From 3556aaede7293dc81942ab6bcadd8b91f28a3bca Mon Sep 17 00:00:00 2001 From: Michelle Date: Sat, 28 Feb 2026 13:37:27 +0100 Subject: [PATCH] Add DragonflyDB integration for JWT revocation and implement rate limiting for authentication routes --- .env.example | 3 + compose.yml | 16 +++++ package-lock.json | 118 ++++++++++++++++++++++++++++++++++- package.json | 3 + server/config/redis.js | 25 ++++++++ server/middleware/auth.js | 19 +++++- server/routes/auth.js | 65 ++++++++++++++++++- src/contexts/AuthContext.jsx | 7 ++- 8 files changed, 251 insertions(+), 5 deletions(-) create mode 100644 server/config/redis.js diff --git a/.env.example b/.env.example index c37735c..102fdfd 100644 --- a/.env.example +++ b/.env.example @@ -19,6 +19,9 @@ POSTGRES_DB=redlight # SQLite file path (only used when DATABASE_URL is not set) # SQLITE_PATH=./redlight.db +# Dragonfly (Redis-compatible in-memory database) Configuration +REDIS_URL=redis://dragonfly:6379 + # Default Admin Account (created on first run) ADMIN_EMAIL=admin@example.com ADMIN_PASSWORD=admin123 diff --git a/compose.yml b/compose.yml index d70112f..f28a259 100644 --- a/compose.yml +++ b/compose.yml @@ -10,6 +10,8 @@ services: depends_on: postgres: condition: service_healthy + dragonfly: + condition: service_healthy postgres: image: postgres:17-alpine @@ -23,6 +25,20 @@ services: timeout: 5s retries: 5 + dragonfly: + image: ghcr.io/dragonflydb/dragonfly:latest + restart: unless-stopped + ulimits: + memlock: -1 + volumes: + - dragonflydata:/data + healthcheck: + test: ["CMD", "redis-cli", "-p", "6379", "ping"] + interval: 5s + timeout: 5s + retries: 5 + volumes: pgdata: uploads: + dragonflydata: diff --git a/package-lock.json b/package-lock.json index 524a1d1..3ea70a1 100644 --- a/package-lock.json +++ b/package-lock.json @@ -15,11 +15,14 @@ "cors": "^2.8.5", "dotenv": "^16.4.0", "express": "^4.21.0", + "express-rate-limit": "^7.5.1", + "ioredis": "^5.10.0", "jsonwebtoken": "^9.0.0", "lucide-react": "^0.460.0", "multer": "^2.0.2", "nodemailer": "^8.0.1", "pg": "^8.18.0", + "rate-limit-redis": "^4.3.1", "react": "^18.3.0", "react-dom": "^18.3.0", "react-hot-toast": "^2.4.0", @@ -723,6 +726,12 @@ "node": ">=12" } }, + "node_modules/@ioredis/commands": { + "version": "1.5.1", + "resolved": "https://registry.npmjs.org/@ioredis/commands/-/commands-1.5.1.tgz", + "integrity": "sha512-JH8ZL/ywcJyR9MmJ5BNqZllXNZQqQbnVZOqpPQqE1vHiFgAw4NHbvE0FOduNU8IX9babitBT46571OnPTT0Zcw==", + "license": "MIT" + }, "node_modules/@jridgewell/gen-mapping": { "version": "0.3.13", "resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.13.tgz", @@ -1780,6 +1789,15 @@ "node": ">=12" } }, + "node_modules/cluster-key-slot": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/cluster-key-slot/-/cluster-key-slot-1.1.2.tgz", + "integrity": "sha512-RMr0FhtfXemyinomL4hrWcYJxmX6deFdCxpJzhDttxgO1+bcCnkk+9drydLVDmAMG7NE6aN/fl4F7ucU/90gAA==", + "license": "Apache-2.0", + "engines": { + "node": ">=0.10.0" + } + }, "node_modules/color-convert": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz", @@ -1942,7 +1960,6 @@ "version": "4.4.3", "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz", "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==", - "dev": true, "license": "MIT", "dependencies": { "ms": "^2.1.3" @@ -1989,6 +2006,15 @@ "node": ">=0.4.0" } }, + "node_modules/denque": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/denque/-/denque-2.1.0.tgz", + "integrity": "sha512-HVQE3AAb/pxF8fQAoiqpvg9i3evqug3hoiwakOyZAwJm+6vZehbkYXZ0l4JxS+I3QxM97v5aaRNhj8v5oBhekw==", + "license": "Apache-2.0", + "engines": { + "node": ">=0.10" + } + }, "node_modules/depd": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/depd/-/depd-2.0.0.tgz", @@ -2266,6 +2292,21 @@ "url": "https://opencollective.com/express" } }, + "node_modules/express-rate-limit": { + "version": "7.5.1", + "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-7.5.1.tgz", + "integrity": "sha512-7iN8iPMDzOMHPUYllBEsQdWVB6fPDMPqwjBaFrgr4Jgr/+okjvzAy+UHlYYL/Vs0OsOrMkwS6PJDkFlJwoxUnw==", + "license": "MIT", + "engines": { + "node": ">= 16" + }, + "funding": { + "url": "https://github.com/sponsors/express-rate-limit" + }, + "peerDependencies": { + "express": ">= 4.11" + } + }, "node_modules/express/node_modules/debug": { "version": "2.6.9", "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz", @@ -2679,6 +2720,30 @@ "integrity": "sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==", "license": "ISC" }, + "node_modules/ioredis": { + "version": "5.10.0", + "resolved": "https://registry.npmjs.org/ioredis/-/ioredis-5.10.0.tgz", + "integrity": "sha512-HVBe9OFuqs+Z6n64q09PQvP1/R4Bm+30PAyyD4wIEqssh3v9L21QjCVk4kRLucMBcDokJTcLjsGeVRlq/nH6DA==", + "license": "MIT", + "dependencies": { + "@ioredis/commands": "1.5.1", + "cluster-key-slot": "^1.1.0", + "debug": "^4.3.4", + "denque": "^2.1.0", + "lodash.defaults": "^4.2.0", + "lodash.isarguments": "^3.1.0", + "redis-errors": "^1.2.0", + "redis-parser": "^3.0.0", + "standard-as-callback": "^2.1.0" + }, + "engines": { + "node": ">=12.22.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/ioredis" + } + }, "node_modules/ipaddr.js": { "version": "1.9.1", "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz", @@ -2876,12 +2941,24 @@ "dev": true, "license": "MIT" }, + "node_modules/lodash.defaults": { + "version": "4.2.0", + "resolved": "https://registry.npmjs.org/lodash.defaults/-/lodash.defaults-4.2.0.tgz", + "integrity": "sha512-qjxPLHd3r5DnsdGacqOMU6pb/avJzdh9tFX2ymgoZE27BmjXrNy/y4LoaiTeAb+O3gL8AfpJGtqfX/ae2leYYQ==", + "license": "MIT" + }, "node_modules/lodash.includes": { "version": "4.3.0", "resolved": "https://registry.npmjs.org/lodash.includes/-/lodash.includes-4.3.0.tgz", "integrity": "sha512-W3Bx6mdkRTGtlJISOvVD/lbqjTlPPUDTMnlXZFnVwi9NKJ6tiAk6LVdlhZMm17VZisqhKcgzpO5Wz91PCt5b0w==", "license": "MIT" }, + "node_modules/lodash.isarguments": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/lodash.isarguments/-/lodash.isarguments-3.1.0.tgz", + "integrity": "sha512-chi4NHZlZqZD18a0imDHnZPrDeBbTtVN7GXMwuGdRH9qotxAjYs3aVLKc7zNOG9eddR5Ksd8rvFEBc9SsggPpg==", + "license": "MIT" + }, "node_modules/lodash.isboolean": { "version": "3.0.3", "resolved": "https://registry.npmjs.org/lodash.isboolean/-/lodash.isboolean-3.0.3.tgz", @@ -3707,6 +3784,18 @@ "node": ">= 0.6" } }, + "node_modules/rate-limit-redis": { + "version": "4.3.1", + "resolved": "https://registry.npmjs.org/rate-limit-redis/-/rate-limit-redis-4.3.1.tgz", + "integrity": "sha512-+a1zU8+D7L8siDK9jb14refQXz60vq427VuiplgnaLk9B2LnvGe/APLTfhwb4uNIL7eWVknh8GnRp/unCj+lMA==", + "license": "MIT", + "engines": { + "node": ">= 16" + }, + "peerDependencies": { + "express-rate-limit": ">= 6" + } + }, "node_modules/raw-body": { "version": "2.5.3", "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.3.tgz", @@ -3858,6 +3947,27 @@ "node": ">=8.10.0" } }, + "node_modules/redis-errors": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/redis-errors/-/redis-errors-1.2.0.tgz", + "integrity": "sha512-1qny3OExCf0UvUV/5wpYKf2YwPcOqXzkwKKSmKHiE6ZMQs5heeE/c8eXK+PNllPvmjgAbfnsbpkGZWy8cBpn9w==", + "license": "MIT", + "engines": { + "node": ">=4" + } + }, + "node_modules/redis-parser": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/redis-parser/-/redis-parser-3.0.0.tgz", + "integrity": "sha512-DJnGAeenTdpMEH6uAJRK/uiyEIH9WVsUmoLwzudwGJUwZPp80PDBWPHXSAGNPwNvIXAbe7MSUB1zQFugFml66A==", + "license": "MIT", + "dependencies": { + "redis-errors": "^1.0.0" + }, + "engines": { + "node": ">=4" + } + }, "node_modules/require-directory": { "version": "2.1.1", "resolved": "https://registry.npmjs.org/require-directory/-/require-directory-2.1.1.tgz", @@ -4239,6 +4349,12 @@ "node": ">= 10.x" } }, + "node_modules/standard-as-callback": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/standard-as-callback/-/standard-as-callback-2.1.0.tgz", + "integrity": "sha512-qoRRSyROncaz1z0mvYqIE4lCd9p2R90i6GxW3uZv5ucSu8tU7B5HXUP1gG8pVZsYNVaXjk8ClXHPttLyxAL48A==", + "license": "MIT" + }, "node_modules/statuses": { "version": "2.0.2", "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.2.tgz", diff --git a/package.json b/package.json index 04c4b31..097f831 100644 --- a/package.json +++ b/package.json @@ -19,11 +19,14 @@ "cors": "^2.8.5", "dotenv": "^16.4.0", "express": "^4.21.0", + "express-rate-limit": "^7.5.1", + "ioredis": "^5.10.0", "jsonwebtoken": "^9.0.0", "lucide-react": "^0.460.0", "multer": "^2.0.2", "nodemailer": "^8.0.1", "pg": "^8.18.0", + "rate-limit-redis": "^4.3.1", "react": "^18.3.0", "react-dom": "^18.3.0", "react-hot-toast": "^2.4.0", diff --git a/server/config/redis.js b/server/config/redis.js new file mode 100644 index 0000000..70b705d --- /dev/null +++ b/server/config/redis.js @@ -0,0 +1,25 @@ +import Redis from 'ioredis'; + +const REDIS_URL = process.env.REDIS_URL || 'redis://localhost:6379'; + +const redis = new Redis(REDIS_URL, { + enableOfflineQueue: false, + maxRetriesPerRequest: 1, + retryStrategy: (times) => { + if (times > 3) return null; // stop retrying after 3 attempts + return Math.min(times * 200, 1000); + }, +}); + +redis.on('error', (err) => { + // Suppress ECONNREFUSED noise after initial failure — only warn + if (err.code !== 'ECONNREFUSED') { + console.warn('⚠️ DragonflyDB error:', err.message); + } +}); + +redis.on('connect', () => { + console.log('🐉 DragonflyDB connected'); +}); + +export default redis; diff --git a/server/middleware/auth.js b/server/middleware/auth.js index c2fa22b..289ed5b 100644 --- a/server/middleware/auth.js +++ b/server/middleware/auth.js @@ -1,5 +1,7 @@ import jwt from 'jsonwebtoken'; +import { v4 as uuidv4 } from 'uuid'; import { getDb } from '../config/database.js'; +import redis from '../config/redis.js'; const JWT_SECRET = process.env.JWT_SECRET || 'fallback-secret-change-me'; @@ -13,6 +15,20 @@ export async function authenticateToken(req, res, next) { try { const decoded = jwt.verify(token, JWT_SECRET); + + // Check JWT blacklist in DragonflyDB (revoked tokens via logout) + if (decoded.jti) { + try { + const revoked = await redis.get(`blacklist:${decoded.jti}`); + if (revoked) { + return res.status(401).json({ error: 'Token has been revoked' }); + } + } catch (redisErr) { + // Graceful degradation: if Redis is unavailable, allow the request + console.warn('Redis blacklist check skipped:', redisErr.message); + } + } + const db = getDb(); const user = await db.get('SELECT id, name, display_name, email, role, theme, language, avatar_color, avatar_image, email_verified FROM users WHERE id = ?', [decoded.userId]); if (!user) { @@ -33,5 +49,6 @@ export function requireAdmin(req, res, next) { } export function generateToken(userId) { - return jwt.sign({ userId }, JWT_SECRET, { expiresIn: '7d' }); + const jti = uuidv4(); + return jwt.sign({ userId, jti }, JWT_SECRET, { expiresIn: '7d' }); } diff --git a/server/routes/auth.js b/server/routes/auth.js index 14c83bf..b9b54a9 100644 --- a/server/routes/auth.js +++ b/server/routes/auth.js @@ -1,13 +1,49 @@ import { Router } from 'express'; import bcrypt from 'bcryptjs'; +import jwt from 'jsonwebtoken'; import { v4 as uuidv4 } from 'uuid'; import fs from 'fs'; import path from 'path'; import { fileURLToPath } from 'url'; +import { rateLimit } from 'express-rate-limit'; +import { RedisStore } from 'rate-limit-redis'; import { getDb } from '../config/database.js'; +import redis from '../config/redis.js'; import { authenticateToken, generateToken } from '../middleware/auth.js'; import { isMailerConfigured, sendVerificationEmail } from '../config/mailer.js'; +const JWT_SECRET = process.env.JWT_SECRET || 'fallback-secret-change-me'; + +// ── Rate Limiting ──────────────────────────────────────────────────────────── +function makeRedisStore(prefix) { + try { + return new RedisStore({ + sendCommand: (...args) => redis.call(...args), + prefix, + }); + } catch { + return undefined; // falls back to in-memory if Redis unavailable + } +} + +const loginLimiter = rateLimit({ + windowMs: 15 * 60 * 1000, // 15 minutes + max: 20, + standardHeaders: true, + legacyHeaders: false, + message: { error: 'Too many login attempts. Please try again in 15 minutes.' }, + store: makeRedisStore('rl:login:'), +}); + +const registerLimiter = rateLimit({ + windowMs: 60 * 60 * 1000, // 1 hour + max: 10, + standardHeaders: true, + legacyHeaders: false, + message: { error: 'Too many registration attempts. Please try again later.' }, + store: makeRedisStore('rl:register:'), +}); + const __filename = fileURLToPath(import.meta.url); const __dirname = path.dirname(__filename); const uploadsDir = path.join(__dirname, '..', '..', 'uploads', 'avatars'); @@ -20,7 +56,7 @@ if (!fs.existsSync(uploadsDir)) { const router = Router(); // POST /api/auth/register -router.post('/register', async (req, res) => { +router.post('/register', registerLimiter, async (req, res) => { try { const { username, display_name, email, password } = req.body; @@ -194,7 +230,7 @@ router.post('/resend-verification', async (req, res) => { }); // POST /api/auth/login -router.post('/login', async (req, res) => { +router.post('/login', loginLimiter, async (req, res) => { try { const { email, password } = req.body; @@ -223,6 +259,31 @@ router.post('/login', async (req, res) => { } }); +// POST /api/auth/logout – revoke JWT via DragonflyDB blacklist +router.post('/logout', authenticateToken, async (req, res) => { + try { + const authHeader = req.headers.authorization; + const token = authHeader && authHeader.split(' ')[1]; + const decoded = jwt.decode(token); + + if (decoded?.jti && decoded?.exp) { + const ttl = decoded.exp - Math.floor(Date.now() / 1000); + if (ttl > 0) { + try { + await redis.setex(`blacklist:${decoded.jti}`, ttl, '1'); + } catch (redisErr) { + console.warn('Redis blacklist write failed:', redisErr.message); + } + } + } + + res.json({ message: 'Logged out successfully' }); + } catch (err) { + console.error('Logout error:', err); + res.status(500).json({ error: 'Logout failed' }); + } +}); + // GET /api/auth/me router.get('/me', authenticateToken, (req, res) => { res.json({ user: req.user }); diff --git a/src/contexts/AuthContext.jsx b/src/contexts/AuthContext.jsx index 30ec413..f0c234c 100644 --- a/src/contexts/AuthContext.jsx +++ b/src/contexts/AuthContext.jsx @@ -38,7 +38,12 @@ export function AuthProvider({ children }) { return res.data.user; }, []); - const logout = useCallback(() => { + const logout = useCallback(async () => { + try { + await api.post('/auth/logout'); + } catch { + // ignore — token is removed locally regardless + } localStorage.removeItem('token'); setUser(null); }, []);