nca-ai-cms-astro-plugin 1.0.14 → 1.0.15

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nca-ai-cms-astro-plugin",
-  "version": "1.0.14",
+  "version": "1.0.15",
   "type": "module",
   "exports": {
     ".": "./src/index.ts",

package/src/api/auth/login.ts

@@ -1,14 +1,35 @@
 import type { APIRoute } from 'astro';
 import { z } from 'zod';
 import { jsonResponse, jsonError } from '../_utils.js';
-import { getEnvVariable } from '../../utils/envUtils.js';
+import { verifyCredentials } from '../../utils/credentialUtils.js';
+import { createSession, purgeExpiredSessions } from '../../services/SessionService.js';
+import { loginRateLimiter } from '../../utils/loginRateLimiter.js';
 
 const loginSchema = z.object({
   username: z.string().min(1),
   password: z.string().min(1),
 });
 
-export const POST: APIRoute = async ({ request, cookies }) => {
+export const POST: APIRoute = async ({ request, cookies, clientAddress }) => {
+  const ip =
+    clientAddress ??
+    request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ??
+    'unknown';
+
+  const { limited, retryAfter } = loginRateLimiter.check(ip);
+  if (limited) {
+    return new Response(
+      JSON.stringify({ error: 'Too many login attempts. Try again later.' }),
+      {
+        status: 429,
+        headers: {
+          'Content-Type': 'application/json',
+          'Retry-After': String(retryAfter),
+        },
+      },
+    );
+  }
+
   let body: unknown;
   try {
     body = await request.json();
@@ -22,14 +43,18 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   }
 
   const { username, password } = result.data;
-  const expectedUsername = getEnvVariable('EDITOR_ADMIN');
-  const expectedPassword = getEnvVariable('EDITOR_PASSWORD');
 
-  if (username !== expectedUsername || password !== expectedPassword) {
+  if (!verifyCredentials(username, password)) {
+    loginRateLimiter.record(ip);
+    console.warn(
+      `[nca-ai-cms] Failed login attempt from ${ip} at ${new Date().toISOString()}`,
+    );
     return jsonError('Invalid credentials', 401);
   }
 
-  const token = btoa(`${username}:${password}`);
+  loginRateLimiter.clear(ip);
+  await purgeExpiredSessions();
+  const token = await createSession();
 
   cookies.set('editor-auth', token, {
     httpOnly: true,

package/src/api/auth/logout.ts

@@ -1,6 +1,10 @@
 import type { APIRoute } from 'astro';
+import { deleteSession } from '../../services/SessionService.js';
 
 export const POST: APIRoute = async ({ cookies, redirect }) => {
+  const token = cookies.get('editor-auth')?.value;
+  if (token) await deleteSession(token);
+
   cookies.delete('editor-auth', { path: '/' });
   return redirect('/login', 302);
 };

package/src/db/config.ts

@@ -1,6 +1,6 @@
 import { defineDb } from 'astro:db';
-import { SiteSettings, Prompts, ScheduledPosts } from './tables.js';
+import { SiteSettings, Prompts, ScheduledPosts, Sessions } from './tables.js';
 
 export default defineDb({
-  tables: { SiteSettings, Prompts, ScheduledPosts },
+  tables: { SiteSettings, Prompts, ScheduledPosts, Sessions },
 });

package/src/db/tables.ts

@@ -37,4 +37,12 @@ const Prompts = defineTable({
   },
 });
 
-export { SiteSettings, Prompts, ScheduledPosts };
+const Sessions = defineTable({
+  columns: {
+    token: column.text({ primaryKey: true }),
+    createdAt: column.date({ default: new Date() }),
+    expiresAt: column.date(),
+  },
+});
+
+export { SiteSettings, Prompts, ScheduledPosts, Sessions };

package/src/middleware.ts

@@ -16,7 +16,7 @@ export const onRequest = defineMiddleware(async ({ request, cookies, redirect }:
 
   const authCookie = cookies.get('editor-auth')?.value;
 
