refactor(auth): remove nonce, rely on rate limiting + JWT

Author: lukeocodes

app.py

@@ -8,7 +8,7 @@
 - POST endpoint: /api/text-to-speech
 - Accepts JSON text input
 - Returns raw audio bytes (application/octet-stream)
-- JWT session auth with page nonce (production only)
+- JWT session auth with rate limiting (production only)
 - Serves built frontend from frontend/dist/
 """
 
@@ -18,7 +18,7 @@
 import time
 
 import jwt
-from flask import Flask, request, jsonify, make_response
+from flask import Flask, request, jsonify, make_response, send_from_directory
 from flask_cors import CORS
 from deepgram import DeepgramClient
 from dotenv import load_dotenv
@@ -40,50 +40,13 @@
 }
 
 # ============================================================================
-# SESSION AUTH - JWT tokens with page nonce for production security
+# SESSION AUTH - JWT tokens with rate limiting for production security
 # ============================================================================
 
 SESSION_SECRET = os.environ.get("SESSION_SECRET") or secrets.token_hex(32)
-REQUIRE_NONCE = bool(os.environ.get("SESSION_SECRET"))
-
-# In-memory nonce store: nonce -> expiry timestamp
-session_nonces = {}
-NONCE_TTL = 5 * 60  # 5 minutes
 JWT_EXPIRY = 3600  # 1 hour
 
 
-def generate_nonce():
-    """Generates a single-use nonce and stores it with an expiry."""
-    nonce = secrets.token_hex(16)
-    session_nonces[nonce] = time.time() + NONCE_TTL
-    return nonce
-
-
-def consume_nonce(nonce):
-    """Validates and consumes a nonce (single-use). Returns True if valid."""
-    expiry = session_nonces.pop(nonce, None)
-    if expiry is None:
-        return False
-    return time.time() < expiry
-
-
-def cleanup_nonces():
-    """Remove expired nonces."""
-    now = time.time()
-    expired = [k for k, v in session_nonces.items() if now >= v]
-    for k in expired:
-        del session_nonces[k]
-
-
-# Read frontend/dist/index.html template for nonce injection
-_index_html_template = None
-try:
-    with open(os.path.join(os.path.dirname(__file__), "frontend", "dist", "index.html")) as f:
-        _index_html_template = f.read()
-except FileNotFoundError:
-    pass  # No built frontend (dev mode)
-
-
 def require_session(f):
     """Decorator that validates JWT from Authorization header."""
     @functools.wraps(f)
@@ -162,34 +125,16 @@ def validate_api_key():
 
 @app.route("/", methods=["GET"])
 def serve_index():
-    """Serve index.html with injected session nonce (production only)."""
-    if not _index_html_template:
+    """Serve the built frontend index.html."""
+    frontend_dir = os.path.join(os.path.dirname(__file__), "frontend", "dist")
+    if not os.path.isfile(os.path.join(frontend_dir, "index.html")):
         return "Frontend not built. Run make build first.", 404
-    cleanup_nonces()
-    nonce = generate_nonce()
-    html = _index_html_template.replace(
-        "</head>",
-        f'<meta name="session-nonce" content="{nonce}">\n</head>'
-    )
-    response = make_response(html)
-    response.headers["Content-Type"] = "text/html"
-    return response
+    return send_from_directory(frontend_dir, "index.html")
 
 
 @app.route("/api/session", methods=["GET"])
 def get_session():
-    """Issues a JWT. In production, requires valid nonce via X-Session-Nonce header."""
-    if REQUIRE_NONCE:
-        nonce = request.headers.get("X-Session-Nonce")
-        if not nonce or not consume_nonce(nonce):
-            return jsonify({
-                "error": {
-                    "type": "AuthenticationError",
-                    "code": "INVALID_NONCE",
-                    "message": "Valid session nonce required. Please refresh the page.",
-                }
-            }), 403
-
+    """Issues a JWT for session authentication."""
     token = jwt.encode(
         {"iat": int(time.time()), "exp": int(time.time()) + JWT_EXPIRY},
         SESSION_SECRET,
@@ -365,13 +310,12 @@ def get_metadata():
     host = CONFIG["host"]
     debug = os.environ.get("FLASK_DEBUG", "0") == "1"
 
-    nonce_status = " (nonce required)" if REQUIRE_NONCE else ""
     print("\n" + "=" * 70)
     print(f"🚀 Flask Text To Speech Server (Backend API)")
     print("=" * 70)
     print(f"🚀 Backend API Server running at http://localhost:{port}")
     print(f"")
-    print(f"📡 GET  /api/session{nonce_status}")
+    print(f"📡 GET  /api/session")
     print(f"📡 POST /api/text-to-speech (auth required)")
     print(f"📡 GET  /api/metadata")
     print(f"Debug:    {'ON' if debug else 'OFF'}")

deploy/Caddyfile

@@ -3,7 +3,7 @@
 }
 
 :8080 {
-	# HTML page: Caddy templates inject base path + session nonce
+	# HTML page: Caddy templates inject base path
 	@htmlpage {
 		path /
 		path /index.html

deploy/Dockerfile

@@ -13,8 +13,8 @@ COPY frontend/package.json frontend/pnpm-lock.yaml ./frontend/
 RUN cd frontend && pnpm install --frozen-lockfile
 COPY frontend/ ./frontend/
 RUN cd frontend && pnpm build
-# Inject Caddy template directives for subpath base path + session nonce
-RUN sed -i 's|<head>|<head>\n  <base href="{{ .Req.Header.Get "X-Base-Path" }}">\n  <meta name="session-nonce" content="{{ placeholder "http.request.uuid" }}">|' ./frontend/dist/index.html
+# Inject Caddy template directive for subpath base path
+RUN sed -i 's|<head>|<head>\n  <base href="{{ .Req.Header.Get "X-Base-Path" }}">|' ./frontend/dist/index.html
 
 # Stage 3: Runtime
 FROM python:3.13-slim