npm - @xtr-dev/rondevu-server - Versions diffs - 0.5.0 → 0.5.6 - Mend

@xtr-dev/rondevu-server 0.5.0 → 0.5.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

package/.github/workflows/claude-code-review.yml +57 -0
package/.github/workflows/claude.yml +50 -0
package/.idea/modules.xml +8 -0
package/.idea/rondevu-server.iml +8 -0
package/.idea/workspace.xml +17 -0
package/README.md +80 -199
package/build.js +4 -1
package/dist/index.js +2755 -1448
package/dist/index.js.map +4 -4
package/migrations/fresh_schema.sql +36 -41
package/package.json +10 -4
package/src/app.ts +38 -18
package/src/config.ts +155 -9
package/src/crypto.ts +362 -265
package/src/index.ts +20 -25
package/src/rpc.ts +658 -405
package/src/storage/d1.ts +312 -263
package/src/storage/factory.ts +69 -0
package/src/storage/hash-id.ts +13 -9
package/src/storage/memory.ts +559 -0
package/src/storage/mysql.ts +588 -0
package/src/storage/postgres.ts +595 -0
package/src/storage/schemas/mysql.sql +59 -0
package/src/storage/schemas/postgres.sql +64 -0
package/src/storage/sqlite.ts +303 -269
package/src/storage/types.ts +113 -113
package/src/worker.ts +15 -34
package/tests/integration/api.test.ts +395 -0
package/tests/integration/setup.ts +170 -0
package/wrangler.toml +25 -26
package/ADVANCED.md +0 -502

package/src/rpc.ts CHANGED Viewed

@@ -2,28 +2,130 @@ import { Context } from 'hono';
 import { Storage } from './storage/types.ts';
 import { Config } from './config.ts';
 import {
-  validateUsernameClaim,
-  validateServicePublish,
-  validateServiceFqn,
-  parseServiceFqn,
-  isVersionCompatible,
-  verifyEd25519Signature,
-  validateAuthMessage,
+  validateTags,
   validateUsername,
+  verifySignature,
+  buildSignatureMessage,
 } from './crypto.ts';
-// Constants
+// Constants (non-configurable)
 const MAX_PAGE_SIZE = 100;
+// NOTE: MAX_SDP_SIZE, MAX_CANDIDATE_SIZE, MAX_CANDIDATE_DEPTH, and MAX_CANDIDATES_PER_REQUEST
+// are now configurable via environment variables (see config.ts)
+// ===== Rate Limiting =====
+// Rate limiting for credential generation (per IP)
+// NOTE: Uses fixed-window rate limiting with full window reset on expiry
+//   - Window starts on first request and expires after CREDENTIAL_RATE_WINDOW
+//   - When window expires, counter resets to 0 and new window starts
+//   - This is simpler than sliding windows but may allow bursts at window boundaries
+const CREDENTIAL_RATE_LIMIT = 1; // Max credentials per second per IP
+const CREDENTIAL_RATE_WINDOW = 1000; // 1 second in milliseconds
+/**
+ * Check JSON object depth to prevent stack overflow from deeply nested objects
+ * CRITICAL: Checks depth BEFORE recursing to prevent stack overflow
+ * @param obj Object to check
+ * @param maxDepth Maximum allowed depth
+ * @param currentDepth Current recursion depth
+ * @returns Actual depth of the object (returns maxDepth + 1 if exceeded)
+ */
+function getJsonDepth(obj: any, maxDepth: number, currentDepth = 0): number {
+  // Check for primitives/null first
+  if (obj === null || typeof obj !== 'object') {
+    return currentDepth;
+  }
+  // CRITICAL: Check depth BEFORE recursing to prevent stack overflow
+  // If we're already at max depth, don't recurse further
+  if (currentDepth >= maxDepth) {
+    return currentDepth + 1; // Indicate exceeded
+  }
+  let maxChildDepth = currentDepth;
+  for (const key in obj) {
+    if (Object.prototype.hasOwnProperty.call(obj, key)) {
+      const childDepth = getJsonDepth(obj[key], maxDepth, currentDepth + 1);
+      maxChildDepth = Math.max(maxChildDepth, childDepth);
+      // Early exit if exceeded
+      if (maxChildDepth > maxDepth) {
+        return maxChildDepth;
+      }
+    }
+  }
+  return maxChildDepth;
+}
+/**
+ * Validate parameter is a non-empty string
+ * Prevents type coercion issues and injection attacks
+ */
+function validateStringParam(value: any, paramName: string): void {
+  if (typeof value !== 'string' || value.length === 0) {
+    throw new RpcError(ErrorCodes.INVALID_PARAMS, `${paramName} must be a non-empty string`);
+  }
+}
+/**
+ * Standard error codes for RPC responses
+ */
+export const ErrorCodes = {
+  // Authentication errors
+  AUTH_REQUIRED: 'AUTH_REQUIRED',
+  INVALID_CREDENTIALS: 'INVALID_CREDENTIALS',
+  // Validation errors
+  INVALID_NAME: 'INVALID_NAME',
+  INVALID_TAG: 'INVALID_TAG',
+  INVALID_SDP: 'INVALID_SDP',
+  INVALID_PARAMS: 'INVALID_PARAMS',
+  MISSING_PARAMS: 'MISSING_PARAMS',
+  // Resource errors
+  OFFER_NOT_FOUND: 'OFFER_NOT_FOUND',
+  OFFER_ALREADY_ANSWERED: 'OFFER_ALREADY_ANSWERED',
+  OFFER_NOT_ANSWERED: 'OFFER_NOT_ANSWERED',
+  NO_AVAILABLE_OFFERS: 'NO_AVAILABLE_OFFERS',
+  // Authorization errors
+  NOT_AUTHORIZED: 'NOT_AUTHORIZED',
+  OWNERSHIP_MISMATCH: 'OWNERSHIP_MISMATCH',
+  // Limit errors
+  TOO_MANY_OFFERS: 'TOO_MANY_OFFERS',
+  SDP_TOO_LARGE: 'SDP_TOO_LARGE',
+  BATCH_TOO_LARGE: 'BATCH_TOO_LARGE',
+  RATE_LIMIT_EXCEEDED: 'RATE_LIMIT_EXCEEDED',
+  // Generic errors
+  INTERNAL_ERROR: 'INTERNAL_ERROR',
+  UNKNOWN_METHOD: 'UNKNOWN_METHOD',
+} as const;
+/**
+ * Custom error class with error code support
+ */
+export class RpcError extends Error {
+  constructor(
+    public errorCode: string,
+    message: string
+  ) {
+    super(message);
+    this.name = 'RpcError';
+  }
+}
 /**
- * RPC request format
+ * RPC request format (body only - auth in headers)
  */
 export interface RpcRequest {
   method: string;
-  message: string;
-  signature: string;
-  publicKey?: string; // Optional: for auto-claiming usernames
   params?: any;
+  clientIp?: string;
