diff --git a/apps/api/src/routes/oauth.ts b/apps/api/src/routes/oauth.ts index 4e57dcb..366e54c 100644 --- a/apps/api/src/routes/oauth.ts +++ b/apps/api/src/routes/oauth.ts @@ -13,6 +13,7 @@ import { oauthTokens, } from '@bmm/db'; import { getJWKS, signAccessToken } from '../lib/jwks.js'; +import { checkDailyLimit } from '../lib/rate-limit.js'; import { requireAuth } from '../plugins/session.js'; import { config } from '../config.js'; @@ -73,8 +74,18 @@ export async function oauthRoutes(app: FastifyInstance): Promise { return reply.send(await getJWKS()); }); - // RFC 7591 Dynamic Client Registration + // RFC 7591 Dynamic Client Registration — rate-limited per-IP to prevent + // DB-row spam. 20/day per visitor IP is well above legitimate MCP-client + // bootstrap rates (each AI client registers once per resource server, ever). + // (Zb-002.) app.post('/oauth/register', async (req, reply) => { + const rl = await checkDailyLimit('oauth_register', req.ip, 20); + if (!rl.ok) { + return reply.code(429).send({ + error: 'rate_limited', + detail: 'Too many client registrations from this IP. Try again tomorrow.', + }); + } const Body = z.object({ client_name: z.string().min(1).max(128).optional(), redirect_uris: z.array(z.string().url()).min(1).max(10), diff --git a/apps/api/src/routes/templates.ts b/apps/api/src/routes/templates.ts index 3e72cf3..175f6e4 100644 --- a/apps/api/src/routes/templates.ts +++ b/apps/api/src/routes/templates.ts @@ -14,6 +14,7 @@ import { templates, users, } from '@bmm/db'; +import { SHARED_BANNED_PATTERNS } from '@bmm/llm'; import { GeneratorSpec } from '@bmm/types'; import type { FastifyInstance } from 'fastify'; import { z } from 'zod'; @@ -25,20 +26,23 @@ import { requireAdmin, requireAuth } from '../plugins/session.js'; const db = createDb(); -const BANNED_PATTERNS = [ - /\beval\s*\(/, - /\bnew\s+Function\s*\(/, - /\bFunction\s*\(\s*['"`]/, // Function('code')() — no `new` needed +// Code-level extras on top of SHARED_BANNED_PATTERNS — these are concerns +// that only make sense scanning a fully-rendered server.ts (not a spec). +// Keeping them additive means @bmm/llm stays the single source of truth for +// "obvious-malicious patterns", and publish-time gets stricter checks on top. +// (Zc-001 consolidation.) +const CODE_EXTRA_PATTERNS: RegExp[] = [ /\bimport\s*\(/, // dynamic import (escape from bundle scope) /\bsetTimeout\s*\(\s*['"`]/, // setTimeout('code', ms) eval form /\bsetInterval\s*\(\s*['"`]/, - /\bchild_process\b/, /\bfs\s*\.\s*(unlink|rmdir|rm)\b/, /\bprocess\s*\.\s*kill\b/, - /ignore\s+previous\s+instructions/i, - /disregard\s+(the\s+)?(above|previous)/i, /you\s+are\s+now\s+(in\s+)?(developer|jailbreak|dan)\s+mode/i, ]; +const PUBLISH_BANNED_PATTERNS: readonly RegExp[] = [ + ...SHARED_BANNED_PATTERNS, + ...CODE_EXTRA_PATTERNS, +]; // Hardcoded-credential patterns. If Claude embedded a literal API key into the // generated code (publisher pasted it into the prompt), block the publish. @@ -54,7 +58,7 @@ const SECRET_PATTERNS = [ ]; function scanForInjection(code: string): void { - for (const pattern of BANNED_PATTERNS) { + for (const pattern of PUBLISH_BANNED_PATTERNS) { if (pattern.test(code)) throw new Error(`banned_pattern: ${pattern.source}`); } } @@ -314,21 +318,27 @@ export async function templateRoutes(app: FastifyInstance): Promise { ? rows.filter((r) => r.template.category === parsed.data.category) : rows; - // Augment with active deployment counts - const enriched = await Promise.all( - filtered.map(async (r) => { - const [active] = await db - .select({ c: count() }) - .from(mcpServers) - .where(and(eq(mcpServers.templateId, r.template.id), eq(mcpServers.status, 'live'))); - return { - ...r.template, - ownerName: r.ownerName ?? r.ownerEmail?.split('@')[0] ?? null, - ownerOrgName: r.ownerOrgName, - activeDeployments: Number(active?.c ?? 0), - }; - }), - ); + // Single grouped query — was N+1 (one COUNT per template). On a 100-row + // listing that's 101 round-trips → p95 latency cliff once the marketplace + // grows. (Zc-002.) + const templateIds = filtered.map((r) => r.template.id); + const activeCounts = new Map(); + if (templateIds.length > 0) { + const grouped = await db + .select({ id: mcpServers.templateId, c: count() }) + .from(mcpServers) + .where(and(eq(mcpServers.status, 'live'), sql`${mcpServers.templateId} = ANY(${templateIds})`)) + .groupBy(mcpServers.templateId); + for (const g of grouped) { + if (g.id) activeCounts.set(g.id, Number(g.c)); + } + } + const enriched = filtered.map((r) => ({ + ...r.template, + ownerName: r.ownerName ?? r.ownerEmail?.split('@')[0] ?? null, + ownerOrgName: r.ownerOrgName, + activeDeployments: activeCounts.get(r.template.id) ?? 