hacker-lobby 1.0.1 → 1.1.0

package/README.md

@@ -0,0 +1,99 @@
+# 📟 Hacker Lobby
+
+A secure, real-time, multiplayer terminal chat application built with a zero-dependency Node.js CLI frontend and a Cloudflare Workers/D1 database serverless backend.
+
+---
+
+## 🚀 Getting Started with Node.js, npm, and npx
+
+To run the Hacker Lobby client and server, you need **Node.js** installed on your system. Node.js comes bundled with **npm** (Node Package Manager) and **npx** (Node Package Runner) automatically.
+
+### 📥 1. Installation Guide
+
+#### 🪟 Windows
+* **Direct Installer**: Download the recommended LTS installer from the [official Node.js website](https://nodejs.org/). Run the `.msi` file and follow the default prompts.
+* **Terminal (Winget)**: Open PowerShell or Command Prompt as administrator and run:
+  ```powershell
+  winget install OpenJS.NodeJS
+  ```
+
+#### 🍎 macOS
+* **Direct Installer**: Download the macOS installer (`.pkg`) from the [official Node.js website](https://nodejs.org/) and run it.
+* **Homebrew**: Open Terminal and run:
+  ```bash
+  brew install node
+  ```
+
+#### 🐧 Linux (Ubuntu/Debian)
+Open Terminal and run the following command to install Node.js and npm:
+```bash
+sudo apt update
+sudo apt install nodejs npm -y
+```
+
+---
+
+### 💻 2. Accessing and Verifying via Terminal
+
+Once installed, restart your terminal application (PowerShell, Command Prompt, or bash) and verify the installation:
+
+1. **Verify Node.js** (executes JavaScript code):
+   ```bash
+   node -v
+   ```
+2. **Verify npm** (installs and manages dependencies):
+   ```bash
+   npm -v
+   ```
+3. **Verify npx** (executes npm packages without globally installing them):
+   ```bash
+   npx -v
+   ```
+
+---
+
+## 🛠️ Project Setup
+
+Follow these steps to set up and run Hacker Lobby locally:
+
+### 1. Install Dependencies
+Clone the repository, navigate to the folder, and run:
+```bash
+npm install
+```
+
+### 2. Configure Backend Database
+Initialize the local Cloudflare D1 database and apply the SQL schema:
+```bash
+npx wrangler d1 execute chat-db --local --file=schema.sql
+```
+
+### 3. Run the Backend Server
+Start the local serverless backend with Wrangler:
+```bash
+npx wrangler dev
+```
+The server will start listening at `http://127.0.0.1:8787`.
+
+### 4. Connect with CLI Chat Client
+Configure the client to connect to your local backend server using environment variables:
+
+* **PowerShell (Windows)**:
+  ```powershell
+  $env:API_URL="http://127.0.0.1:8787"; node index.js
+  ```
+* **macOS / Linux / Git Bash**:
+  ```bash
+  API_URL="http://127.0.0.1:8787" node index.js
+  ```
+
+---
+
+## ✨ Features
+
+- **Real-Time Messaging**: Built on Server-Sent Events (SSE) for zero-latency multiplayer updates.
+- **Secure Alias Locking**: Users can register and lock their alias with a password. Password hashes are calculated locally and checked securely using SHA-256 and salt on the database.
+- **Input Masking**: Passwords and confirmation queries are muted on the terminal during entry.
+- **Anti-Spam Rate Limiting**: Built-in IP-based Token Bucket rate limiting (capacity: 5 requests, refilling 1 token every 1.5 seconds) to prevent bot spam.
+- **Auto-Cleanup Cron**: Cloudflare worker triggers hourly routines to automatically prune chat logs older than 6 hours.
+- **Terminal XSS Protection**: Strip ANSI escape sequences from incoming user payloads to prevent control character injection attacks.