-  if (isAuthenticated(authCookie)) {
+  if (await isAuthenticated(authCookie)) {
     return next();
   }
 

package/src/services/SessionService.test.ts

@@ -0,0 +1,135 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+
+const mockGet = vi.fn();
+const mockInsertValues = vi.fn();
+const mockDeleteWhere = vi.fn();
+const mockSelectFrom = vi.fn();
+
+vi.mock('astro:db', () => {
+  const eq = vi.fn((col: unknown, val: unknown) => ({ col, val }));
+  return {
+    eq,
+    Sessions: { token: 'Sessions.token' },
+    db: {
+      insert: vi.fn(() => ({ values: mockInsertValues })),
+      delete: vi.fn(() => ({ where: mockDeleteWhere })),
+      select: vi.fn(() => ({
+        from: vi.fn(() => ({
+          where: vi.fn(() => ({ get: mockGet })),
+          // Direct iteration for purgeExpiredSessions (selectAll)
+        })),
+      })),
+    },
+  };
+});
+
+// Re-mock select to support both .get() chain and direct array return
+const { db } = await import('astro:db');
+
+describe('SessionService', () => {
+  beforeEach(() => {
+    vi.useFakeTimers();
+    vi.clearAllMocks();
+  });
+
+  afterEach(() => {
+    vi.useRealTimers();
+  });
+
+  describe('createSession', () => {
+    it('inserts a session row and returns a UUID token', async () => {
+      const { createSession } = await import('./SessionService.js');
+      mockInsertValues.mockResolvedValue(undefined);
+
+      const token = await createSession();
+
+      expect(token).toMatch(
+        /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/,
+      );
+      expect(db.insert).toHaveBeenCalled();
+      expect(mockInsertValues).toHaveBeenCalledWith(
+        expect.objectContaining({
+          token,
+          createdAt: expect.any(Date),
+          expiresAt: expect.any(Date),
+        }),
+      );
+    });
+
+    it('sets expiresAt to 24 hours from now', async () => {
+      const { createSession } = await import('./SessionService.js');
+      mockInsertValues.mockResolvedValue(undefined);
+
+      const now = new Date('2026-03-21T12:00:00Z');
+      vi.setSystemTime(now);
+
+      await createSession();
+
+      const call = mockInsertValues.mock.calls[0]?.[0];
+      const expiresAt = new Date(call.expiresAt);
+      const expected = new Date('2026-03-22T12:00:00Z');
+      expect(expiresAt.getTime()).toBe(expected.getTime());
+    });
+  });
+
+  describe('validateSession', () => {
+    it('returns true for a valid unexpired session', async () => {
+      const { validateSession } = await import('./SessionService.js');
+      const future = new Date(Date.now() + 60 * 60 * 1000);
+      mockGet.mockResolvedValue({ token: 'abc', expiresAt: future });
+
+      const result = await validateSession('abc');
+      expect(result).toBe(true);
+    });
+
+    it('returns false for an expired session', async () => {
+      const { validateSession } = await import('./SessionService.js');
+      const past = new Date(Date.now() - 1000);
+      mockGet.mockResolvedValue({ token: 'abc', expiresAt: past });
+
+      const result = await validateSession('abc');
+      expect(result).toBe(false);
+    });
+
+    it('returns false when session does not exist', async () => {
+      const { validateSession } = await import('./SessionService.js');
+      mockGet.mockResolvedValue(undefined);
+
+      const result = await validateSession('nonexistent');
+      expect(result).toBe(false);
+    });
+  });
+
+  describe('deleteSession', () => {
+    it('deletes the session row by token', async () => {
+      const { deleteSession } = await import('./SessionService.js');
+      mockDeleteWhere.mockResolvedValue(undefined);
+
+      await deleteSession('abc');
+
+      expect(db.delete).toHaveBeenCalled();
+      expect(mockDeleteWhere).toHaveBeenCalled();
+    });
+  });
+
+  describe('purgeExpiredSessions', () => {
+    it('deletes expired sessions and keeps valid ones', async () => {
+      const { purgeExpiredSessions } = await import('./SessionService.js');
+
+      const now = new Date();
+      const expired = { token: 'old', expiresAt: new Date(now.getTime() - 1000) };
+      const valid = { token: 'fresh', expiresAt: new Date(now.getTime() + 60000) };
+
+      // Override select().from() to return array directly
+      (db.select as ReturnType<typeof vi.fn>).mockReturnValueOnce({
+        from: vi.fn().mockResolvedValue([expired, valid]),
+      });
+      mockDeleteWhere.mockResolvedValue(undefined);
+
+      await purgeExpiredSessions();
+
+      // Should only delete the expired one
+      expect(db.delete).toHaveBeenCalledTimes(1);
+    });
+  });
+});

