Add CSP/HSTS headers, attachment extension whitelist, and upload rate limiting
- Add Content-Security-Policy and Strict-Transport-Security headers - Whitelist allowed file extensions on attachment uploads - Add rate limiting to password change (5/5min) and file uploads (20/60s) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -3,6 +3,7 @@ import type { RequestHandler } from './$types.js';
|
||||
import { requireAuth } from '$lib/server/guards.js';
|
||||
import { hashPassword, verifyPassword } from '$lib/server/auth.js';
|
||||
import { withBypassRLS } from '$lib/server/rls.js';
|
||||
import { passwordChangeLimiter } from '$lib/server/ratelimit.js';
|
||||
import { z } from 'zod';
|
||||
|
||||
const profileSchema = z.object({
|
||||
@@ -16,13 +17,17 @@ const passwordSchema = z.object({
|
||||
});
|
||||
|
||||
// Update profile
|
||||
export const PATCH: RequestHandler = async ({ request, locals }) => {
|
||||
export const PATCH: RequestHandler = async ({ request, locals, getClientAddress }) => {
|
||||
requireAuth(locals.user);
|
||||
|
||||
const body = await request.json();
|
||||
|
||||
// Password change
|
||||
if (body.currentPassword !== undefined) {
|
||||
const limit = passwordChangeLimiter(getClientAddress());
|
||||
if (!limit.ok) {
|
||||
return json({ error: 'Too many attempts', retryAfter: limit.retryAfter }, { status: 429 });
|
||||
}
|
||||
const result = passwordSchema.safeParse(body);
|
||||
if (!result.success) {
|
||||
return json({ error: result.error.issues[0].message }, { status: 400 });
|
||||
|
||||
Reference in New Issue
Block a user