admin/logbuch
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

v1.6.1: Sicherheit – Rate Limiting, Default-PW via Env, AUTH_SECRET Pflicht, Bcrypt 12

Browse Source
This commit is contained in:
Reinhard X. Fürst
2026-05-11 13:26:51 +02:00
parent 0ea960259c
commit 9bea0a11de
33 changed files with 991 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files
lib/auth.ts
+4 -2
View File
@@ -39,7 +39,9 @@ export async function verifyCredentials(
if (!beo) return null;
if (!beo.pw) {
const valid = password === 'welzheim';
const defaultPw = process.env.DEFAULT_PASSWORD;
if (!defaultPw) throw new Error('DEFAULT_PASSWORD Umgebungsvariable ist nicht gesetzt!');
const valid = password === defaultPw;
return { beo, valid };
}
@@ -48,7 +50,7 @@ export async function verifyCredentials(
}
export async function hashPassword(password: string): Promise<string> {
return bcrypt.hash(password, 10);
return bcrypt.hash(password, 12);
}
export function getBeoDisplayName(beo: Beo): string {
lib/ratelimit.ts
+38
View File
@@ -0,0 +1,38 @@
// In-memory rate limiter funktioniert pro Prozess (single Docker container).
// Erlaubt MAX_ATTEMPTS Versuche pro IP innerhalb WINDOW_MS Millisekunden.
const MAX_ATTEMPTS = 10;
const WINDOW_MS = 15 * 60 * 1000; // 15 Minuten
interface Entry {
count: number;
resetAt: number;
}
const store = new Map<string, Entry>();
// Aufräumen abgelaufener Einträge alle 5 Minuten
setInterval(() => {
const now = Date.now();
for (const [key, entry] of store) {
if (entry.resetAt < now) store.delete(key);
}
}, 5 * 60 * 1000);
export function checkRateLimit(ip: string): { allowed: boolean; remainingMs: number } {
const now = Date.now();
const entry = store.get(ip);
if (!entry || entry.resetAt < now) {
store.set(ip, { count: 1, resetAt: now + WINDOW_MS });
return { allowed: true, remainingMs: 0 };
}
entry.count += 1;
if (entry.count > MAX_ATTEMPTS) {
return { allowed: false, remainingMs: entry.resetAt - now };
}
return { allowed: true, remainingMs: 0 };
}
lib/session.ts
+4 -1
View File
@@ -4,7 +4,10 @@ import { SignJWT, jwtVerify } from 'jose';
const SESSION_COOKIE_NAME = 'logbuch_session';
const SESSION_DURATION = 60 * 60 * 1000;
const secretKey = process.env.AUTH_SECRET || 'logbuch-secret-change-in-production';
const secretKey = process.env.AUTH_SECRET;
if (!secretKey) {
throw new Error('AUTH_SECRET Umgebungsvariable ist nicht gesetzt!');
}
const key = new TextEncoder().encode(secretKey);
export interface SessionData {