package/index.js

@@ -1,6 +1,37 @@
 #!/usr/bin/env node
 
 import readline from 'readline';
+import fs from 'fs';
+import path from 'path';
+import { fileURLToPath } from 'url';
+
+// Simple .env file loader for Node.js
+function loadEnv() {
+  try {
+    const __dirname = path.dirname(fileURLToPath(import.meta.url));
+    const envPath = path.resolve(__dirname, '.env');
+    if (fs.existsSync(envPath)) {
+      const content = fs.readFileSync(envPath, 'utf8');
+      for (const line of content.split('\n')) {
+        const trimmedLine = line.trim();
+        if (!trimmedLine || trimmedLine.startsWith('#')) continue;
+        const parts = trimmedLine.split('=');
+        if (parts.length >= 2) {
+          const key = parts[0].trim();
+          const value = parts.slice(1).join('=').trim().replace(/(^['"]|['"]$)/g, '');
+          if (key && !process.env[key]) {
+            process.env[key] = value;
+          }
+        }
+      }
+    }
+  } catch (e) {
+    // Ignore env loading errors
+  }
+}
+
+loadEnv();
+
 import { 
   clearScreen, 
   drawBanner, 
@@ -15,8 +46,9 @@ import {
   restoreCursor,
   clearCurrentLine
 } from './src/ui.js';
-import { setAlias, getAlias } from './src/config.js';
-import { connectToStream, sendMessage } from './src/api.js';
+import { setAlias, getAlias, setToken } from './src/config.js';
+import { connectToStream, sendMessage, checkAliasStatus, registerAlias, verifyAlias } from './src/api.js';
+import { encrypt, decrypt, isUsingCustomPassphrase } from './src/crypto.js';
 
 let abortController = null;
 
@@ -29,12 +61,16 @@ const rl = readline.createInterface({
 const messages = [];
 let chatActive = false;
 let muteNewline = false;
+let muteInput = false;
 
 // Override stdout.write to intercept the readline newline on enter keypress.
 // This prevents the entire terminal window from scrolling up when the user submits a message.
 const originalWrite = process.stdout.write.bind(process.stdout);
 process.stdout.write = (chunk, encoding, callback) => {
   const data = chunk.toString();
+  if (muteInput && data !== '\n' && data !== '\r\n' && data !== '\r') {
+    return true;
+  }
   if (muteNewline && (data === '\n' || data === '\r\n' || data === '\r')) {
     return true;
   }
@@ -54,7 +90,7 @@ function promptAlias() {
   
   process.stdout.write(`${COLORS.YELLOW}${COLORS.BOLD}Choose an alias: ${COLORS.RESET}`);
   
-  rl.question('', (input) => {
+  rl.question('', async (input) => {
     const alias = input.trim();
     if (!alias) {
       process.stdout.write('\n' + formatError('Alias cannot be empty. Please try again.') + '\n');
@@ -62,8 +98,115 @@ function promptAlias() {
       return;
     }
     
