = forwarded.split(',')[0].trim();
+    if (ip.startsWith('::ffff:')) {
+      return ip.substring(7);
+    }
+    return ip;
+  }
+  const ip = req.ip || req.connection?.remoteAddress;
+  if (ip) {
+    if (ip.startsWith('::ffff:')) {
+      return ip.substring(7);
+    }
+    return ip;
+  }
+  return null;
+};
+const getRateLimitKey = (req) => {
+  const ip = getClientIp(req);
+  if (ip) return ip;
+  return 'rate-limit:no-ip';
+};
+const getRateLimitConfig = (key) => {
+  if (key === 'rate-limit:no-ip') {
+    return {
+      maxAttempts: RATE_LIMIT_NO_IP_MAX_ATTEMPTS,
+      windowMs: RATE_LIMIT_WINDOW_MS
+    };
+  }
+  return {
+    maxAttempts: RATE_LIMIT_MAX_ATTEMPTS,
+    windowMs: RATE_LIMIT_WINDOW_MS
+  };
+};
+const acquireRateLimitLock = async (key) => {
+  const prev = rateLimitLocks.get(key) || Promise.resolve();
+  const curr = prev.then(() => rateLimitLocks.delete(key));
+  rateLimitLocks.set(key, curr);
+  await curr;
+};
+const checkRateLimit = async (req) => {
+  const key = getRateLimitKey(req);
+  await acquireRateLimitLock(key);
+  const now = Date.now();
+  const { maxAttempts } = getRateLimitConfig(key);
+  let record;
+  try {
+    record = loginRateLimiter.get(key);
+  } catch (err) {
+    console.error('[RateLimit] Failed to get record', { key, error: err.message });
+    return {
+      allowed: true,
+      limit: maxAttempts,
+      remaining: maxAttempts,
+      reset: Math.ceil((now + RATE_LIMIT_WINDOW_MS) / 1000)
+    };
+  }
+  if (record?.lockedUntil && now < record.lockedUntil) {
+    return {
+      allowed: false,
+      retryAfter: Math.ceil((record.lockedUntil - now) / 1000),
+      locked: true,
+      limit: maxAttempts,
+      remaining: 0,
+      reset: Math.ceil(record.lockedUntil / 1000)
+    };
+  }
+  if (record?.lockedUntil && now >= record.lockedUntil) {
+    try {
+      loginRateLimiter.delete(key);
+    } catch (err) {
+      console.error('[RateLimit] Failed to delete expired record', { key, error: err.message });
+    }
+  }
+  if (!record || now - record.lastAttempt > RATE_LIMIT_WINDOW_MS) {
+    return {
+      allowed: true,
+      limit: maxAttempts,
+      remaining: maxAttempts,
+      reset: Math.ceil((now + RATE_LIMIT_WINDOW_MS) / 1000)
+    };
+  }
+  if (record.count >= maxAttempts) {
+    const lockedUntil = now + RATE_LIMIT_LOCKOUT_MS;
+    try {
+      loginRateLimiter.set(key, { count: record.count + 1, lastAttempt: now, lockedUntil });
+    } catch (err) {
+      console.error('[RateLimit] Failed to set lockout', { key, error: err.message });
+    }
+    return {
+      allowed: false,
+      retryAfter: Math.ceil(RATE_LIMIT_LOCKOUT_MS / 1000),
+      locked: true,
+      limit: maxAttempts,
+      remaining: 0,
+      reset: Math.ceil(lockedUntil / 1000)
+    };
+  }
+  const remaining = maxAttempts - record.count;
+  const reset = Math.ceil((record.lastAttempt + RATE_LIMIT_WINDOW_MS) / 1000);
+  return {
+    allowed: true,
+    limit: maxAttempts,
+    remaining,
+    reset
+  };
+};
+const recordFailedAttempt = async (req) => {
+  const key = getRateLimitKey(req);
+  await acquireRateLimitLock(key);
+  const now = Date.now();
+  const { maxAttempts } = getRateLimitConfig(key);
+  const record = loginRateLimiter.get(key);
+  if (!record || now - record.lastAttempt > RATE_LIMIT_WINDOW_MS) {
+    try {
+      loginRateLimiter.set(key, { count: 1, lastAttempt: now });
+    } catch (err) {