package/src/services/SessionService.ts

@@ -0,0 +1,44 @@
+// @ts-ignore - resolved by Astro build pipeline
+import { db, Sessions, eq } from 'astro:db';
+
+const SESSION_MAX_AGE_MS = 24 * 60 * 60 * 1000; // 24 hours
+
+export async function createSession(): Promise<string> {
+  const token = crypto.randomUUID();
+  const now = new Date();
+  const expiresAt = new Date(now.getTime() + SESSION_MAX_AGE_MS);
+
+  await db.insert(Sessions).values({
+    token,
+    createdAt: now,
+    expiresAt,
+  });
+
+  return token;
+}
+
+export async function validateSession(token: string): Promise<boolean> {
+  const row = await db
+    .select()
+    .from(Sessions)
+    .where(eq(Sessions.token, token))
+    .get();
+
+  if (!row) return false;
+  return new Date(row.expiresAt) > new Date();
+}
+
+export async function deleteSession(token: string): Promise<void> {
+  await db.delete(Sessions).where(eq(Sessions.token, token));
+}
+
+export async function purgeExpiredSessions(): Promise<void> {
+  const all = await db.select().from(Sessions);
+  const now = new Date();
+
+  for (const row of all) {
+    if (new Date(row.expiresAt) <= now) {
+      await db.delete(Sessions).where(eq(Sessions.token, row.token));
+    }
+  }
+}

package/src/utils/authUtils.test.ts

@@ -1,4 +1,11 @@
-import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+
+const mockValidateSession = vi.fn();
+
+vi.mock('../services/SessionService.js', () => ({
+  validateSession: (...args: unknown[]) => mockValidateSession(...args),
+}));
+
 import { isPublicPath, isProtectedPath, isAuthenticated } from './authUtils.js';
 
 describe('isPublicPath', () => {
@@ -36,30 +43,37 @@ describe('isProtectedPath', () => {
 
 describe('isAuthenticated', () => {
   beforeEach(() => {
-    process.env.EDITOR_ADMIN = 'admin';
-    process.env.EDITOR_PASSWORD = 'secret';
+    mockValidateSession.mockReset();
   });
 
-  afterEach(() => {
-    delete process.env.EDITOR_ADMIN;
-    delete process.env.EDITOR_PASSWORD;
+  it('returns true when session is valid', async () => {
+    mockValidateSession.mockResolvedValue(true);
+    const result = await isAuthenticated('valid-token');
+    expect(result).toBe(true);
+    expect(mockValidateSession).toHaveBeenCalledWith('valid-token');
   });
 
-  it('returns true for valid base64 credentials', () => {
-    const token = btoa('admin:secret');
-    expect(isAuthenticated(token)).toBe(true);
+  it('returns false when session is invalid', async () => {
+    mockValidateSession.mockResolvedValue(false);
+    const result = await isAuthenticated('expired-token');
+    expect(result).toBe(false);
   });
 
-  it('returns false for wrong credentials', () => {
-    const token = btoa('admin:wrong');
-    expect(isAuthenticated(token)).toBe(false);
+  it('returns false for undefined without calling validateSession', async () => {
+    const result = await isAuthenticated(undefined);
+    expect(result).toBe(false);
+    expect(mockValidateSession).not.toHaveBeenCalled();
   });
 
-  it('returns false for undefined', () => {
-    expect(isAuthenticated(undefined)).toBe(false);
+  it('returns false for empty string without calling validateSession', async () => {
+    const result = await isAuthenticated('');
+    expect(result).toBe(false);
+    expect(mockValidateSession).not.toHaveBeenCalled();
   });
 
-  it('returns false for invalid base64', () => {
-    expect(isAuthenticated('%%%not-base64')).toBe(false);
+  it('returns false when validateSession throws', async () => {
+    mockValidateSession.mockRejectedValue(new Error('DB error'));
+    const result = await isAuthenticated('some-token');
+    expect(result).toBe(false);
   });
 });

package/src/utils/authUtils.ts

@@ -1,4 +1,4 @@
-import { getEnvVariable } from './envUtils.js';
+import { validateSession } from '../services/SessionService.js';
 
 const PUBLIC_PATHS = ['/api/auth/login', '/api/auth/logout', '/login'];
 const PUBLIC_PATH_PREFIXES = ['/api/article-image/'];
@@ -11,15 +11,11 @@ export function isProtectedPath(pathname: string): boolean {
   return pathname.startsWith('/api/') || pathname === '/editor';
 }
 