-    setAlias(alias);
-    initChat();
+    try {
+      const { locked } = await checkAliasStatus(alias);
+      if (locked) {
+        promptPassword(alias);
+      } else {
+        promptLockOption(alias);
+      }
+    } catch (err) {
+      process.stdout.write('\n' + formatSystem(`Could not verify alias status (${err.message}). Joining as guest...`) + '\n');
+      setTimeout(() => {
+        setAlias(alias);
+        setToken('');
+        initChat();
+      }, 1500);
+    }
+  });
+}
+
+function promptPassword(alias) {
+  process.stdout.write(`${COLORS.YELLOW}${COLORS.BOLD}This alias is locked. Enter password: ${COLORS.RESET}`);
+  
+  muteInput = true;
+  rl.question('', async (password) => {
+    muteInput = false;
+    process.stdout.write('\n');
+    
+    const pw = password.trim();
+    if (!pw) {
+      process.stdout.write(formatError('Password cannot be empty. Please try again.') + '\n');
+      setTimeout(() => promptPassword(alias), 1500);
+      return;
+    }
+    
+    try {
+      const res = await verifyAlias(alias, pw);
+      if (res.success && res.token) {
+        setAlias(alias);
+        setToken(res.token);
+        initChat();
+      } else {
+        process.stdout.write(formatError('Failed to verify alias.') + '\n');
+        setTimeout(promptAlias, 1500);
+      }
+    } catch (err) {
+      process.stdout.write(formatError(err.message || 'Incorrect password or verification error.') + '\n');
+      setTimeout(promptAlias, 1500);
+    }
+  });
+}
+
+function promptLockOption(alias) {
+  process.stdout.write(`${COLORS.YELLOW}${COLORS.BOLD}Would you like to lock @${alias} with a password? (y/n): ${COLORS.RESET}`);
+  
+  rl.question('', (ans) => {
+    const response = ans.trim().toLowerCase();
+    if (response === 'y' || response === 'yes') {
+      promptCreatePassword(alias);
+    } else {
+      setAlias(alias);
+      setToken('');
+      initChat();
+    }
+  });
+}
+
+function promptCreatePassword(alias) {
+  process.stdout.write(`${COLORS.YELLOW}${COLORS.BOLD}Create password: ${COLORS.RESET}`);
+  
+  muteInput = true;
+  rl.question('', (pw1) => {
+    muteInput = false;
+    process.stdout.write('\n');
+    
+    if (!pw1.trim()) {
+      process.stdout.write(formatError('Password cannot be empty.') + '\n');
+      setTimeout(() => promptCreatePassword(alias), 1500);
+      return;
+    }
+    
+    process.stdout.write(`${COLORS.YELLOW}${COLORS.BOLD}Confirm password: ${COLORS.RESET}`);
+    muteInput = true;
+    rl.question('', async (pw2) => {
+      muteInput = false;
+      process.stdout.write('\n');
+      
+      if (pw1 !== pw2) {
+        process.stdout.write(formatError('Passwords do not match. Let\'s try again.') + '\n');
+        setTimeout(() => promptCreatePassword(alias), 1500);
+        return;
+      }
+      
+      try {
+        const res = await registerAlias(alias, pw1);
+        if (res.success && res.token) {
+          process.stdout.write(formatSystem(`Alias @${alias} successfully locked!`) + '\n');
+          setTimeout(() => {
+            setAlias(alias);
+            setToken(res.token);
+            initChat();
+          }, 1500);
+        } else {
+          process.stdout.write(formatError('Registration failed.') + '\n');
+          setTimeout(promptAlias, 1500);
+        }
+      } catch (err) {
+        process.stdout.write(formatError(err.message || 'Error locking alias.') + '\n');
+        setTimeout(promptAlias, 1500);
+      }
+    });
   });
 }
 
@@ -76,6 +219,11 @@ function initChat() {
   // Add welcome system messages
   addSystemMessage(`Welcome @${getAlias()} to the HACKER LOBBY!`);
   addSystemMessage(`Type your message and press Enter. Type "/exit" to leave.`);
+  addSystemMessage(
+    isUsingCustomPassphrase()
+      ? '🔒 E2EE active (using custom LOBBY_PASSPHRASE)'
+      : '🔒 E2EE active (using default shared lobby key)'
+  );
   
   // Set up prompt
   const promptStr = `${COLORS.CYAN}${COLORS.BOLD}[${getAlias()}]: ${COLORS.RESET}`;
@@ -84,11 +232,14 @@ function initChat() {
   // Connect to backend Server-Sent Events stream
   abortController = new AbortController();
   connectToStream((message) => {
-    addMessage(message.username, message.content);
+    addMessage(message.username, decrypt(message.content));
   }, abortController.signal).catch((err) => {
     addSystemMessage(`Stream disconnected: ${err.message}`);
   });
   
+  // Post join message to the server
+  sendMessage(getAlias(), encrypt('joined the chat')).catch(() => {});
+  
   rl.on('line', (line) => {
     // Disable newline muting once readline has finished processing the line
     muteNewline = false;
@@ -100,7 +251,7 @@ function initChat() {
       }
       
       // Post the message to the Edge server
-      sendMessage(getAlias(), text).catch((err) => {
+      sendMessage(getAlias(), encrypt(text)).catch((err) => {
         addSystemMessage(`Failed to send message: ${err.message}`);
       });
     }
@@ -119,6 +270,11 @@ function initChat() {
     }
   });
   
