npm - @xtr-dev/rondevu-server - Versions diffs - 0.5.6 → 0.5.8 - Mend

@xtr-dev/rondevu-server 0.5.6 → 0.5.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/dist/index.js CHANGED Viewed

@@ -729,6 +729,21 @@ var init_memory = __esm({
         this.offersByTag.clear();
         this.offersByAnswerer.clear();
       }
+      // ===== Count Methods (for resource limits) =====
+      async getOfferCount() {
+        return this.offers.size;
+      }
+      async getOfferCountByUsername(username) {
+        const offerIds = this.offersByUsername.get(username);
+        return offerIds ? offerIds.size : 0;
+      }
+      async getCredentialCount() {
+        return this.credentials.size;
+      }
+      async getIceCandidateCount(offerId) {
+        const candidates = this.iceCandidates.get(offerId);
+        return candidates ? candidates.length : 0;
+      }
       // ===== Helper Methods =====
       removeOfferFromIndexes(offer) {
         const usernameOffers = this.offersByUsername.get(offer.username);
@@ -1241,6 +1256,23 @@ var init_sqlite = __esm({
       async close() {
         this.db.close();
       }
+      // ===== Count Methods (for resource limits) =====
+      async getOfferCount() {
+        const result = this.db.prepare("SELECT COUNT(*) as count FROM offers").get();
+        return result.count;
+      }
+      async getOfferCountByUsername(username) {
+        const result = this.db.prepare("SELECT COUNT(*) as count FROM offers WHERE username = ?").get(username);
+        return result.count;
+      }
+      async getCredentialCount() {
+        const result = this.db.prepare("SELECT COUNT(*) as count FROM credentials").get();
+        return result.count;
+      }
+      async getIceCandidateCount(offerId) {
+        const result = this.db.prepare("SELECT COUNT(*) as count FROM ice_candidates WHERE offer_id = ?").get(offerId);
+        return result.count;
+      }
       // ===== Helper Methods =====
       /**
        * Helper method to convert database row to Offer object
@@ -1691,6 +1723,29 @@ var init_mysql = __esm({
       async close() {
         await this.pool.end();
       }
+      // ===== Count Methods (for resource limits) =====
+      async getOfferCount() {
+        const [rows] = await this.pool.query("SELECT COUNT(*) as count FROM offers");
+        return Number(rows[0].count);
+      }
+      async getOfferCountByUsername(username) {
+        const [rows] = await this.pool.query(
+          "SELECT COUNT(*) as count FROM offers WHERE username = ?",
+          [username]
+        );
+        return Number(rows[0].count);
+      }
+      async getCredentialCount() {
+        const [rows] = await this.pool.query("SELECT COUNT(*) as count FROM credentials");
+        return Number(rows[0].count);
+      }
+      async getIceCandidateCount(offerId) {
+        const [rows] = await this.pool.query(
+          "SELECT COUNT(*) as count FROM ice_candidates WHERE offer_id = ?",
+          [offerId]
+        );
+        return Number(rows[0].count);
+      }
       // ===== Helper Methods =====
       rowToOffer(row) {
         return {
@@ -2154,6 +2209,29 @@ var init_postgres = __esm({
       async close() {
         await this.pool.end();
       }
+      // ===== Count Methods (for resource limits) =====
+      async getOfferCount() {
+        const result = await this.pool.query("SELECT COUNT(*) as count FROM offers");
+        return Number(result.rows[0].count);
+      }
+      async getOfferCountByUsername(username) {
+        const result = await this.pool.query(
+          "SELECT COUNT(*) as count FROM offers WHERE username = $1",
+          [username]
+        );
+        return Number(result.rows[0].count);
+      }
+      async getCredentialCount() {