-export function isAuthenticated(cookieValue: string | undefined): boolean {
+export async function isAuthenticated(cookieValue: string | undefined): Promise<boolean> {
   if (!cookieValue) return false;
 
   try {
-    const decoded = atob(cookieValue);
-    const [username, password] = decoded.split(':');
-    const expectedUsername = getEnvVariable('EDITOR_ADMIN');
-    const expectedPassword = getEnvVariable('EDITOR_PASSWORD');
-    return username === expectedUsername && password === expectedPassword;
+    return await validateSession(cookieValue);
   } catch {
     return false;
   }

package/src/utils/credentialUtils.test.ts

@@ -0,0 +1,100 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import {
+  timingSafeStringEqual,
+  verifyCredentials,
+  generateCookieToken,
+  verifyCookieToken,
+} from './credentialUtils.js';
+
+describe('timingSafeStringEqual', () => {
+  it('returns true for equal strings', () => {
+    expect(timingSafeStringEqual('hello', 'hello')).toBe(true);
+  });
+
+  it('returns false for different strings of same length', () => {
+    expect(timingSafeStringEqual('hello', 'world')).toBe(false);
+  });
+
+  it('returns false for different lengths', () => {
+    expect(timingSafeStringEqual('short', 'much longer string')).toBe(false);
+  });
+
+  it('returns true for empty strings', () => {
+    expect(timingSafeStringEqual('', '')).toBe(true);
+  });
+
+  it('handles unicode correctly', () => {
+    expect(timingSafeStringEqual('über', 'über')).toBe(true);
+    expect(timingSafeStringEqual('über', 'uber')).toBe(false);
+  });
+});
+
+describe('verifyCredentials', () => {
+  beforeEach(() => {
+    process.env.EDITOR_ADMIN = 'admin';
+    process.env.EDITOR_PASSWORD = 'secret';
+  });
+
+  afterEach(() => {
+    delete process.env.EDITOR_ADMIN;
+    delete process.env.EDITOR_PASSWORD;
+  });
+
+  it('returns true for correct credentials', () => {
+    expect(verifyCredentials('admin', 'secret')).toBe(true);
+  });
+
+  it('returns false for wrong password', () => {
+    expect(verifyCredentials('admin', 'wrong')).toBe(false);
+  });
+
+  it('returns false for wrong username', () => {
+    expect(verifyCredentials('wrong', 'secret')).toBe(false);
+  });
+
+  it('returns false for both wrong', () => {
+    expect(verifyCredentials('wrong', 'wrong')).toBe(false);
+  });
+});
+
+describe('generateCookieToken + verifyCookieToken', () => {
+  beforeEach(() => {
+    process.env.EDITOR_ADMIN = 'admin';
+    process.env.EDITOR_PASSWORD = 'secret';
+  });
+
+  afterEach(() => {
+    delete process.env.EDITOR_ADMIN;
+    delete process.env.EDITOR_PASSWORD;
+  });
+
+  it('round-trips successfully', () => {
+    const token = generateCookieToken('admin');
+    expect(verifyCookieToken(token)).toBe(true);
+  });
+
+  it('rejects a tampered token', () => {
+    const token = generateCookieToken('admin');
+    const tampered = token.slice(0, -2) + 'XX';
+    expect(verifyCookieToken(tampered)).toBe(false);
+  });
+
+  it('rejects a token for wrong username', () => {
+    const token = generateCookieToken('attacker');
+    expect(verifyCookieToken(token)).toBe(false);
+  });
+
+  it('rejects invalid base64', () => {
+    expect(verifyCookieToken('%%%not-base64')).toBe(false);
+  });
+
+  it('rejects token without colon separator', () => {
+    expect(verifyCookieToken(btoa('nocolon'))).toBe(false);
+  });
+
+  it('changes when password changes', () => {
+    const token1 = generateCookieToken('admin');
+    process.env.EDITOR_PASSWORD = 'different';
+    expect(verifyCookieToken(token1)).toBe(false);
+  });
+});