+  // Handle Ctrl+C gracefully
+  rl.on('SIGINT', () => {
+    cleanupAndExit();
+  });
+  
   // Initial prompt display
   rl.prompt(true);
 }
@@ -143,7 +299,7 @@ function drawLayout() {
   
   // 2. Draw static divider line just above the input prompt
   moveCursor(rows - 1, 1);
-  process.stdout.write(COLORS.GRAY + '─'.repeat(cols) + COLORS.RESET);
+  process.stdout.write(COLORS.GRAY + '-'.repeat(cols) + COLORS.RESET);
   
   // 3. Set the scrolling region for messages
   setScrollRegion(topMargin, bottomMargin);
@@ -207,10 +363,14 @@ function addSystemMessage(text) {
   moveCursor(rows, col);
 }
 
-function cleanupAndExit() {
+async function cleanupAndExit() {
   if (abortController) {
     abortController.abort();
   }
+  try {
+    // Send leave notification to server before exiting
+    await sendMessage(getAlias(), encrypt('left the chat'));
+  } catch (_) {}
   resetScrollRegion();
   clearScreen();
   console.log(formatSystem('Goodbye!'));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hacker-lobby",
-  "version": "1.0.1",
+  "version": "1.1.0",
   "description": "Multiplayer terminal chat application",
   "main": "index.js",
   "type": "module",
@@ -17,4 +17,4 @@
   "engines": {
     "node": ">=16.0.0"
   }
-}
+}

package/src/api.js

@@ -1,4 +1,12 @@
-const API_URL = process.env.API_URL || 'https://hacker-lobby-backend.spidozx.workers.dev';
+import { getToken } from './config.js';
+
+function getApiUrl() {
+  const url = process.env.API_URL;
+  if (!url) {
+    throw new Error('API_URL environment variable is missing. Please make sure you have a .env file configured locally.');
+  }
+  return url;
+}
 
 /**
  * Connects to the SSE stream at /listen and parses incoming messages in real-time.
@@ -6,7 +14,7 @@ const API_URL = process.env.API_URL || 'https://hacker-lobby-backend.spidozx.wor
  * @param {AbortSignal} [signal] - Optional signal to abort/disconnect the connection.
  */
 export async function connectToStream(onMessageCallback, signal) {
-  const url = `${API_URL}/listen`;
+  const url = `${getApiUrl()}/listen`;
 
   try {
     const response = await fetch(url, { signal });
@@ -57,20 +65,86 @@ export async function connectToStream(onMessageCallback, signal) {
  * @returns {Promise<Object>} Response JSON.
  */
 export async function sendMessage(user, text) {
-  const url = `${API_URL}/say`;
+  const url = `${getApiUrl()}/say`;
+  const token = getToken();
+
+  const response = await fetch(url, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({ user, text, token }),
+  });
+
+  if (!response.ok) {
+    const errData = await response.json().catch(() => ({}));
+    throw new Error(errData.error || `HTTP error! Status: ${response.status}`);
+  }
+
+  return response.json();
+}
 
+/**
+ * Checks if an alias is registered and locked.
+ * @param {string} alias
+ * @returns {Promise<{ locked: boolean }>}
+ */
+export async function checkAliasStatus(alias) {
+  const url = `${getApiUrl()}/alias/check`;
   const response = await fetch(url, {
     method: 'POST',
     headers: {
       'Content-Type': 'application/json',
     },
-    body: JSON.stringify({ user, text }),
+    body: JSON.stringify({ alias }),
   });
+  if (!response.ok) {
+    const errData = await response.json().catch(() => ({}));
+    throw new Error(errData.error || `HTTP error! Status: ${response.status}`);
+  }
+  return response.json();
+}
 
+/**
+ * Registers/locks an alias with a password.
+ * @param {string} alias
+ * @param {string} password
+ * @returns {Promise<{ success: boolean, token: string }>}
+ */
+export async function registerAlias(alias, password) {
+  const url = `${getApiUrl()}/alias/register`;
+  const response = await fetch(url, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({ alias, password }),
+  });
   if (!response.ok) {
     const errData = await response.json().catch(() => ({}));
     throw new Error(errData.error || `HTTP error! Status: ${response.status}`);
   }
+  return response.json();
+}
 