+        const result = await this.pool.query("SELECT COUNT(*) as count FROM credentials");
+        return Number(result.rows[0].count);
+      }
+      async getIceCandidateCount(offerId) {
+        const result = await this.pool.query(
+          "SELECT COUNT(*) as count FROM ice_candidates WHERE offer_id = $1",
+          [offerId]
+        );
+        return Number(result.rows[0].count);
+      }
       // ===== Helper Methods =====
       rowToOffer(row) {
         return {
@@ -2193,8 +2271,8 @@ var import_cors = require("hono/cors");
 // src/rpc.ts
 init_crypto();
 var MAX_PAGE_SIZE = 100;
-var CREDENTIAL_RATE_LIMIT = 1;
 var CREDENTIAL_RATE_WINDOW = 1e3;
+var REQUEST_RATE_WINDOW = 1e3;
 function getJsonDepth(obj, maxDepth, currentDepth = 0) {
   if (obj === null || typeof obj !== "object") {
     return currentDepth;
@@ -2242,6 +2320,9 @@ var ErrorCodes = {
   SDP_TOO_LARGE: "SDP_TOO_LARGE",
   BATCH_TOO_LARGE: "BATCH_TOO_LARGE",
   RATE_LIMIT_EXCEEDED: "RATE_LIMIT_EXCEEDED",
+  TOO_MANY_OFFERS_PER_USER: "TOO_MANY_OFFERS_PER_USER",
+  STORAGE_FULL: "STORAGE_FULL",
+  TOO_MANY_ICE_CANDIDATES: "TOO_MANY_ICE_CANDIDATES",
   // Generic errors
   INTERNAL_ERROR: "INTERNAL_ERROR",
   UNKNOWN_METHOD: "UNKNOWN_METHOD"
@@ -2290,15 +2371,22 @@ var handlers = {
    * SECURITY: Rate limited per IP to prevent abuse (database-backed for multi-instance support)
    */
   async generateCredentials(params, name, timestamp, signature, storage, config, request) {
+    const credentialCount = await storage.getCredentialCount();
+    if (credentialCount >= config.maxTotalCredentials) {
+      throw new RpcError(
+        ErrorCodes.STORAGE_FULL,
+        `Server credential limit reached (${config.maxTotalCredentials}). Try again later.`
+      );
+    }
     let rateLimitKey;
     let rateLimit;
     if (!request.clientIp) {
       console.warn("\u26A0\uFE0F  WARNING: Unable to determine client IP for credential generation. Using global rate limit.");
       rateLimitKey = "cred_gen:global_unknown";
-      rateLimit = 2;
+      rateLimit = 1;
     } else {
       rateLimitKey = `cred_gen:${request.clientIp}`;
-      rateLimit = CREDENTIAL_RATE_LIMIT;
+      rateLimit = config.credentialsPerIpPerSecond;
     }
     const allowed = await storage.checkRateLimit(
       rateLimitKey,
@@ -2308,7 +2396,7 @@ var handlers = {
     if (!allowed) {
       throw new RpcError(
         ErrorCodes.RATE_LIMIT_EXCEEDED,
-        `Rate limit exceeded. Maximum ${rateLimit} credential per second${request.clientIp ? " per IP" : " (global limit for unidentified IPs)"}.`
+        `Rate limit exceeded. Maximum ${rateLimit} credentials per second${request.clientIp ? " per IP" : " (global limit for unidentified IPs)"}.`
       );
     }
     if (params.name !== void 0) {
@@ -2427,6 +2515,20 @@ var handlers = {
         `Too many offers (max ${config.maxOffersPerRequest})`
       );
     }
+    const userOfferCount = await storage.getOfferCountByUsername(name);
+    if (userOfferCount + offers.length > config.maxOffersPerUser) {
+      throw new RpcError(
+        ErrorCodes.TOO_MANY_OFFERS_PER_USER,
+        `User offer limit exceeded. You have ${userOfferCount} offers, limit is ${config.maxOffersPerUser}.`
+      );
+    }
+    const totalOfferCount = await storage.getOfferCount();
+    if (totalOfferCount + offers.length > config.maxTotalOffers) {
+      throw new RpcError(
+        ErrorCodes.STORAGE_FULL,
+        `Server offer limit reached (${config.maxTotalOffers}). Try again later.`
+      );
+    }
     offers.forEach((offer, index) => {
       if (!offer || typeof offer !== "object") {
         throw new RpcError(ErrorCodes.INVALID_PARAMS, `Invalid offer at index ${index}: must be an object`);
@@ -2626,6 +2728,13 @@ var handlers = {