 }
 /**
@@ -33,96 +135,134 @@ export interface RpcResponse {
   success: boolean;
   result?: any;
   error?: string;
+  errorCode?: string;
+}
+/**
+ * RPC Method Parameter Interfaces
+ */
+export interface GenerateCredentialsParams {
+  name?: string;       // Optional: claim specific username (4-32 chars, alphanumeric + dashes + periods)
+  expiresAt?: number;
+}
+export interface DiscoverParams {
+  tags: string[];
+  limit?: number;
+  offset?: number;
+}
+export interface PublishOfferParams {
+  tags: string[];
+  offers: Array<{ sdp: string }>;
+  ttl?: number;
+}
+export interface DeleteOfferParams {
+  offerId: string;
+}
+export interface AnswerOfferParams {
+  offerId: string;
+  sdp: string;
+}
+export interface GetOfferAnswerParams {
+  offerId: string;
+}
+export interface PollParams {
+  since?: number;
+}
+export interface AddIceCandidatesParams {
+  offerId: string;
+  candidates: any[];
+}
+export interface GetIceCandidatesParams {
+  offerId: string;
+  since?: number;
 }
 /**
  * RPC method handler
+ * Generic type parameter allows individual handlers to specify their param types
  */
-type RpcHandler = (
-  params: any,
-  message: string,
+type RpcHandler<TParams = any> = (
+  params: TParams,
+  name: string,
+  timestamp: number,
   signature: string,
-  publicKey: string | undefined,
   storage: Storage,
-  config: Config
+  config: Config,
+  request: RpcRequest
 ) => Promise<any>;
 /**
- * Verify authentication for a method call
- * Automatically claims username if it doesn't exist
+ * Validate timestamp for replay attack prevention
+ * Throws RpcError if timestamp is invalid
  */
-async function verifyAuth(
-  username: string,
-  message: string,
-  signature: string,
-  publicKey: string | undefined,
-  storage: Storage
-): Promise<{ valid: boolean; error?: string }> {
-  // Get username record to fetch public key
-  let usernameRecord = await storage.getUsername(username);
-  // Auto-claim username if it doesn't exist
-  if (!usernameRecord) {
-    if (!publicKey) {
-      return {
-        valid: false,
-        error: `Username "${username}" is not claimed and no public key provided for auto-claim.`,
-      };
-    }
-    // Validate username format before claiming
-    const usernameValidation = validateUsername(username);
-    if (!usernameValidation.valid) {
-      return usernameValidation;
-    }
+function validateTimestamp(timestamp: number, config: Config): void {
+  const now = Date.now();
-    // Verify signature against the current message (not a claim message)
-    const signatureValid = await verifyEd25519Signature(publicKey, signature, message);
-    if (!signatureValid) {
-      return { valid: false, error: 'Invalid signature for auto-claim' };
-    }
+  // Check if timestamp is too old (replay attack)
+  if (now - timestamp > config.timestampMaxAge) {
+    throw new RpcError(ErrorCodes.INVALID_PARAMS, 'Timestamp too old');
+  }
-    // Auto-claim the username
-    const expiresAt = Date.now() + 365 * 24 * 60 * 60 * 1000; // 365 days
-    await storage.claimUsername({
-      username,
-      publicKey,
-      expiresAt,
-    });
+  // Check if timestamp is too far in future (clock skew)
+  if (timestamp - now > config.timestampMaxFuture) {
+    throw new RpcError(ErrorCodes.INVALID_PARAMS, 'Timestamp too far in future');
+  }
+}
-    usernameRecord = await storage.getUsername(username);
-    if (!usernameRecord) {
-      return { valid: false, error: 'Failed to claim username' };
-    }
+/**
+ * Verify request signature for authentication
+ * Throws RpcError on authentication failure
+ */
+async function verifyRequestSignature(
+  name: string,
+  timestamp: number,
+  nonce: string,
+  signature: string,
+  method: string,
+  params: any,
+  storage: Storage,
+  config: Config
+): Promise<void> {
+  // Validate timestamp first
+  validateTimestamp(timestamp, config);
+  // Get credential to retrieve secret
+  const credential = await storage.getCredential(name);
+  if (!credential) {
+    throw new RpcError(ErrorCodes.INVALID_CREDENTIALS, 'Invalid credentials');
   }
-  // Verify Ed25519 signature
-  const isValid = await verifyEd25519Signature(
-    usernameRecord.publicKey,
-    signature,
-    message
-  );
+  // Build message and verify signature (includes nonce to prevent signature reuse)
+  const message = buildSignatureMessage(timestamp, nonce, method, params);
+  const isValid = await verifySignature(credential.secret, message, signature);
   if (!isValid) {
-    return { valid: false, error: 'Invalid signature' };
+    throw new RpcError(ErrorCodes.INVALID_CREDENTIALS, 'Invalid signature');
   }
-  // Validate message format and timestamp
-  const validation = validateAuthMessage(username, message);
-  if (!validation.valid) {
-    return { valid: false, error: validation.error };
-  }
+  // Check nonce uniqueness AFTER successful signature verification
+  // This prevents DoS where invalid signatures burn nonces
+  // Only valid authenticated requests can mark nonces as used
+  const nonceKey = `nonce:${name}:${nonce}`;
+  const nonceExpiresAt = timestamp + config.timestampMaxAge;
+  const nonceIsNew = await storage.checkAndMarkNonce(nonceKey, nonceExpiresAt);
-  return { valid: true };
-}
+  if (!nonceIsNew) {
+    throw new RpcError(ErrorCodes.INVALID_CREDENTIALS, 'Nonce already used (replay attack detected)');
+  }
-/**
- * Extract username from message
- */
-function extractUsername(message: string): string | null {
-  // Message format: method:username:...