+/**
+ * Verifies the password for a locked alias.
+ * @param {string} alias
+ * @param {string} password
+ * @returns {Promise<{ success: boolean, token: string }>}
+ */
+export async function verifyAlias(alias, password) {
+  const url = `${getApiUrl()}/alias/verify`;
+  const response = await fetch(url, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({ alias, password }),
+  });
+  if (!response.ok) {
+    const errData = await response.json().catch(() => ({}));
+    throw new Error(errData.error || `HTTP error! Status: ${response.status}`);
+  }
   return response.json();
 }

package/src/config.js

@@ -1,5 +1,6 @@
 export const state = {
   alias: '',
+  token: '',
 };
 
 /**
@@ -17,3 +18,19 @@ export function setAlias(alias) {
 export function getAlias() {
   return state.alias;
 }
+
+/**
+ * Set the user's authentication token
+ * @param {string} token 
+ */
+export function setToken(token) {
+  state.token = token ? token.trim() : '';
+}
+
+/**
+ * Get the user's authentication token
+ * @returns {string}
+ */
+export function getToken() {
+  return state.token;
+}

package/src/crypto.js

@@ -0,0 +1,63 @@
+import crypto from 'crypto';
+
+// Get key from environment variable or use a secure default
+const PASSPHRASE = process.env.LOBBY_PASSPHRASE || 'hacker-lobby-default-secure-passphrase-2026';
+
+// Derive 32-byte key from passphrase using SHA-256
+const KEY = crypto.createHash('sha256').update(PASSPHRASE).digest();
+
+const ALGORITHM = 'aes-256-cbc';
+const IV_LENGTH = 16;
+
+/**
+ * Encrypts a plaintext string.
+ * Returns a string formatted as "iv_hex:ciphertext_hex"
+ * If encryption fails, returns the original text (fallback)
+ * @param {string} text
+ * @returns {string}
+ */
+export function encrypt(text) {
+  try {
+    const iv = crypto.randomBytes(IV_LENGTH);
+    const cipher = crypto.createCipheriv(ALGORITHM, KEY, iv);
+    let encrypted = cipher.update(text, 'utf8', 'hex');
+    encrypted += cipher.final('hex');
+    return `${iv.toString('hex')}:${encrypted}`;
+  } catch (err) {
+    return text;
+  }
+}
+
+/**
+ * Decrypts an encrypted string formatted as "iv_hex:ciphertext_hex".
+ * If decryption fails or if it's not encrypted, returns a fallback representation or the original text.
+ * @param {string} encryptedText
+ * @returns {string}
+ */
+export function decrypt(encryptedText) {
+  try {
+    if (!encryptedText || typeof encryptedText !== 'string' || !encryptedText.includes(':')) {
+      return '🔒 [Encrypted Message]';
+    }
+    const [ivHex, ciphertextHex] = encryptedText.split(':');
+    if (ivHex.length !== 32 || !/^[0-9a-fA-F]+$/.test(ivHex) || !/^[0-9a-fA-F]+$/.test(ciphertextHex)) {
+      return '🔒 [Encrypted Message]';
+    }
+    const iv = Buffer.from(ivHex, 'hex');
+    const decipher = crypto.createDecipheriv(ALGORITHM, KEY, iv);
+    let decrypted = decipher.update(ciphertextHex, 'hex', 'utf8');
+    decrypted += decipher.final('utf8');
+    return decrypted;
+  } catch (err) {
+    // Decryption failed (probably wrong passphrase/key)
+    return '🔒 [Encrypted Message]';
+  }
+}
+
+/**
+ * Returns true if a custom passphrase is set in the environment.
+ * @returns {boolean}
+ */
+export function isUsingCustomPassphrase() {
+  return !!process.env.LOBBY_PASSPHRASE;
+}