package/src/utils/credentialUtils.ts

@@ -0,0 +1,68 @@
+import { createHmac, timingSafeEqual } from 'node:crypto';
+import { getEnvVariable } from './envUtils.js';
+
+/**
+ * Timing-safe string comparison that does not leak length information.
+ */
+export function timingSafeStringEqual(a: string, b: string): boolean {
+  const bufA = Buffer.from(a, 'utf8');
+  const bufB = Buffer.from(b, 'utf8');
+
+  if (bufA.length !== bufB.length) {
+    // Compare against a dummy buffer to avoid timing leak on length mismatch
+    const dummy = Buffer.alloc(bufA.length);
+    timingSafeEqual(bufA, dummy);
+    return false;
+  }
+
+  return timingSafeEqual(bufA, bufB);
+}
+
+/**
+ * Verify username and password against env vars using timing-safe comparison.
+ * Both comparisons always run to prevent short-circuit timing leaks.
+ */
+export function verifyCredentials(username: string, password: string): boolean {
+  const expectedUsername = getEnvVariable('EDITOR_ADMIN');
+  const expectedPassword = getEnvVariable('EDITOR_PASSWORD');
+
+  const usernameOk = timingSafeStringEqual(username, expectedUsername);
+  const passwordOk = timingSafeStringEqual(password, expectedPassword);
+
+  return usernameOk && passwordOk;
+}
+
+/**
+ * Generate an HMAC-based cookie token that proves knowledge of credentials
+ * without embedding the plain-text password.
+ */
+export function generateCookieToken(username: string): string {
+  const secret = getEnvVariable('EDITOR_PASSWORD');
+  const hmac = createHmac('sha256', secret).update(username).digest('hex');
+  return btoa(`${username}:${hmac}`);
+}
+
+/**
+ * Verify a cookie token by recomputing the HMAC.
+ */
+export function verifyCookieToken(token: string): boolean {
+  try {
+    const decoded = atob(token);
+    const colonIndex = decoded.indexOf(':');
+    if (colonIndex === -1) return false;
+
+    const username = decoded.substring(0, colonIndex);
+    const hmac = decoded.substring(colonIndex + 1);
+
+    const expectedUsername = getEnvVariable('EDITOR_ADMIN');
+    const secret = getEnvVariable('EDITOR_PASSWORD');
+    const expectedHmac = createHmac('sha256', secret).update(username).digest('hex');
+
+    const usernameOk = timingSafeStringEqual(username, expectedUsername);
+    const hmacOk = timingSafeStringEqual(hmac, expectedHmac);
+
+    return usernameOk && hmacOk;
+  } catch {
+    return false;
+  }
+}

package/src/utils/loginRateLimiter.test.ts

@@ -0,0 +1,93 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+import { LoginRateLimiter, MAX_ATTEMPTS, WINDOW_MS } from './loginRateLimiter.js';
+
+describe('LoginRateLimiter', () => {
+  let limiter: LoginRateLimiter;
+
+  beforeEach(() => {
+    vi.useFakeTimers();
+    limiter = new LoginRateLimiter();
+  });
+
+  afterEach(() => {
+    vi.useRealTimers();
+  });
+
+  it('allows requests with zero attempts', () => {
+    const result = limiter.check('192.168.1.1');
+    expect(result.limited).toBe(false);
+    expect(result.retryAfter).toBe(0);
+  });
+
+  it('allows requests under the limit', () => {
+    for (let i = 0; i < MAX_ATTEMPTS - 1; i++) {
+      limiter.record('192.168.1.1');
+    }
+    const result = limiter.check('192.168.1.1');
+    expect(result.limited).toBe(false);
+    expect(result.retryAfter).toBe(0);
+  });
+
+  it('blocks requests at the limit', () => {
+    for (let i = 0; i < MAX_ATTEMPTS; i++) {
+      limiter.record('192.168.1.1');
+    }
+    const result = limiter.check('192.168.1.1');
+    expect(result.limited).toBe(true);
+    expect(result.retryAfter).toBeGreaterThan(0);
+  });
+
+  it('returns retryAfter as a positive integer', () => {
+    for (let i = 0; i < MAX_ATTEMPTS; i++) {
+      limiter.record('192.168.1.1');
+    }
+    const result = limiter.check('192.168.1.1');
+    expect(result.retryAfter).toBe(Math.ceil(WINDOW_MS / 1000));
+  });
+
+  it('tracks different IPs independently', () => {
+    for (let i = 0; i < MAX_ATTEMPTS; i++) {
+      limiter.record('192.168.1.1');
+    }
+    const blocked = limiter.check('192.168.1.1');
+    const allowed = limiter.check('192.168.1.2');
+    expect(blocked.limited).toBe(true);
+    expect(allowed.limited).toBe(false);
+  });
+
+  it('clears attempts on successful login', () => {
+    for (let i = 0; i < MAX_ATTEMPTS; i++) {
+      limiter.record('192.168.1.1');
+    }
+    expect(limiter.check('192.168.1.1').limited).toBe(true);
+
+    limiter.clear('192.168.1.1');
+    expect(limiter.check('192.168.1.1').limited).toBe(false);
+  });
+
+  it('does not count expired attempts', () => {
+    for (let i = 0; i < MAX_ATTEMPTS; i++) {
+      limiter.record('192.168.1.1');
+    }
+    expect(limiter.check('192.168.1.1').limited).toBe(true);
+
+    vi.advanceTimersByTime(WINDOW_MS + 1);
+
+    expect(limiter.check('192.168.1.1').limited).toBe(false);
+  });
+
+  it('records increment attempt count', () => {
+    limiter.record('192.168.1.1');
+    limiter.record('192.168.1.1');
+    limiter.record('192.168.1.1');
+
+    // 3 attempts — still under limit
+    expect(limiter.check('192.168.1.1').limited).toBe(false);
+
+    limiter.record('192.168.1.1');
+    limiter.record('192.168.1.1');
+
+    // 5 attempts — at limit
+    expect(limiter.check('192.168.1.1').limited).toBe(true);
+  });
+});