-  const parts = message.split(':');
-  if (parts.length < 2) return null;
-  return parts[1];
+  // Update last used timestamp
+  const now = Date.now();
+  const credentialExpiresAt = now + (365 * 24 * 60 * 60 * 1000); // 1 year
+  await storage.updateCredentialUsage(name, now, credentialExpiresAt);
 }
 /**
@@ -131,191 +271,184 @@ function extractUsername(message: string): string | null {
 const handlers: Record<string, RpcHandler> = {
   /**
-   * Check if username is available
+   * Generate new credentials (name + secret pair)
+   * No authentication required - this is how users get started
+   * SECURITY: Rate limited per IP to prevent abuse (database-backed for multi-instance support)
    */
-  async getUser(params, message, signature, publicKey, storage, config) {
-    const { username } = params;
-    const claimed = await storage.getUsername(username);
+  async generateCredentials(params: GenerateCredentialsParams, name, timestamp, signature, storage, config, request: RpcRequest & { clientIp?: string }) {
+    // Rate limiting check (IP-based, stored in database)
+    // SECURITY: Use stricter global rate limit for requests without identifiable IP
+    let rateLimitKey: string;
+    let rateLimit: number;
+    if (!request.clientIp) {
+      // Warn about missing IP (suggests proxy misconfiguration)
+      console.warn('⚠️  WARNING: Unable to determine client IP for credential generation. Using global rate limit.');
+      // Use global rate limit with much stricter limit (prevents DoS while allowing basic function)
+      rateLimitKey = 'cred_gen:global_unknown';
+      rateLimit = 2; // Only 2 credentials per hour globally for all unknown IPs combined
+    } else {
+      rateLimitKey = `cred_gen:${request.clientIp}`;
+      rateLimit = CREDENTIAL_RATE_LIMIT; // 10 per hour per IP
+    }
+    const allowed = await storage.checkRateLimit(
+      rateLimitKey,
+      rateLimit,
+      CREDENTIAL_RATE_WINDOW
+    );
-    if (!claimed) {
-      return {
-        username,
-        available: true,
-      };
+    if (!allowed) {
+      throw new RpcError(
+        ErrorCodes.RATE_LIMIT_EXCEEDED,
+        `Rate limit exceeded. Maximum ${rateLimit} credential per second${request.clientIp ? ' per IP' : ' (global limit for unidentified IPs)'}.`
+      );
     }
-    return {
-      username: claimed.username,
-      available: false,
-      claimedAt: claimed.claimedAt,
-      expiresAt: claimed.expiresAt,
-      publicKey: claimed.publicKey,
-    };
-  },
-  /**
-   * Get service by FQN - Supports 3 modes:
-   * 1. Direct lookup: FQN includes @username
-   * 2. Paginated discovery: FQN without @username, with limit/offset
-   * 3. Random discovery: FQN without @username, no limit
-   */
-  async getService(params, message, signature, publicKey, storage, config) {
-    const { serviceFqn, limit, offset } = params;
-    const username = extractUsername(message);
-    // Verify authentication
-    if (username) {
-      const auth = await verifyAuth(username, message, signature, publicKey, storage);
-      if (!auth.valid) {
-        throw new Error(auth.error);
+    // Validate username if provided
+    if (params.name !== undefined) {
+      if (typeof params.name !== 'string') {
+        throw new RpcError(ErrorCodes.INVALID_PARAMS, 'name must be a string');
+      }
+      const usernameValidation = validateUsername(params.name);
+      if (!usernameValidation.valid) {
+        throw new RpcError(ErrorCodes.INVALID_PARAMS, usernameValidation.error || 'Invalid username');
       }
     }
-    // Parse and validate FQN
-    const fqnValidation = validateServiceFqn(serviceFqn);
-    if (!fqnValidation.valid) {
-      throw new Error(fqnValidation.error || 'Invalid service FQN');
-    }
-    const parsed = parseServiceFqn(serviceFqn);
-    if (!parsed) {
-      throw new Error('Failed to parse service FQN');
+    // Validate expiresAt if provided
+    if (params.expiresAt !== undefined) {
+      if (typeof params.expiresAt !== 'number' || isNaN(params.expiresAt) || !Number.isFinite(params.expiresAt)) {
+        throw new RpcError(ErrorCodes.INVALID_PARAMS, 'expiresAt must be a valid timestamp');
+      }
+      // Prevent setting expiry in the past (with 1 minute tolerance for clock skew)
+      const now = Date.now();
+      if (params.expiresAt < now - 60000) {
+        throw new RpcError(ErrorCodes.INVALID_PARAMS, 'expiresAt cannot be in the past');
+      }
+      // Prevent unreasonably far future expiry (max 10 years)
+      const maxFuture = now + (10 * 365 * 24 * 60 * 60 * 1000);
+      if (params.expiresAt > maxFuture) {
+        throw new RpcError(ErrorCodes.INVALID_PARAMS, 'expiresAt cannot be more than 10 years in the future');
+      }
     }
-    // Helper: Filter services by version compatibility
-    const filterCompatibleServices = (services) => {
-      return services.filter((s) => {
-        const serviceVersion = parseServiceFqn(s.serviceFqn);
-        return (
-          serviceVersion &&
-          isVersionCompatible(parsed.version, serviceVersion.version)
-        );
+    try {
+      const credential = await storage.generateCredentials({
+        name: params.name,
+        expiresAt: params.expiresAt,
       });
-    };
-    // Helper: Find available offer for service
-    const findAvailableOffer = async (service) => {
-      const offers = await storage.getOffersForService(service.id);
-      return offers.find((o) => !o.answererUsername);
-    };
+      return {
+        name: credential.name,
+        secret: credential.secret,
+        createdAt: credential.createdAt,
+        expiresAt: credential.expiresAt,
+      };
+    } catch (error: any) {
+      if (error.message === 'Username already taken') {
+        throw new RpcError(ErrorCodes.INVALID_PARAMS, 'Username already taken');
+      }
+      throw error;
+    }
+  },
-    // Helper: Build service response object
-    const buildServiceResponse = (service, offer) => ({
