5 commits

Author	SHA1	Message	Date
lila	59049002fc	fix(api): skip rate limiting for non-sensitive auth endpoints ... The authLimiter was blocking legitimate users because Better Auth's client polls /get-session frequently (on mount, route changes, focus), and /sign-out was also getting blocked after repeated session polls. Skip rate limiting for: - /get-session — read-only, requires valid cookie, no attack surface - /sign-out — no attack value in blocking logout - /callback/* — OAuth callbacks from providers Brute force protection remains on /sign-in, /sign-up, and other sensitive endpoints.	2026-04-23 22:12:38 +02:00
lila	9893ead689	feat(api): add helmet security headers and rate limiting ... - Add helmet middleware for secure HTTP response headers - Add express-rate-limit with three limiters: - authLimiter: per-IP, 20 req/15min on /api/auth/* - gameLimiter: per-user, 150 req/15min (not yet wired) - lobbyLimiter: per-user, 20 req/15min (not yet wired) - Set trust proxy for correct client IP behind Caddy - Add tests for all three limiters and helmet headers	2026-04-23 11:13:11 +02:00
lila	8c241636bf	feat(api): attach session to request in requireAuth ... - Add Express Request type augmentation for req.session - requireAuth now sets req.session after session validation, so protected handlers can read the user without calling getSession again - Add ConflictError (409) alongside existing AppError subclasses	2026-04-16 19:51:10 +02:00
lila	a3685a9e68	feat(api): add auth middleware to protect game endpoints ... - Add requireAuth middleware using Better Auth session validation - Apply to all game routes (start, answer) - Unauthenticated requests return 401	2026-04-12 13:38:32 +02:00
lila	48457936e8	feat(api): add global error handler with typed error classes ... - Add AppError base class, ValidationError (400), NotFoundError (404) - Add central error middleware in app.ts - Remove inline safeParse error handling from controllers - Replace plain Error throws with NotFoundError in gameService	2026-04-12 08:48:43 +02:00