package/src/ui.js

@@ -54,6 +54,12 @@ ${COLORS.CYAN} ██╗  ██╗ █████╗  ██████╗█
  * @returns {string}
  */
 export function formatMessage(sender, text) {
+  if (text === 'joined the chat') {
+    return `${COLORS.GREEN}${COLORS.BOLD}[+]${COLORS.RESET} ${COLORS.CYAN}${COLORS.BOLD}${sender}${COLORS.RESET} ${COLORS.NEON_GREEN}joined the chat${COLORS.RESET}`;
+  }
+  if (text === 'left the chat') {
+    return `${COLORS.RED}${COLORS.BOLD}[-]${COLORS.RESET} ${COLORS.CYAN}${COLORS.BOLD}${sender}${COLORS.RESET} ${COLORS.RED}left the chat${COLORS.RESET}`;
+  }
   return `${COLORS.CYAN}${COLORS.BOLD}${sender}${COLORS.RESET}: ${text}`;
 }
 

package/src/worker.js

@@ -1,6 +1,9 @@
 // Regex to match ANSI escape sequences (control codes, color formatting, etc.)
 const ansiRegex = /[\u001b\u009b][[()#;?]*(?:[0-9]{1,4}(?:;[0-9]{0,4})*)?[0-9A-ORZcf-nqry=><]/g;
 
+// Regex to match encrypted content in the format ivHex:ciphertextHex
+const encryptedRegex = /^[0-9a-fA-F]{32}:[0-9a-fA-F]+$/;
+
 /**
  * Sanitizes input strings by stripping out all ANSI escape sequences to prevent terminal XSS.
  * @param {string} str
@@ -57,6 +60,125 @@ async function pollAndStream(writer, env, request) {
   }
 }
 
+async function hashPassword(password) {
+  const msgUint8 = new TextEncoder().encode(password);
+  const hashBuffer = await crypto.subtle.digest('SHA-256', msgUint8);
+  const hashArray = Array.from(new Uint8Array(hashBuffer));
+  const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
+  return hashHex;
+}
+
+const SESSION_SECRET_FALLBACK = 'hacker-lobby-secret-key-change-me';
+
+async function generateToken(alias, secret) {
+  const keySecret = secret || SESSION_SECRET_FALLBACK;
+  const expiry = Date.now() + 24 * 60 * 60 * 1000; // 24 hours
+  const message = `${alias}:${expiry}`;
+  const encoder = new TextEncoder();
+  const keyData = encoder.encode(keySecret);
+  const key = await crypto.subtle.importKey(
+    'raw',
+    keyData,
+    { name: 'HMAC', hash: 'SHA-256' },
+    false,
+    ['sign']
+  );
+  const signature = await crypto.subtle.sign(
+    'HMAC',
+    key,
+    encoder.encode(message)
+  );
+  const sigHex = Array.from(new Uint8Array(signature))
+    .map(b => b.toString(16).padStart(2, '0'))
+    .join('');
+  return `${message}:${sigHex}`;
+}
+
+async function verifyToken(token, secret) {
+  if (!token) return null;
+  const keySecret = secret || SESSION_SECRET_FALLBACK;
+  try {
+    const parts = token.split(':');
+    if (parts.length !== 3) return null;
+    const [alias, expiryStr, sigHex] = parts;
+    const expiry = parseInt(expiryStr, 10);
+    if (expiry < Date.now()) return null; // Expired
+
+    const message = `${alias}:${expiryStr}`;
+    const encoder = new TextEncoder();
+    const keyData = encoder.encode(keySecret);
+    const key = await crypto.subtle.importKey(
+      'raw',
+      keyData,
+      { name: 'HMAC', hash: 'SHA-256' },
+      false,
+      ['verify']
+    );
+    
+    // Convert hex signature back to bytes
+    const sigBytes = new Uint8Array(
+      sigHex.match(/.{1,2}/g).map(byte => parseInt(byte, 16))
+    );
+    const isValid = await crypto.subtle.verify(
+      'HMAC',
+      key,
+      sigBytes,
+      encoder.encode(message)
+    );
+    return isValid ? alias : null;
+  } catch (e) {
+    return null;
+  }
+}
+
+const BUCKET_CAPACITY = 5.0;
+const REFILL_RATE_PER_MS = 1.0 / 1500.0; // 1 token every 1.5 seconds
+
+async function isRateLimited(ip, env) {
+  if (!env.DB) return false;
+  const now = Date.now();
+  try {
+    const record = await env.DB.prepare(
+      'SELECT last_request_time, tokens FROM rate_limits WHERE ip = ?'
+    )
+      .bind(ip)
+      .first();
+
+    if (!record) {
+      const initialTokens = BUCKET_CAPACITY - 1.0;
+      await env.DB.prepare(
+        'INSERT INTO rate_limits (ip, last_request_time, tokens) VALUES (?, ?, ?)'
+      )
+        .bind(ip, now, initialTokens)
+        .run();
+      return false;
+    }
+
+    const lastRequestTime = record.last_request_time;
+    const oldTokens = record.tokens;
+    const elapsed = now - lastRequestTime;
+    let tokens = oldTokens + elapsed * REFILL_RATE_PER_MS;
+    if (tokens > BUCKET_CAPACITY) {
+      tokens = BUCKET_CAPACITY;
+    }
+
+    if (tokens >= 1.0) {
+      const nextTokens = tokens - 1.0;
+      await env.DB.prepare(
+        'UPDATE rate_limits SET last_request_time = ?, tokens = ? WHERE ip = ?'
+      )
+        .bind(now, nextTokens, ip)
+        .run();
+      return false;
+    } else {
+      return true;
+    }
+  } catch (err) {
+    console.error('Rate limit error:', err);
+    return false;
+  }
+}
+
 export default {
   /**
    * Fetch handler for Cloudflare Worker.
@@ -117,6 +239,130 @@ export default {
       });
     }
 