-      serviceId: service.id,
-      username: service.username,
-      serviceFqn: service.serviceFqn,
-      offerId: offer.id,
-      sdp: offer.sdp,
-      createdAt: service.createdAt,
-      expiresAt: service.expiresAt,
-    });
+  /**
+   * Discover offers by tags - Supports 2 modes:
+   * 1. Paginated discovery: tags array with limit/offset
+   * 2. Random discovery: tags array without limit (returns single random offer)
+   */
+  async discover(params: DiscoverParams, name, timestamp, signature, storage, config, request: RpcRequest) {
+    const { tags, limit, offset } = params;
+    // Validate tags
+    const tagsValidation = validateTags(tags);
+    if (!tagsValidation.valid) {
+      throw new RpcError(ErrorCodes.INVALID_TAG, tagsValidation.error || 'Invalid tags');
+    }
     // Mode 1: Paginated discovery
     if (limit !== undefined) {
+      // Validate numeric parameters
+      if (typeof limit !== 'number' || !Number.isInteger(limit) || limit < 0) {
+        throw new RpcError(ErrorCodes.INVALID_PARAMS, 'limit must be a non-negative integer');
+      }
+      if (offset !== undefined && (typeof offset !== 'number' || !Number.isInteger(offset) || offset < 0)) {
+        throw new RpcError(ErrorCodes.INVALID_PARAMS, 'offset must be a non-negative integer');
+      }
       const pageLimit = Math.min(Math.max(1, limit), MAX_PAGE_SIZE);
       const pageOffset = Math.max(0, offset || 0);
-      const allServices = await storage.getServicesByName(parsed.service, parsed.version);
-      const compatibleServices = filterCompatibleServices(allServices);
-      // Get unique services per username with available offers
-      const usernameSet = new Set<string>();
-      const uniqueServices: any[] = [];
-      for (const service of compatibleServices) {
-        if (!usernameSet.has(service.username)) {
-          usernameSet.add(service.username);
-          const availableOffer = await findAvailableOffer(service);
-          if (availableOffer) {
-            uniqueServices.push(buildServiceResponse(service, availableOffer));
-          }
-        }
-      }
+      // Exclude self if authenticated
+      const excludeUsername = name || null;
-      // Paginate results
-      const paginatedServices = uniqueServices.slice(pageOffset, pageOffset + pageLimit);
+      const offers = await storage.discoverOffers(
+        tags,
+        excludeUsername,
+        pageLimit,
+        pageOffset
+      );
       return {
-        services: paginatedServices,
-        count: paginatedServices.length,
+        offers: offers.map(offer => ({
+          offerId: offer.id,
+          username: offer.username,
+          tags: offer.tags,
+          sdp: offer.sdp,
+          createdAt: offer.createdAt,
+          expiresAt: offer.expiresAt,
+        })),
+        count: offers.length,
         limit: pageLimit,
         offset: pageOffset,
       };
     }
-    // Mode 2: Direct lookup with username
-    if (parsed.username) {
-      const service = await storage.getServiceByFqn(serviceFqn);
-      if (!service) {
-        throw new Error('Service not found');
-      }
-      const availableOffer = await findAvailableOffer(service);
-      if (!availableOffer) {
-        throw new Error('Service has no available offers');
-      }
+    // Mode 2: Random discovery (no limit provided)
+    // Exclude self if authenticated
+    const excludeUsername = name || null;
-      return buildServiceResponse(service, availableOffer);
-    }
+    const offer = await storage.getRandomOffer(tags, excludeUsername);
-    // Mode 3: Random discovery without username
-    const allServices = await storage.getServicesByName(parsed.service, parsed.version);
-    const compatibleServices = filterCompatibleServices(allServices);
-    if (compatibleServices.length === 0) {
-      throw new Error('No services found');
-    }
-    const randomService = compatibleServices[Math.floor(Math.random() * compatibleServices.length)];
-    const availableOffer = await findAvailableOffer(randomService);
-    if (!availableOffer) {
-      throw new Error('Service has no available offers');
+    if (!offer) {
+      throw new RpcError(ErrorCodes.OFFER_NOT_FOUND, 'No offers found matching tags');
     }
-    return buildServiceResponse(randomService, availableOffer);
+    return {
+      offerId: offer.id,
+      username: offer.username,
+      tags: offer.tags,
+      sdp: offer.sdp,
+      createdAt: offer.createdAt,
+      expiresAt: offer.expiresAt,
+    };
   },
   /**
-   * Publish a service
+   * Publish offers with tags
    */
-  async publishService(params, message, signature, publicKey, storage, config) {
-    const { serviceFqn, offers, ttl } = params;
-    const username = extractUsername(message);
-    if (!username) {
-      throw new Error('Username required for service publishing');
-    }
-    // Verify authentication
-    const auth = await verifyAuth(username, message, signature, publicKey, storage);
-    if (!auth.valid) {
-      throw new Error(auth.error);
-    }
-    // Validate service FQN
-    const fqnValidation = validateServiceFqn(serviceFqn);
-    if (!fqnValidation.valid) {
-      throw new Error(fqnValidation.error || 'Invalid service FQN');
-    }
+  async publishOffer(params: PublishOfferParams, name, timestamp, signature, storage, config, request: RpcRequest) {
+    const { tags, offers, ttl } = params;
-    const parsed = parseServiceFqn(serviceFqn);
-    if (!parsed || !parsed.username) {
-      throw new Error('Service FQN must include username');
+    if (!name) {
+      throw new RpcError(ErrorCodes.AUTH_REQUIRED, 'Name required for offer publishing');
     }
-    if (parsed.username !== username) {
-      throw new Error('Service FQN username must match authenticated username');
+    // Validate tags
+    const tagsValidation = validateTags(tags);
+    if (!tagsValidation.valid) {
+      throw new RpcError(ErrorCodes.INVALID_TAG, tagsValidation.error || 'Invalid tags');
     }
