feat: harden auth, shutdown, and session bundle (0.35.0)
Three features bundled into one release: - rate-limit /auth/login, /register, /me/password (token bucket, 5 req/sec sustained with 10-request burst by default; 429 + Retry-After header on hit; tracing::warn! per hit so operators see attack patterns; AUTH_RATE_PER_SEC / AUTH_RATE_BURST env knobs) - handle SIGTERM for graceful container stops (replaces bare ctrl_c() with a select over ctrl_c + SignalKind::terminate() so docker compose stop runs the daemon shutdown path instead of letting Chromium leak past SIGKILL) - clear session.user on 401 from any API call (setOn401Hook in api/client.ts, registered from session.svelte.ts gated on $app/environment::browser so the SSR bundle never installs it; fixes "logged in but no bookmarks/collections" mid-session expiry state) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
MechaCat02
@@ -21,6 +21,11 @@ pub enum AppError {
|
||||
PayloadTooLarge(String),
|
||||
#[error("unsupported media type: {0}")]
|
||||
UnsupportedMediaType(String),
|
||||
/// 429 with an optional `Retry-After` header value (in seconds).
|
||||
#[error("too many requests")]
|
||||
TooManyRequests {
|
||||
retry_after_secs: Option<u64>,
|
||||
},
|
||||
/// Semantic per-field validation failure. `details` is rendered into the
|
||||
/// envelope so the client can highlight the bad field(s).
|
||||
#[error("validation failed")]
|
||||
@@ -51,6 +56,7 @@ impl AppError {
|
||||
AppError::Conflict(_) => "conflict",
|
||||
AppError::PayloadTooLarge(_) => "payload_too_large",
|
||||
AppError::UnsupportedMediaType(_) => "unsupported_media_type",
|
||||
AppError::TooManyRequests { .. } => "too_many_requests",
|
||||
AppError::ValidationFailed { .. } => "validation_failed",
|
||||
AppError::Database(sqlx::Error::RowNotFound) => "not_found",
|
||||
AppError::Database(_) => "internal_error",
|
||||
@@ -79,6 +85,31 @@ impl IntoResponse for AppError {
|
||||
AppError::UnsupportedMediaType(msg) => {
|
||||
(StatusCode::UNSUPPORTED_MEDIA_TYPE, msg.clone(), None)
|
||||
}
|
||||
AppError::TooManyRequests { retry_after_secs } => {
|
||||
// Emit `Retry-After: N` (RFC 6585 §4) so a well-behaved
|
||||
// client can back off correctly. Done by building the
|
||||
// response by hand below — the `(status, headers,
|
||||
// body)` tuple shape doesn't fit the standard
|
||||
// `(status, body)` IntoResponse path for the other
|
||||
// variants.
|
||||
let body = json!({
|
||||
"error": {
|
||||
"code": code,
|
||||
"message": "too many requests; slow down",
|
||||
}
|
||||
});
|
||||
let mut resp = (StatusCode::TOO_MANY_REQUESTS, Json(body)).into_response();
|
||||
if let Some(secs) = retry_after_secs {
|
||||
// `HeaderValue: From<u64>` skips both the
|
||||
// intermediate `String` allocation and the
|
||||
// fallible-by-shape `from_str` path.
|
||||
resp.headers_mut().insert(
|
||||
axum::http::header::RETRY_AFTER,
|
||||
axum::http::HeaderValue::from(*secs),
|
||||
);
|
||||
}
|
||||
return resp;
|
||||
}
|
||||
AppError::ValidationFailed { message, details } => (
|
||||
StatusCode::UNPROCESSABLE_ENTITY,
|
||||
message.clone(),
|
||||
|
||||
Reference in New Issue
Block a user