+    // Routing for POST /alias/check
+    if (url.pathname === '/alias/check') {
+      if (request.method !== 'POST') {
+        return jsonResponse({ error: 'Method Not Allowed' }, 405);
+      }
+      try {
+        const body = await request.json();
+        const { alias } = body || {};
+        if (!alias || typeof alias !== 'string' || !alias.trim()) {
+          return jsonResponse({ error: 'Missing or invalid "alias" parameter' }, 400);
+        }
+        const cleanAlias = sanitizeAnsi(alias.trim());
+        
+        // Ensure database binding exists
+        if (!env.DB) {
+          return jsonResponse({ error: 'Database binding "DB" is not configured' }, 500);
+        }
+
+        const existing = await env.DB.prepare(
+          'SELECT alias FROM aliases WHERE alias = ?'
+        )
+          .bind(cleanAlias)
+          .first();
+          
+        return jsonResponse({ locked: !!existing });
+      } catch (err) {
+        return jsonResponse({ error: `Bad Request: ${err.message}` }, 400);
+      }
+    }
+
+    // Routing for POST /alias/register
+    if (url.pathname === '/alias/register') {
+      if (request.method !== 'POST') {
+        return jsonResponse({ error: 'Method Not Allowed' }, 405);
+      }
+      try {
+        const body = await request.json();
+        const { alias, password } = body || {};
+        if (!alias || typeof alias !== 'string' || !alias.trim()) {
+          return jsonResponse({ error: 'Missing or invalid "alias" parameter' }, 400);
+        }
+        if (!password || typeof password !== 'string' || !password.trim()) {
+          return jsonResponse({ error: 'Missing or invalid "password" parameter' }, 400);
+        }
+        const cleanAlias = sanitizeAnsi(alias.trim());
+        
+        // Ensure database binding exists
+        if (!env.DB) {
+          return jsonResponse({ error: 'Database binding "DB" is not configured' }, 500);
+        }
+
+        // Check if already registered
+        const existing = await env.DB.prepare(
+          'SELECT alias FROM aliases WHERE alias = ?'
+        )
+          .bind(cleanAlias)
+          .first();
+          
+        if (existing) {
+          return jsonResponse({ error: 'Alias is already locked' }, 400);
+        }
+        
+        const passwordHash = await hashPassword(password);
+        
+        await env.DB.prepare(
+          'INSERT INTO aliases (alias, password_hash) VALUES (?, ?)'
+        )
+          .bind(cleanAlias, passwordHash)
+          .run();
+          
+        const secret = env.SESSION_SECRET || env.JWT_SECRET;
+        const token = await generateToken(cleanAlias, secret);
+        
+        return jsonResponse({ success: true, token }, 201);
+      } catch (err) {
+        return jsonResponse({ error: `Bad Request: ${err.message}` }, 400);
+      }
+    }
+
+    // Routing for POST /alias/verify
+    if (url.pathname === '/alias/verify') {
+      if (request.method !== 'POST') {
+        return jsonResponse({ error: 'Method Not Allowed' }, 405);
+      }
+      try {
+        const body = await request.json();
+        const { alias, password } = body || {};
+        if (!alias || typeof alias !== 'string' || !alias.trim()) {
+          return jsonResponse({ error: 'Missing or invalid "alias" parameter' }, 400);
+        }
+        if (!password || typeof password !== 'string' || !password.trim()) {
+          return jsonResponse({ error: 'Missing or invalid "password" parameter' }, 400);
+        }
+        const cleanAlias = sanitizeAnsi(alias.trim());
+        
+        // Ensure database binding exists
+        if (!env.DB) {
+          return jsonResponse({ error: 'Database binding "DB" is not configured' }, 500);
+        }
+
+        const record = await env.DB.prepare(
+          'SELECT password_hash FROM aliases WHERE alias = ?'
+        )
+          .bind(cleanAlias)
+          .first();
+          
+        if (!record) {
+          return jsonResponse({ error: 'Alias is not locked/registered' }, 404);
+        }
+        
+        const passwordHash = await hashPassword(password);
+        if (record.password_hash !== passwordHash) {
+          return jsonResponse({ error: 'Invalid password' }, 401);
+        }
+        
+        const secret = env.SESSION_SECRET || env.JWT_SECRET;
+        const token = await generateToken(cleanAlias, secret);
+        
+        return jsonResponse({ success: true, token });
+      } catch (err) {
+        return jsonResponse({ error: `Bad Request: ${err.message}` }, 400);
+      }
+    }
+
     // Routing for POST /say
     if (url.pathname === '/say') {
       if (request.method !== 'POST') {
@@ -124,8 +370,14 @@ export default {
       }
 