     // Validate offers
     if (!offers || !Array.isArray(offers) || offers.length === 0) {
-      throw new Error('Must provide at least one offer');
+      throw new RpcError(ErrorCodes.MISSING_PARAMS, 'Must provide at least one offer');
     }
     if (offers.length > config.maxOffersPerRequest) {
-      throw new Error(
+      throw new RpcError(
+        ErrorCodes.TOO_MANY_OFFERS,
         `Too many offers (max ${config.maxOffersPerRequest})`
       );
     }
@@ -323,17 +456,27 @@ const handlers: Record<string, RpcHandler> = {
     // Validate each offer has valid SDP
     offers.forEach((offer, index) => {
       if (!offer || typeof offer !== 'object') {
-        throw new Error(`Invalid offer at index ${index}: must be an object`);
+        throw new RpcError(ErrorCodes.INVALID_PARAMS, `Invalid offer at index ${index}: must be an object`);
       }
       if (!offer.sdp || typeof offer.sdp !== 'string') {
-        throw new Error(`Invalid offer at index ${index}: missing or invalid SDP`);
+        throw new RpcError(ErrorCodes.INVALID_SDP, `Invalid offer at index ${index}: missing or invalid SDP`);
       }
       if (!offer.sdp.trim()) {
-        throw new Error(`Invalid offer at index ${index}: SDP cannot be empty`);
+        throw new RpcError(ErrorCodes.INVALID_SDP, `Invalid offer at index ${index}: SDP cannot be empty`);
+      }
+      if (offer.sdp.length > config.maxSdpSize) {
+        throw new RpcError(ErrorCodes.SDP_TOO_LARGE, `SDP too large at index ${index} (max ${config.maxSdpSize} bytes)`);
       }
     });
-    // Create service with offers
+    // Validate TTL if provided
+    if (ttl !== undefined) {
+      if (typeof ttl !== 'number' || isNaN(ttl) || ttl < 0) {
+        throw new RpcError(ErrorCodes.INVALID_PARAMS, 'TTL must be a non-negative number');
+      }
+    }
+    // Create offers with tags
     const now = Date.now();
     const offerTtl =
       ttl !== undefined
@@ -344,65 +487,45 @@ const handlers: Record<string, RpcHandler> = {
         : config.offerDefaultTtl;
     const expiresAt = now + offerTtl;
-    // Prepare offer requests with TTL
+    // Prepare offer requests with tags
     const offerRequests = offers.map(offer => ({
-      username,
-      serviceFqn,
+      username: name,
+      tags,
       sdp: offer.sdp,
       expiresAt,
     }));
-    const result = await storage.createService({
-      serviceFqn,
-      expiresAt,
-      offers: offerRequests,
-    });
+    const createdOffers = await storage.createOffers(offerRequests);
     return {
-      serviceId: result.service.id,
-      username: result.service.username,
-      serviceFqn: result.service.serviceFqn,
-      offers: result.offers.map(offer => ({
+      username: name,
+      tags,
+      offers: createdOffers.map(offer => ({
         offerId: offer.id,
         sdp: offer.sdp,
         createdAt: offer.createdAt,
         expiresAt: offer.expiresAt,
       })),
-      createdAt: result.service.createdAt,
-      expiresAt: result.service.expiresAt,
+      createdAt: now,
+      expiresAt,
     };
   },
   /**
-   * Delete a service
+   * Delete an offer by ID
    */
-  async deleteService(params, message, signature, publicKey, storage, config) {
-    const { serviceFqn } = params;
-    const username = extractUsername(message);
-    if (!username) {
-      throw new Error('Username required');
-    }
+  async deleteOffer(params: DeleteOfferParams, name, timestamp, signature, storage, config, request: RpcRequest) {
+    const { offerId } = params;
-    // Verify authentication
-    const auth = await verifyAuth(username, message, signature, publicKey, storage);
-    if (!auth.valid) {
-      throw new Error(auth.error);
+    if (!name) {
+      throw new RpcError(ErrorCodes.AUTH_REQUIRED, 'Name required');
     }
-    const parsed = parseServiceFqn(serviceFqn);
-    if (!parsed || !parsed.username) {
-      throw new Error('Service FQN must include username');
-    }
+    validateStringParam(offerId, 'offerId');
-    const service = await storage.getServiceByFqn(serviceFqn);
-    if (!service) {
-      throw new Error('Service not found');
-    }
-    const deleted = await storage.deleteService(service.id, username);
+    const deleted = await storage.deleteOffer(offerId, name);
     if (!deleted) {
-      throw new Error('Service not found or not owned by this username');
+      throw new RpcError(ErrorCodes.NOT_AUTHORIZED, 'Offer not found or not owned by this name');
     }
     return { success: true };
@@ -411,38 +534,34 @@ const handlers: Record<string, RpcHandler> = {
   /**
    * Answer an offer
    */
-  async answerOffer(params, message, signature, publicKey, storage, config) {
-    const { serviceFqn, offerId, sdp } = params;
-    const username = extractUsername(message);
+  async answerOffer(params: AnswerOfferParams, name, timestamp, signature, storage, config, request: RpcRequest) {
+    const { offerId, sdp } = params;
-    if (!username) {
-      throw new Error('Username required');
-    }
+    // Validate input parameters
+    validateStringParam(offerId, 'offerId');
-    // Verify authentication
-    const auth = await verifyAuth(username, message, signature, publicKey, storage);
-    if (!auth.valid) {
-      throw new Error(auth.error);
+    if (!name) {
+      throw new RpcError(ErrorCodes.AUTH_REQUIRED, 'Name required');
     }
     if (!sdp || typeof sdp !== 'string' || sdp.length === 0) {
-      throw new Error('Invalid SDP');
+      throw new RpcError(ErrorCodes.INVALID_SDP, 'Invalid SDP');
     }
-    if (sdp.length > 64 * 1024) {
-      throw new Error('SDP too large (max 64KB)');
+    if (sdp.length > config.maxSdpSize) {
+      throw new RpcError(ErrorCodes.SDP_TOO_LARGE, `SDP too large (max ${config.maxSdpSize} bytes)`);
     }
     const offer = await storage.getOfferById(offerId);
     if (!offer) {
-      throw new Error('Offer not found');
+      throw new RpcError(ErrorCodes.OFFER_NOT_FOUND, 'Offer not found');
     }