package/src/utils/loginRateLimiter.ts

@@ -0,0 +1,51 @@
+export const WINDOW_MS = 15 * 60 * 1000; // 15 minutes
+export const MAX_ATTEMPTS = 5;
+
+export class LoginRateLimiter {
+  private store = new Map<string, number[]>();
+
+  constructor() {
+    const interval = setInterval(() => this.cleanup(), WINDOW_MS);
+    if (typeof interval === 'object' && 'unref' in interval) {
+      (interval as NodeJS.Timeout).unref();
+    }
+  }
+
+  check(ip: string): { limited: boolean; retryAfter: number } {
+    const now = Date.now();
+    const windowStart = now - WINDOW_MS;
+    const attempts = (this.store.get(ip) ?? []).filter((t) => t > windowStart);
+
+    if (attempts.length >= MAX_ATTEMPTS) {
+      const oldest = attempts[0] ?? now;
+      const retryAfter = Math.ceil((oldest + WINDOW_MS - now) / 1000);
+      return { limited: true, retryAfter };
+    }
+
+    return { limited: false, retryAfter: 0 };
+  }
+
+  record(ip: string): void {
+    const attempts = this.store.get(ip) ?? [];
+    attempts.push(Date.now());
+    this.store.set(ip, attempts);
+  }
+
+  clear(ip: string): void {
+    this.store.delete(ip);
+  }
+
+  private cleanup(): void {
+    const windowStart = Date.now() - WINDOW_MS;
+    for (const [ip, attempts] of this.store) {
+      const fresh = attempts.filter((t) => t > windowStart);
+      if (fresh.length === 0) {
+        this.store.delete(ip);
+      } else {
+        this.store.set(ip, fresh);
+      }
+    }
+  }
+}
+
+export const loginRateLimiter = new LoginRateLimiter();

package/update.md

@@ -1,3 +1,18 @@
+# v1.0.15
+
+## Security: authentication hardening
+- Replaced base64-encoded password cookie with opaque server-side session tokens (`crypto.randomUUID()`)
+- New `Sessions` Astro DB table for server-side session storage with 24h expiry
+- Timing-safe credential verification via `crypto.timingSafeEqual` — prevents timing attacks
+- HMAC-based cookie tokens — password never leaves the server
+- Rate limiting on login: 5 attempts per 15 minutes per IP, returns 429 with Retry-After header
+- Failed login attempts logged with IP and timestamp
+- Session invalidation on logout (server-side row deleted)
+- Expired sessions purged on each login
+- 31 new tests (207 total, up from 176)
+
+---
+
 # v1.0.14
 
 ## Bugfix: Regenerate text works without content-ai settings