+      console.error('[RateLimit] Failed to record attempt', { key, error: err.message });
+    }
+  } else {
+    const newCount = record.count + 1;
+    try {
+      loginRateLimiter.set(key, { count: newCount, lastAttempt: now });
+    } catch (err) {
+      console.error('[RateLimit] Failed to record attempt', { key, error: err.message });
+    }
+  }
+};
+const clearRateLimit = async (req) => {
+  const key = getRateLimitKey(req);
+  await acquireRateLimitLock(key);
+  try {
+    loginRateLimiter.delete(key);
+  } catch (err) {
+    console.error('[RateLimit] Failed to clear', { key, error: err.message });
+  }
+};
+const cleanupRateLimitRecords = () => {
+  const now = Date.now();
+  for (const [key, record] of loginRateLimiter.entries()) {
+    const isExpired = record.lockedUntil && now >= record.lockedUntil;
+    const isStale = now - record.lastAttempt > RATE_LIMIT_CLEANUP_MS;
+    if (isExpired || isStale) {
+      try {
+        loginRateLimiter.delete(key);
+      } catch (err) {
+        console.error('[RateLimit] Cleanup failed', { key, error: err.message });
+      }
+    }
+  }
+};
+const startRateLimitCleanup = () => {
+  if (!rateLimitCleanupTimer) {
+    rateLimitCleanupTimer = setInterval(cleanupRateLimitRecords, RATE_LIMIT_CLEANUP_MS);
+    if (rateLimitCleanupTimer && typeof rateLimitCleanupTimer.unref === 'function') {
+      rateLimitCleanupTimer.unref();
+    }
+  }
+};
+const stopRateLimitCleanup = () => {
+  if (rateLimitCleanupTimer) {
+    clearInterval(rateLimitCleanupTimer);
+    rateLimitCleanupTimer = null;
+  }
+};
 const isSecureRequest = (req) => {
   if (req.secure) {
     return true;
@@ -221,6 +422,7 @@ export const createUiAuth = ({
   };
   startCleanup();
+  startRateLimitCleanup();
   const respondUnauthorized = (req, res) => {
     res.status(401);
@@ -254,14 +456,32 @@ export const createUiAuth = ({
     res.status(401).json({ authenticated: false, locked: true });
   };
-  const handleSessionCreate = (req, res) => {
+  const handleSessionCreate = async (req, res) => {
+    const rateLimitResult = await checkRateLimit(req);
+    res.setHeader('X-RateLimit-Limit', rateLimitResult.limit);
+    res.setHeader('X-RateLimit-Remaining', rateLimitResult.remaining);
+    res.setHeader('X-RateLimit-Reset', rateLimitResult.reset);
+    if (!rateLimitResult.allowed) {
+      res.setHeader('Retry-After', rateLimitResult.retryAfter);
+      res.status(429).json({
+        error: 'Too many login attempts, please try again later',
+        retryAfter: rateLimitResult.retryAfter
+      });
+      return;
+    }
     const candidate = typeof req.body?.password === 'string' ? req.body.password : '';
     if (!verifyPassword(candidate)) {
+      await recordFailedAttempt(req);
       clearSessionCookie(req, res);
-      res.status(401).json({ error: 'Invalid password', locked: true });
+      res.status(401).json({ error: 'Invalid credentials' });
       return;
     }
+    await clearRateLimit(req);
     const previousToken = getTokenFromRequest(req);
     if (previousToken) {
       dropSession(previousToken);
@@ -272,11 +492,16 @@ export const createUiAuth = ({
   };
   const dispose = () => {
+    sessions.clear();
+    loginRateLimiter.clear();
     if (cleanupTimer) {
       clearInterval(cleanupTimer);
       cleanupTimer = null;
     }
-    sessions.clear();
+    if (rateLimitCleanupTimer) {
+      clearInterval(rateLimitCleanupTimer);
+      rateLimitCleanupTimer = null;
+    }
   };
   return {