     if (offer.answererUsername) {
-      throw new Error('Offer already answered');
+      throw new RpcError(ErrorCodes.OFFER_ALREADY_ANSWERED, 'Offer already answered');
     }
-    await storage.answerOffer(offerId, username, sdp);
+    await storage.answerOffer(offerId, name, sdp);
     return { success: true, offerId };
   },
@@ -450,31 +569,27 @@ const handlers: Record<string, RpcHandler> = {
   /**
    * Get answer for an offer
    */
-  async getOfferAnswer(params, message, signature, publicKey, storage, config) {
-    const { serviceFqn, offerId } = params;
-    const username = extractUsername(message);
+  async getOfferAnswer(params: GetOfferAnswerParams, name, timestamp, signature, storage, config, request: RpcRequest) {
+    const { offerId } = params;
-    if (!username) {
-      throw new Error('Username required');
-    }
+    // Validate input parameters
+    validateStringParam(offerId, 'offerId');
-    // Verify authentication
-    const auth = await verifyAuth(username, message, signature, publicKey, storage);
-    if (!auth.valid) {
-      throw new Error(auth.error);
+    if (!name) {
+      throw new RpcError(ErrorCodes.AUTH_REQUIRED, 'Name required');
     }
     const offer = await storage.getOfferById(offerId);
     if (!offer) {
-      throw new Error('Offer not found');
+      throw new RpcError(ErrorCodes.OFFER_NOT_FOUND, 'Offer not found');
     }
-    if (offer.username !== username) {
-      throw new Error('Not authorized to access this offer');
+    if (offer.username !== name) {
+      throw new RpcError(ErrorCodes.NOT_AUTHORIZED, 'Not authorized to access this offer');
     }
     if (!offer.answererUsername || !offer.answerSdp) {
-      throw new Error('Offer not yet answered');
+      throw new RpcError(ErrorCodes.OFFER_NOT_ANSWERED, 'Offer not yet answered');
     }
     return {
@@ -488,73 +603,57 @@ const handlers: Record<string, RpcHandler> = {
   /**
    * Combined polling for answers and ICE candidates
    */
-  async poll(params, message, signature, publicKey, storage, config) {
+  async poll(params: PollParams, name, timestamp, signature, storage, config, request: RpcRequest) {
     const { since } = params;
-    const username = extractUsername(message);
-    if (!username) {
-      throw new Error('Username required');
+    if (!name) {
+      throw new RpcError(ErrorCodes.AUTH_REQUIRED, 'Name required');
     }
-    // Verify authentication
-    const auth = await verifyAuth(username, message, signature, publicKey, storage);
-    if (!auth.valid) {
-      throw new Error(auth.error);
+    // Validate since parameter
+    if (since !== undefined && (typeof since !== 'number' || since < 0 || !Number.isFinite(since))) {
+      throw new RpcError(ErrorCodes.INVALID_PARAMS, 'Invalid since parameter: must be a non-negative number');
     }
+    const sinceTimestamp = since !== undefined ? since : 0;
-    const sinceTimestamp = since || 0;
-    // Get all answered offers
-    const answeredOffers = await storage.getAnsweredOffers(username);
+    // Get all answered offers (where user is the offerer)
+    const answeredOffers = await storage.getAnsweredOffers(name);
     const filteredAnswers = answeredOffers.filter(
       (offer) => offer.answeredAt && offer.answeredAt > sinceTimestamp
     );
-    // Get all user's offers
-    const allOffers = await storage.getOffersByUsername(username);
+    // Get all user's offers (where user is offerer)
+    const ownedOffers = await storage.getOffersByUsername(name);
+    // Get all offers the user has answered (where user is answerer)
+    const answeredByUser = await storage.getOffersAnsweredBy(name);
+    // Combine offer IDs from both sources for ICE candidate fetching
+    // The storage method handles filtering by role automatically
+    const allOfferIds = [
+      ...ownedOffers.map(offer => offer.id),
+      ...answeredByUser.map(offer => offer.id),
+    ];
+    // Remove duplicates (shouldn't happen, but defensive)
+    const offerIds = [...new Set(allOfferIds)];
+    // Batch fetch ICE candidates for all offers using JOIN to avoid N+1 query problem
+    // Server filters by role - offerers get answerer candidates, answerers get offerer candidates
+    const iceCandidatesMap = await storage.getIceCandidatesForMultipleOffers(
+      offerIds,
+      name,
+      sinceTimestamp
+    );
-    // For each offer, get ICE candidates from both sides
+    // Convert Map to Record for response
     const iceCandidatesByOffer: Record<string, any[]> = {};
-    for (const offer of allOffers) {
-      const offererCandidates = await storage.getIceCandidates(
-        offer.id,
-        'offerer',
-        sinceTimestamp
-      );
-      const answererCandidates = await storage.getIceCandidates(
-        offer.id,
-        'answerer',
-        sinceTimestamp
-      );
-      const allCandidates = [
-        ...offererCandidates.map((c: any) => ({
-          ...c,
-          role: 'offerer' as const,
-        })),
-        ...answererCandidates.map((c: any) => ({
-          ...c,
-          role: 'answerer' as const,
-        })),
-      ];
-      if (allCandidates.length > 0) {
-        const isOfferer = offer.username === username;
-        const filtered = allCandidates.filter((c) =>
-          isOfferer ? c.role === 'answerer' : c.role === 'offerer'
-        );
-        if (filtered.length > 0) {
-          iceCandidatesByOffer[offer.id] = filtered;
-        }
-      }
+    for (const [offerId, candidates] of iceCandidatesMap.entries()) {
+      iceCandidatesByOffer[offerId] = candidates;
     }
     return {
       answers: filteredAnswers.map((offer) => ({
         offerId: offer.id,
-        serviceId: offer.serviceId,
         answererId: offer.answererUsername,
         sdp: offer.answerSdp,
         answeredAt: offer.answeredAt,
@@ -566,40 +665,68 @@ const handlers: Record<string, RpcHandler> = {
   /**
    * Add ICE candidates
    */
-  async addIceCandidates(params, message, signature, publicKey, storage, config) {
