Rate limiting and security middleware (#23)

* feat: add rate limiting and security middleware hardening

Add helmet for security headers, per-route rate limiters (vault read/write,
sensor report by sensor ID, general API), and reduce JSON body limit to 1mb.
All rate-limited responses return standardized 429 with { success: false,
error: 'Too many requests' }.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* refactor: Rate limiting and security middleware

---------

Co-authored-by: Claude Agent <agent@protolabsai.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: 3 people

apps/server/package.json

@@ -70,6 +70,7 @@
     "dotenv": "17.2.3",
     "express": "5.2.1",
     "express-rate-limit": "^8.2.1",
+    "helmet": "^8.1.0",
     "groq-sdk": "^0.5.0",
     "morgan": "1.10.1",
     "node-pty": "1.1.0-beta41",

apps/server/src/server/middleware.ts

@@ -1,8 +1,10 @@
-// Middleware setup: Morgan, CORS, Prometheus, cookie-parser, raw body
+// Middleware setup: Helmet, Morgan, CORS, Prometheus, cookie-parser, raw body, rate limiting
 
 import morgan from 'morgan';
 import cors from 'cors';
+import helmet from 'helmet';
 import cookieParser from 'cookie-parser';
+import rateLimit from 'express-rate-limit';
 import express, { type Request, type Response } from 'express';
 import type { Express } from 'express';
 import { prometheusMiddleware } from '../lib/prometheus.js';
@@ -31,10 +33,16 @@ export function isRequestLoggingEnabled(): boolean {
   return requestLoggingEnabled;
 }
 
+/** Standard 429 response body for all rate limiters */
+const RATE_LIMIT_RESPONSE = { success: false, error: 'Too many requests' } as const;
+
 /**
- * Register all Express middleware: logging, CORS, Prometheus, body parsing
+ * Register all Express middleware: helmet, logging, CORS, Prometheus, body parsing
  */
 export function setupMiddleware(app: Express, options?: { allowAllOrigins?: boolean }): void {
+  // Security headers via helmet (must be early in the chain)
+  app.use(helmet());
+
   // Custom colored logger showing only endpoint and status code (dynamically configurable)
   morgan.token('status-colored', (_req, res) => {
     const status = res.statusCode;
@@ -122,7 +130,7 @@ export function setupMiddleware(app: Express, options?: { allowAllOrigins?: bool
   // This middleware must be before express.json()
   app.use(
     express.json({
-      limit: '50mb',
+      limit: '1mb',
       verify: (req: RequestWithRawBody, _res: Response, buf: Buffer) => {
         // Store raw body for routes that need it (e.g., webhook signature verification)
         req.rawBody = buf;
@@ -131,3 +139,69 @@ export function setupMiddleware(app: Express, options?: { allowAllOrigins?: bool
   );
   app.use(cookieParser());
 }
+
+// ---------------------------------------------------------------------------
+// Rate limiters — exported for use in routes.ts
+// ---------------------------------------------------------------------------
+
+/** Helper to build a rate limiter with consistent 429 response format */
+function createRateLimiter(options: {
+  windowMs: number;
+  limit: number;
+  keyGenerator?: (req: Request) => string;
+  skip?: (req: Request) => boolean;
+}) {
+  return rateLimit({
+    windowMs: options.windowMs,
+    limit: options.limit,
+    standardHeaders: 'draft-7',
+    legacyHeaders: false,
+    keyGenerator: options.keyGenerator,
+    skip: options.skip,
+    message: RATE_LIMIT_RESPONSE,
+  });
+}
+
+/** General API rate limiter: 300 req/min per IP (skips health + setup endpoints) */
+export const apiRateLimiter = createRateLimiter({
+  windowMs: 60 * 1000,
+  limit: 300,
+  skip: (req) =>
+    req.path === '/health' ||
+    req.path.startsWith('/health/') ||
+    req.path.startsWith('/setup/') ||
+    req.path === '/settings/status',
+});
+
+/** Vault read limiter: 30 req/min per IP */
+export const vaultReadRateLimiter = createRateLimiter({
+  windowMs: 60 * 1000,
+  limit: 30,
+});
+
+/** Vault write limiter: 10 req/min per IP */
+export const vaultWriteRateLimiter = createRateLimiter({
+  windowMs: 60 * 1000,
+  limit: 10,
+});
+
+/**
+ * Sensor report limiter: 120 req/min keyed on sensor ID.
+ * Attempts to extract sensor ID from body or X-Sensor-Id header, falls back to IP.
+ */
+export const sensorReportRateLimiter = createRateLimiter({
+  windowMs: 60 * 1000,
+  limit: 120,
+  keyGenerator: (req: Request): string => {
+    const body = req.body as Record<string, unknown> | undefined;
+    const sensorIdFromBody = body?.sensorId;
+    if (typeof sensorIdFromBody === 'string' && sensorIdFromBody.length > 0) {
+      return `sensor:${sensorIdFromBody}`;
+    }
+    const sensorIdFromHeader = req.headers['x-sensor-id'];
+    if (typeof sensorIdFromHeader === 'string' && sensorIdFromHeader.length > 0) {
+      return `sensor:${sensorIdFromHeader}`;
+    }
+    return req.ip ?? 'unknown';
+  },
+});