     if (!offer) {
       throw new RpcError(ErrorCodes.OFFER_NOT_FOUND, "Offer not found");
     }
+    const currentCandidateCount = await storage.getIceCandidateCount(offerId);
+    if (currentCandidateCount + candidates.length > config.maxIceCandidatesPerOffer) {
+      throw new RpcError(
+        ErrorCodes.TOO_MANY_ICE_CANDIDATES,
+        `ICE candidate limit exceeded for offer. Current: ${currentCandidateCount}, limit: ${config.maxIceCandidatesPerOffer}.`
+      );
+    }
     const role = offer.username === name ? "offerer" : "answerer";
     const count = await storage.addIceCandidates(
       offerId,
@@ -2678,6 +2787,21 @@ async function handleRpc(requests, ctx, storage, config) {
   const clientIp = ctx.req.header("cf-connecting-ip") || // Cloudflare
   ctx.req.header("x-real-ip") || // Nginx
   ctx.req.header("x-forwarded-for")?.split(",")[0].trim() || void 0;
+  if (clientIp) {
+    const rateLimitKey = `req:${clientIp}`;
+    const allowed = await storage.checkRateLimit(
+      rateLimitKey,
+      config.requestsPerIpPerSecond,
+      REQUEST_RATE_WINDOW
+    );
+    if (!allowed) {
+      return requests.map(() => ({
+        success: false,
+        error: `Rate limit exceeded. Maximum ${config.requestsPerIpPerSecond} requests per second per IP.`,
+        errorCode: ErrorCodes.RATE_LIMIT_EXCEEDED
+      }));
+    }
+  }
   const name = ctx.req.header("X-Name");
   const timestampHeader = ctx.req.header("X-Timestamp");
   const nonce = ctx.req.header("X-Nonce");
@@ -2906,7 +3030,7 @@ function loadConfig() {
     console.error("\u26A0\uFE0F  WARNING: Using insecure deterministic development key");
     console.error("\u26A0\uFE0F  ONLY use NODE_ENV=development for local development");
     console.error("\u26A0\uFE0F  Generate production key with: openssl rand -hex 32");
-    masterEncryptionKey = "a3f8b9c2d1e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2";
+    masterEncryptionKey = "a3f8b9c2d1e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0";
   }
   if (masterEncryptionKey.length !== 64 || !/^[0-9a-fA-F]{64}$/.test(masterEncryptionKey)) {
     throw new Error("MASTER_ENCRYPTION_KEY must be 64-character hex string (32 bytes). Generate with: openssl rand -hex 32");
@@ -2946,7 +3070,14 @@ function loadConfig() {
     // Min 1 second
     timestampMaxFuture: parsePositiveInt(process.env.TIMESTAMP_MAX_FUTURE, "60000", "TIMESTAMP_MAX_FUTURE", 1e3),
     // Min 1 second
-    masterEncryptionKey
+    masterEncryptionKey,
+    // Resource limits
+    maxOffersPerUser: parsePositiveInt(process.env.MAX_OFFERS_PER_USER, "20", "MAX_OFFERS_PER_USER", 1),
+    maxTotalOffers: parsePositiveInt(process.env.MAX_TOTAL_OFFERS, "10000", "MAX_TOTAL_OFFERS", 1),
+    maxTotalCredentials: parsePositiveInt(process.env.MAX_TOTAL_CREDENTIALS, "50000", "MAX_TOTAL_CREDENTIALS", 1),
+    maxIceCandidatesPerOffer: parsePositiveInt(process.env.MAX_ICE_CANDIDATES_PER_OFFER, "50", "MAX_ICE_CANDIDATES_PER_OFFER", 1),
+    credentialsPerIpPerSecond: parsePositiveInt(process.env.CREDENTIALS_PER_IP_PER_SECOND, "1", "CREDENTIALS_PER_IP_PER_SECOND", 1),
+    requestsPerIpPerSecond: parsePositiveInt(process.env.REQUESTS_PER_IP_PER_SECOND, "50", "REQUESTS_PER_IP_PER_SECOND", 1)
   };
   return config;
 }
@@ -2963,7 +3094,14 @@ var CONFIG_DEFAULTS = {
   maxCandidatesPerRequest: 100,
   maxTotalOperations: 1e3,
   timestampMaxAge: 6e4,
-  timestampMaxFuture: 6e4
+  timestampMaxFuture: 6e4,
+  // Resource limits
+  maxOffersPerUser: 20,
+  maxTotalOffers: 1e4,
+  maxTotalCredentials: 5e4,
+  maxIceCandidatesPerOffer: 50,
+  credentialsPerIpPerSecond: 1,
+  requestsPerIpPerSecond: 50
 };
 async function runCleanup(storage, now) {
   const offers = await storage.deleteExpiredOffers(now);