Security fixes: non-root user, signup rate limiting, differentiated CORS, persistent usage tracking

2026-02-14 17:04:55 +00:00 · 2026-02-14 17:04:55 +00:00 · 73bb041513
commit 73bb041513
parent 6a38ba4adc
5 changed files with 108 additions and 17 deletions
--- a/src/routes/signup.ts
+++ b/src/routes/signup.ts
@ -1,10 +1,25 @@
 import { Router, Request, Response } from "express";
+import rateLimit from "express-rate-limit";
 import { createFreeKey } from "../services/keys.js";

 const router = Router();

+// Rate limiting for signup - 5 signups per IP per hour
+const signupLimiter = rateLimit({
+  windowMs: 60 * 60 * 1000, // 1 hour
+  max: 5, // 5 signups per IP per hour
+  message: {
+    error: "Too many signup attempts. Please try again in 1 hour.",
+    retryAfter: "1 hour"
+  },
+  standardHeaders: true,
+  legacyHeaders: false,
+  skipSuccessfulRequests: false,
+  skipFailedRequests: false,
+});
+
 // Self-service free API key signup
-router.post("/free", (req: Request, res: Response) => {
+router.post("/free", signupLimiter, (req: Request, res: Response) => {
  const { email } = req.body;

  if (!email || typeof email !== "string") {