feat(api): add helmet security headers and rate limiting

- Add helmet middleware for secure HTTP response headers
- Add express-rate-limit with three limiters:
  - authLimiter: per-IP, 20 req/15min on /api/auth/*
  - gameLimiter: per-user, 150 req/15min (not yet wired)
  - lobbyLimiter: per-user, 20 req/15min (not yet wired)
- Set trust proxy for correct client IP behind Caddy
- Add tests for all three limiters and helmet headers
lila 2026-04-23 11:13:11 +02:00
parent 1dfe391233
commit 9893ead689
6 changed files with 300 additions and 1 deletions


@ -1,20 +1,26 @@
import express from "express";
import type { Express } from "express";
import { toNodeHandler } from "better-auth/node";
import cors from "cors";
import helmet from "helmet";
import { auth } from "./lib/auth.js";
import { apiRouter } from "./routes/apiRouter.js";
import { errorHandler } from "./middleware/errorHandler.js";
import cors from "cors";
import { authLimiter } from "./middleware/rateLimiters.js";
export function createApp() {
const app: Express = express();
app.set("trust proxy", 1);
app.use(helmet());
app.use(
cors({
origin: process.env["CORS_ORIGIN"] || "http://localhost:5173",
credentials: true,
}),
);
app.use("/api/auth", authLimiter);
app.all("/api/auth/*splat", toNodeHandler(auth));
app.use(express.json());
app.use("/api/v1", apiRouter);
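Review bot: The per-IP `authLimiter` mounted at `app.use("/api/auth", authLimiter)` is only as trustworthy as `app.set("trust proxy", 1)`, which tells Express to take the client address from `X-Forwarded-For` whenever the immediate peer is trusted — and a numeric hop count trusts whatever that peer is, so if this process is ever reachable other than through Caddy, a client can send its own `X-Forwarded-For` and either dodge the limit or exhaust another address's bucket. Either bind the listener to loopback/the Caddy-only network, or name the proxy instead of counting hops, e.g. `app.set("trust proxy", "loopback")` (or the proxy's address/CIDR); a short comment on that line stating the assumption would help the next reader: `// Caddy is the only hop in front of us; req.ip is taken from X-Forwarded-For`. Separately, 20 requests per 15 minutes per IP applies to every method and path under `/api/auth/*` — if that router also serves session reads on page load, ordinary users (especially several behind one NAT) will hit the cap; consider scoping the limiter to the sign-in/sign-up routes or adding a `skip` for safe GETs, if that matches how the auth router is used. `createApp`'s body continues past the hunk.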