security hardening

2026-04-18 11:10:41 +00:00
parent a409203025
commit 21618efbad
36 changed files with 1455 additions and 283 deletions
--- a/routes/bosscord.js
+++ b/routes/bosscord.js
@@ -5,16 +5,26 @@
 require('../models'); // ensure Ticket model is registered
 const express = require('express');
 const mongoose = require('mongoose');
+const rateLimit = require('express-rate-limit');
 const { getBot } = require('../api/bosscordClient');
 const { getGmailClient, sendGmailReply } = require('../services/gmail');
 const { updateTicketActivity } = require('../services/tickets');
+const { enqueueSend } = require('../services/channelQueue');
 const { extractRawEmail } = require('../utils');
 const { CONFIG } = require('../config');

 const router = express.Router();
 const Ticket = mongoose.model('Ticket');

-const CORS_ORIGIN = process.env.BOSSCORD_CORS_ORIGIN || '*';
+const CORS_ORIGIN = process.env.BOSSCORD_CLIENT_ORIGIN || 'http://100.114.205.53:3081';
+
+const apiLimiter = rateLimit({
+  windowMs: 60 * 1000,
+  max: 60,
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { error: 'Too many requests, please try again later.' }
+});

 function corsMiddleware(req, res, next) {
  res.setHeader('Access-Control-Allow-Origin', CORS_ORIGIN);
@@ -39,6 +49,7 @@ function authMiddleware(req, res, next) {
  next();
 }

+router.use(apiLimiter);
 router.use(corsMiddleware);
 router.use(authMiddleware);

@@ -178,7 +189,7 @@ router.post('/tickets/:id/messages', express.json(), async (req, res) => {
      return res.status(404).json({ error: 'Discord channel not found' });
    }
    const discordUser = req.body.displayName || 'bOSScord';
-    await channel.send(content);
+    await enqueueSend(channel, content);

    if (!ticket.gmailThreadId.startsWith('discord-')) {
      try {