       try {
+        const ip = request.headers.get('CF-Connecting-IP') || '127.0.0.1';
+        const isLimited = await isRateLimited(ip, env);
+        if (isLimited) {
+          return jsonResponse({ error: 'Rate limit exceeded. Please wait before sending more messages.' }, 429);
+        }
+
         const body = await request.json();
-        const { user, text } = body || {};
+        const { user, text, token } = body || {};
 
         // Validation: parameters must exist, be strings, and not be empty
         if (!user || typeof user !== 'string' || !user.trim()) {
@@ -136,6 +388,10 @@ export default {
           return jsonResponse({ error: 'Missing or invalid "text" parameter' }, 400);
         }
 
+        if (!encryptedRegex.test(text)) {
+          return jsonResponse({ error: 'Bad Request: Message content must be encrypted.' }, 400);
+        }
+
         // Sanitize username and content of ANSI escape sequences to prevent terminal XSS
         const sanitizedUser = sanitizeAnsi(user);
         const sanitizedText = sanitizeAnsi(text);
@@ -145,6 +401,21 @@ export default {
           return jsonResponse({ error: 'Database binding "DB" is not configured' }, 500);
         }
 
+        // Authentication check: if alias is locked, verify token
+        const record = await env.DB.prepare(
+          'SELECT alias FROM aliases WHERE alias = ?'
+        )
+          .bind(sanitizedUser)
+          .first();
+
+        if (record) {
+          const secret = env.SESSION_SECRET || env.JWT_SECRET;
+          const verifiedAlias = await verifyToken(token, secret);
+          if (!verifiedAlias || verifiedAlias !== sanitizedUser) {
+            return jsonResponse({ error: 'Unauthorized: This alias is locked and requires a valid session token' }, 401);
+          }
+        }
+
         // Insert into D1 messages table safely using parameterized bindings
         await env.DB.prepare(
           'INSERT INTO messages (username, content) VALUES (?, ?)'