-    const { serviceFqn, offerId, candidates } = params;
-    const username = extractUsername(message);
+  async addIceCandidates(params: AddIceCandidatesParams, name, timestamp, signature, storage, config, request: RpcRequest) {
+    const { offerId, candidates } = params;
-    if (!username) {
-      throw new Error('Username required');
-    }
+    // Validate input parameters
+    validateStringParam(offerId, 'offerId');
-    // Verify authentication
-    const auth = await verifyAuth(username, message, signature, publicKey, storage);
-    if (!auth.valid) {
-      throw new Error(auth.error);
+    if (!name) {
+      throw new RpcError(ErrorCodes.AUTH_REQUIRED, 'Name required');
     }
     if (!Array.isArray(candidates) || candidates.length === 0) {
-      throw new Error('Missing or invalid required parameter: candidates');
+      throw new RpcError(ErrorCodes.MISSING_PARAMS, 'Missing or invalid required parameter: candidates');
+    }
+    if (candidates.length > config.maxCandidatesPerRequest) {
+      throw new RpcError(
+        ErrorCodes.INVALID_PARAMS,
+        `Too many candidates (max ${config.maxCandidatesPerRequest})`
+      );
     }
     // Validate each candidate is an object (don't enforce structure per CLAUDE.md)
     candidates.forEach((candidate, index) => {
       if (!candidate || typeof candidate !== 'object') {
-        throw new Error(`Invalid candidate at index ${index}: must be an object`);
+        throw new RpcError(ErrorCodes.INVALID_PARAMS, `Invalid candidate at index ${index}: must be an object`);
+      }
+      // Check JSON depth to prevent stack overflow from deeply nested objects
+      const depth = getJsonDepth(candidate, config.maxCandidateDepth + 1);
+      if (depth > config.maxCandidateDepth) {
+        throw new RpcError(
+          ErrorCodes.INVALID_PARAMS,
+          `Candidate at index ${index} too deeply nested (max depth ${config.maxCandidateDepth})`
+        );
+      }
+      // Ensure candidate is serializable and check size (will be stored as JSON)
+      let candidateJson: string;
+      try {
+        candidateJson = JSON.stringify(candidate);
+      } catch (e) {
+        throw new RpcError(ErrorCodes.INVALID_PARAMS, `Candidate at index ${index} is not serializable`);
+      }
+      // Validate candidate size to prevent abuse
+      if (candidateJson.length > config.maxCandidateSize) {
+        throw new RpcError(
+          ErrorCodes.INVALID_PARAMS,
+          `Candidate at index ${index} too large (max ${config.maxCandidateSize} bytes)`
+        );
       }
     });
     const offer = await storage.getOfferById(offerId);
     if (!offer) {
-      throw new Error('Offer not found');
+      throw new RpcError(ErrorCodes.OFFER_NOT_FOUND, 'Offer not found');
     }
-    const role = offer.username === username ? 'offerer' : 'answerer';
+    const role = offer.username === name ? 'offerer' : 'answerer';
     const count = await storage.addIceCandidates(
       offerId,
-      username,
+      name,
       role,
       candidates
     );
@@ -610,28 +737,36 @@ const handlers: Record<string, RpcHandler> = {
   /**
    * Get ICE candidates
    */
-  async getIceCandidates(params, message, signature, publicKey, storage, config) {
-    const { serviceFqn, offerId, since } = params;
-    const username = extractUsername(message);
+  async getIceCandidates(params: GetIceCandidatesParams, name, timestamp, signature, storage, config, request: RpcRequest) {
+    const { offerId, since } = params;
-    if (!username) {
-      throw new Error('Username required');
-    }
+    // Validate input parameters
+    validateStringParam(offerId, 'offerId');
-    // Verify authentication
-    const auth = await verifyAuth(username, message, signature, publicKey, storage);
-    if (!auth.valid) {
-      throw new Error(auth.error);
+    if (!name) {
+      throw new RpcError(ErrorCodes.AUTH_REQUIRED, 'Name required');
     }
-    const sinceTimestamp = since || 0;
+    // Validate since parameter
+    if (since !== undefined && (typeof since !== 'number' || since < 0 || !Number.isFinite(since))) {
+      throw new RpcError(ErrorCodes.INVALID_PARAMS, 'Invalid since parameter: must be a non-negative number');
+    }
+    const sinceTimestamp = since !== undefined ? since : 0;
     const offer = await storage.getOfferById(offerId);
     if (!offer) {
-      throw new Error('Offer not found');
+      throw new RpcError(ErrorCodes.OFFER_NOT_FOUND, 'Offer not found');
+    }
+    // Validate that user is authorized to access this offer's candidates
+    // Only the offerer and answerer can access ICE candidates
+    const isOfferer = offer.username === name;
+    const isAnswerer = offer.answererUsername === name;
+    if (!isOfferer && !isAnswerer) {
+      throw new RpcError(ErrorCodes.NOT_AUTHORIZED, 'Not authorized to access ICE candidates for this offer');
     }
-    const isOfferer = offer.username === username;
     const role = isOfferer ? 'answerer' : 'offerer';
     const candidates = await storage.getIceCandidates(
@@ -650,74 +785,192 @@ const handlers: Record<string, RpcHandler> = {
   },
 };
+// Methods that don't require authentication
+const UNAUTHENTICATED_METHODS = new Set(['generateCredentials', 'discover']);
 /**
- * Handle RPC batch request
+ * Handle RPC batch request with header-based authentication
  */
 export async function handleRpc(
   requests: RpcRequest[],
+  ctx: Context,
   storage: Storage,
   config: Config
 ): Promise<RpcResponse[]> {
   const responses: RpcResponse[] = [];
+  // Extract client IP for rate limiting
+  // Try multiple headers for proxy compatibility
+  const clientIp =
+    ctx.req.header('cf-connecting-ip') || // Cloudflare
+    ctx.req.header('x-real-ip') || // Nginx
+    ctx.req.header('x-forwarded-for')?.split(',')[0].trim() ||
+    undefined; // Don't use fallback - let handlers decide how to handle missing IP
+  // Read auth headers (same for all requests in batch)
