chore: release v0.1.0.104

Account deletion, key enrollment, and credential management use a separate 30/15min limiter so they are not left at 300/min while login and sync routes stay independent.

Co-authored-by: Cursor <cursoragent@cursor.com>

.env.example

@@ -13,8 +13,8 @@ RP_ID=localhost
 # Must match the frontend URL exactly (Vite dev: http://localhost:5173; Docker: http://localhost)
 ORIGIN=http://localhost:5173
 
-# Behind Nginx Proxy Manager — see docs/deployment/npm-security.md
-# TRUST_PROXY=172.16.10.10
+# Behind reverse proxy — see docs/deployment/npm-security.md
+# Docker Compose (NPM → frontend nginx → backend): TRUST_PROXY=1
 # TRUST_PROXY=1
 
 # Docker Compose database (required for production deploy)

VERSION

@@ -1 +1 @@
-0.1.0.103
+0.1.0.105

client/nginx.conf

@@ -43,6 +43,9 @@ server {
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection 'upgrade';
         proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
         proxy_cache_bypass $http_upgrade;
     }
 }

docs/deployment/npm-security.md

@@ -30,8 +30,9 @@ proxy_set_header X-Real-IP $remote_addr;
 ORIGIN=https://kapteins-daagbok.eu
 RP_ID=kapteins-daagbok.eu
 SESSION_SECRET=<min. 32 Zeichen, openssl rand -base64 48>
-TRUST_PROXY=172.16.10.10
-# oder TRUST_PROXY=1 für genau einen Proxy-Hop
+# Docker Compose: Frontend-Nginx ist der direkte Proxy zum Backend → 1 Hop
+TRUST_PROXY=1
+# Nur bei direktem Backend-Zugriff ohne Frontend-Nginx: NPM-IP, z. B. TRUST_PROXY=172.16.10.10
 ```
 
 `ORIGIN` muss **exakt** der Browser-URL entsprechen (ohne trailing slash).

scripts/server-patch-env-sprint1.sh

@@ -34,7 +34,7 @@ if ! grep -q "^POSTGRES_PASSWORD=" "$ENV_FILE" || grep -q "^POSTGRES_PASSWORD=$"
 else
   echo "  keep  POSTGRES_PASSWORD (already set)"
 fi
-# NPM on 172.16.10.10 → app on this host
-ensure_var TRUST_PROXY "172.16.10.10"
+# Frontend-Nginx → Backend (one hop); NPM is in front of Nginx, not Backend directly
+ensure_var TRUST_PROXY "1"
 
 echo "Done. Verify with: docker exec daagbox-prod-db psql -U postgres -d daagbox -c 'SELECT 1'"

server/src/app.ts

@@ -45,13 +45,45 @@ export function createApp(): express.Express {
   app.use(cookieParser())
   app.use(express.json({ limit: '50mb' }))
 
-  const authLimiter = rateLimit({
+  /** WebAuthn login/register/session — strict per IP; excludes high-volume sync routes. */
+  const authFlowPaths = new Set([
+    '/register-options',
+    '/register-verify',
+    '/login-options',
+    '/login-verify',
+    '/reauth-options',
+    '/reauth-verify',
+    '/logout',
+    '/session'
+  ])
+
+  /** Account/key/credential mutations — also strict; separate bucket from login flow. */
+  const sensitiveAuthExactPaths = new Set([
+    '/delete-account',
+    '/enroll-prf',
+    '/rotate-recovery',
+    '/add-credential-options',
+    '/add-credential-verify'
+  ])
+
+  function isSensitiveAuthPath(path: string): boolean {
+    return sensitiveAuthExactPaths.has(path) || path.startsWith('/credentials/')
+  }
+
+  const authFlowLimiter = rateLimit({
     windowMs: 15 * 60 * 1000,
     max: 60,
     standardHeaders: true,
     legacyHeaders: false
   })
 
+  const sensitiveAuthLimiter = rateLimit({
+    windowMs: 15 * 60 * 1000,
+    max: 30,
+    standardHeaders: true,
+    legacyHeaders: false
+  })
+
   const apiLimiter = rateLimit({
     windowMs: 1 * 60 * 1000,
     max: 300,
@@ -66,7 +98,15 @@ export function createApp(): express.Express {
     legacyHeaders: false
   })
 
-  app.use('/api/auth', authLimiter)
+  app.use('/api/auth', (req, res, next) => {
+    if (authFlowPaths.has(req.path)) {
+      return authFlowLimiter(req, res, next)
+    }
+    if (isSensitiveAuthPath(req.path)) {
+      return sensitiveAuthLimiter(req, res, next)
+    }
+    return next()
+  })
   app.use('/api/collaboration/invite-details', publicCollaborationLimiter)
   app.use('/api/collaboration/share-pull', publicCollaborationLimiter)
   app.use('/api', apiLimiter)