apps/server/src/server/routes.ts

@@ -1,13 +1,18 @@
 // Route registration: all app.use() mounts, rate limiting, and OTEL initialization
 
 import type { Express } from 'express';
-import rateLimit from 'express-rate-limit';
 import { createLogger } from '@protolabsai/utils';
 
 import type { ServiceContainer } from './services.js';
 
 import { authMiddleware } from '../lib/auth.js';
 import { requireJsonContentType } from '../middleware/require-json-content-type.js';
+import {
+  apiRateLimiter,
+  vaultReadRateLimiter,
+  vaultWriteRateLimiter,
+  sensorReportRateLimiter,
+} from './middleware.js';
 // Note: OTel is initialized in startup.ts via initOtel() — a single unified NodeSDK
 // with both OTLP exporter and LangfuseSpanProcessor. No separate init needed here.
 import { cleanupStaleValidations } from '../routes/github/routes/validation-common.js';
@@ -171,29 +176,18 @@ export function registerRoutes(app: Express, services: ServiceContainer): void {
   }, VALIDATION_CLEANUP_INTERVAL_MS);
 
   // Rate limiting — general API (skip health checks and read-only status endpoints)
-  const apiLimiter = rateLimit({
-    windowMs: 60 * 1000, // 1 minute
-    limit: 300,
-    standardHeaders: 'draft-7',
-    legacyHeaders: false,
-    skip: (req) =>
-      req.path === '/health' ||
-      req.path.startsWith('/health/') ||
-      req.path.startsWith('/setup/') ||
-      req.path === '/settings/status',
-    message: { error: 'Too many requests, please try again later' },
-  });
-  app.use('/api', apiLimiter);
-
-  // Stricter rate limit for auth login (brute force protection)
-  const authLimiter = rateLimit({
-    windowMs: 15 * 60 * 1000, // 15 minutes
-    limit: 20,
-    standardHeaders: 'draft-7',
-    legacyHeaders: false,
-    message: { error: 'Too many login attempts, please try again later' },
+  app.use('/api', apiRateLimiter);
+
+  // Sensor report endpoint: 120 req/min keyed on sensor ID
+  app.use('/api/sensors/report', sensorReportRateLimiter);
+
+  // Vault-specific rate limits (applied before vault routes are mounted)
+  // Reads (GET): 30 req/min per IP; Writes (POST/PUT/DELETE): 10 req/min per IP
+  app.use('/api/vault', (req, _res, next) => {
+    const isWrite = req.method === 'POST' || req.method === 'PUT' || req.method === 'DELETE';
+    const limiter = isWrite ? vaultWriteRateLimiter : vaultReadRateLimiter;
+    limiter(req, _res, next);
   });
-  app.use('/api/auth/login', authLimiter);
 
   // Require Content-Type: application/json for all API POST/PUT/PATCH requests
   app.use('/api', requireJsonContentType);

node_modules

@@ -107,6 +107,7 @@
     "@types/dagre": "^0.7.53",
     "cross-spawn": "7.0.6",
     "dagre": "^0.8.5",
+    "helmet": "^8.1.0",
     "langsmith": "0.4.12",
     "rehype-sanitize": "6.0.0",
     "tree-kill": "1.2.2"