+  const name = ctx.req.header('X-Name');
+  const timestampHeader = ctx.req.header('X-Timestamp');
+  const nonce = ctx.req.header('X-Nonce');
+  const signature = ctx.req.header('X-Signature');
+  // Parse timestamp if present
+  const timestamp = timestampHeader ? parseInt(timestampHeader, 10) : 0;
+  // CRITICAL: Pre-calculate total operations BEFORE processing any requests
+  // This prevents DoS where first N requests complete before limit triggers
+  // Example attack prevented: 100 publishOffer × 100 offers = 10,000 operations
+  let totalOperations = 0;
+  // Count all operations across all requests first
+  for (const request of requests) {
+    const { method, params } = request;
+    if (method === 'publishOffer' && params?.offers && Array.isArray(params.offers)) {
+      totalOperations += params.offers.length;
+    } else if (method === 'addIceCandidates' && params?.candidates && Array.isArray(params.candidates)) {
+      totalOperations += params.candidates.length;
+    } else {
+      totalOperations += 1; // Single operation
+    }
+  }
+  // Reject entire batch if total operations exceed limit
+  // This happens BEFORE processing any requests
+  // Return error for EACH request to maintain response array alignment
+  if (totalOperations > config.maxTotalOperations) {
+    return requests.map(() => ({
+      success: false,
+      error: `Total operations across batch exceed limit: ${totalOperations} > ${config.maxTotalOperations}`,
+      errorCode: ErrorCodes.BATCH_TOO_LARGE,
+    }));
+  }
+  // Process all requests
   for (const request of requests) {
     try {
-      const { method, message, signature, publicKey, params } = request;
+      const { method, params } = request;
       // Validate request
       if (!method || typeof method !== 'string') {
         responses.push({
           success: false,
           error: 'Missing or invalid method',
+          errorCode: ErrorCodes.INVALID_PARAMS,
         });
         continue;
       }
-      if (!message || typeof message !== 'string') {
+      // Get handler
+      const handler = handlers[method];
+      if (!handler) {
         responses.push({
           success: false,
-          error: 'Missing or invalid message',
+          error: `Unknown method: ${method}`,
+          errorCode: ErrorCodes.UNKNOWN_METHOD,
         });
         continue;
       }
-      if (!signature || typeof signature !== 'string') {
+      // Validate auth headers only for methods that require authentication
+      const requiresAuth = !UNAUTHENTICATED_METHODS.has(method);
+      if (requiresAuth) {
+        if (!name || typeof name !== 'string') {
+          responses.push({
+            success: false,
+            error: 'Missing or invalid X-Name header',
+            errorCode: ErrorCodes.AUTH_REQUIRED,
+          });
+          continue;
+        }
+        if (!timestampHeader || typeof timestampHeader !== 'string' || isNaN(timestamp)) {
+          responses.push({
+            success: false,
+            error: 'Missing or invalid X-Timestamp header',
+            errorCode: ErrorCodes.AUTH_REQUIRED,
+          });
+          continue;
+        }
+        if (!nonce || typeof nonce !== 'string') {
+          responses.push({
+            success: false,
+            error: 'Missing or invalid X-Nonce header (use crypto.randomUUID())',
+            errorCode: ErrorCodes.AUTH_REQUIRED,
+          });
+          continue;
+        }
+        if (!signature || typeof signature !== 'string') {
+          responses.push({
+            success: false,
+            error: 'Missing or invalid X-Signature header',
+            errorCode: ErrorCodes.AUTH_REQUIRED,
+          });
+          continue;
+        }
+        // Verify signature (validates timestamp, nonce, and signature)
+        await verifyRequestSignature(
+          name,
+          timestamp,
+          nonce,
+          signature,
+          method,
+          params,
+          storage,
+          config
+        );
+        // Execute handler with auth
+        const result = await handler(
+          params || {},
+          name,
+          timestamp,
+          signature,
+          storage,
+          config,
+          { ...request, clientIp }
+        );
         responses.push({
-          success: false,
-          error: 'Missing or invalid signature',
+          success: true,
+          result,
         });
-        continue;
-      }
+      } else {
+        // Execute handler without strict auth requirement
+        const result = await handler(
+          params || {},
+          name || '',
+          0, // timestamp
+          '', // signature
+          storage,
+          config,
+          { ...request, clientIp }
+        );
-      // Get handler
-      const handler = handlers[method];
-      if (!handler) {
         responses.push({
-          success: false,
-          error: `Unknown method: ${method}`,
+          success: true,
+          result,
         });
-        continue;
       }
-      // Execute handler
-      const result = await handler(
-        params || {},
-        message,
-        signature,
-        publicKey,
-        storage,
-        config
-      );
-      responses.push({
-        success: true,
-        result,
-      });
     } catch (err) {
-      responses.push({
-        success: false,
-        error: (err as Error).message || 'Internal server error',
-      });
+      if (err instanceof RpcError) {
+        responses.push({
+          success: false,
+          error: err.message,
+          errorCode: err.errorCode,
+        });
+      } else {
+        // Generic error - don't leak internal details
+        // Log the actual error for debugging
+        console.error('Unexpected RPC error:', err);
+        responses.push({
+          success: false,
+          error: 'Internal server error',
+          errorCode: ErrorCodes.INTERNAL_ERROR,
+        });
+      }
     }
   }