0, + })); // Sort const now = Date.now(); diff --git a/packages/auth/src/index.ts b/packages/auth/src/index.ts index 5c482ad..ac25d0b 100644 --- a/packages/auth/src/index.ts +++ b/packages/auth/src/index.ts @@ -6,6 +6,7 @@ import { desc, eq, gt, + isNull, magicLinks, memberships, organizations, @@ -17,7 +18,13 @@ import { const MAGIC_LINK_TTL_MS = 15 * 60 * 1000; // 15 min const SESSION_TTL_MS = 30 * 24 * 60 * 60 * 1000; // 30 days const SCRYPT_KEYLEN = 64; -const SCRYPT_N = 16_384; +// OWASP 2024+ recommends scrypt N≥2^17 for password hashing. Hash format +// embeds N (`scrypt$N$salt$hash`), so verifyPassword auto-handles old hashes +// at lower N — backward-compatible cost bump. (Za-002.) +const SCRYPT_N = 131_072; +// scrypt with high N also needs maxmem ceiling raised — Node defaults to +// ~32MiB which is below what N=131072 requires. (~128MiB needed per op.) +const SCRYPT_MAXMEM = 256 * 1024 * 1024; function sha256(input: string): string { return crypto.createHash('sha256').update(input).digest('hex'); @@ -29,7 +36,9 @@ function randomToken(bytes = 32): string { export function hashPassword(password: string): string { const salt = crypto.randomBytes(16).toString('hex'); - const derived = crypto.scryptSync(password, salt, SCRYPT_KEYLEN, { N: SCRYPT_N }).toString('hex'); + const derived = crypto + .scryptSync(password, salt, SCRYPT_KEYLEN, { N: SCRYPT_N, maxmem: SCRYPT_MAXMEM }) + .toString('hex'); return `scrypt$${SCRYPT_N}$${salt}$${derived}`; } @@ -41,7 +50,10 @@ export function verifyPassword(password: string, stored: string): boolean { const expectedHex = parts[3]; if (!Number.isFinite(N) || !salt || !expectedHex) return false; const expected = Buffer.from(expectedHex, 'hex'); - const actual = crypto.scryptSync(password, salt, expected.length, { N }); + // Use the N embedded in the hash so old (lower-N) hashes still verify. + // maxmem scales with N — 128 * N * r bytes minimum, doubled for headroom. + const maxmem = Math.max(64 * 1024 * 1024, N * 256); + const actual = crypto.scryptSync(password, salt, expected.length, { N, maxmem }); if (actual.length !== expected.length) return false; return crypto.timingSafeEqual(actual, expected); } @@ -97,7 +109,18 @@ export async function consumeMagicLink( if (!row || row.consumedAt) { throw new Error('invalid_or_expired_token'); } - await db.update(magicLinks).set({ consumedAt: new Date() }).where(eq(magicLinks.id, row.id)); + // Atomic single-use: only the request whose UPDATE actually flips + // consumedAt from NULL → now() is allowed to mint a session. Two concurrent + // requests with the same token can't both win — the loser sees rows = 0. + // (Za-003.) + const claimed = await db + .update(magicLinks) + .set({ consumedAt: new Date() }) + .where(and(eq(magicLinks.id, row.id), isNull(magicLinks.consumedAt))) + .returning({ id: magicLinks.id }); + if (claimed.length === 0) { + throw new Error('invalid_or_expired_token'); + } // Get or create user + default org let user = (await db.select().from(users).where(eq(users.email, row.email)).limit(1))[0]; @@ -116,10 +139,15 @@ export async function consumeMagicLink( if (!user) throw new Error('user_resolve_failed'); + // Deterministic ordering — when org-invites eventually let one user have + // multiple memberships, we want the same "primary org" to win every login, + // not a random one. Oldest membership = the org the user originally signed + // up for. (Za-004.) const [membership] = await db .select() .from(memberships) .where(eq(memberships.userId, user.id)) + .orderBy(memberships.createdAt) .limit(1); if (!membership) throw new Error('no_org_membership'); @@ -362,10 +390,15 @@ export async function loginWithPassword( if (!verifyPassword(password, user.passwordHash)) { throw new Error('invalid_credentials'); } + // Deterministic ordering — when org-invites eventually let one user have + // multiple memberships, we want the same "primary org" to win every login, + // not a random one. Oldest membership = the org the user originally signed + // up for. (Za-004.) const [membership] = await db .select() .from(memberships) .where(eq(memberships.userId, user.id)) + .orderBy(memberships.createdAt) .limit(1); if (!membership) throw new Error('no_org_membership'); diff --git a/packages/llm/src/index.ts b/packages/llm/src/index.ts index 21accb3..0fc8451 100644 --- a/packages/llm/src/index.ts +++ b/packages/llm/src/index.ts @@ -42,7 +42,10 @@ Return JSON only. No explanation.`; // determined attacker can bypass any of these with string concatenation // (`'chi'+'ld_process'`) or alternate APIs — that's why container isolation // has to hold even when this fails. -const BANNED_PATTERNS = [ +// +// Exported so the publish-time template scan in apps/api/src/routes/templates +// can reuse it instead of maintaining a parallel list that drifts. (Zc-001.) +export const SHARED_BANNED_PATTERNS: readonly RegExp[] = [ /\beval\s*\(/, /\bnew\s+Function\s*\(/, /\bFunction\s*\(\s*['"`]/, // Function('...') without `new` @@ -358,7 +361,7 @@ export function scanForInjection(spec: GeneratorSpecT): void { } } for (const text of surfaces) { - for (const pattern of BANNED_PATTERNS) { + for (const pattern of SHARED_BANNED_PATTERNS) { if (pattern.test(text)) { throw new BannedPatternError(`banned_pattern_detected: ${pattern.source}`); }