fix: security hardening and correctness fixes

Author: franzos

CHANGELOG.md

@@ -1,5 +1,21 @@
 # Changelog
 
+## [0.1.2] - 2026-03-12
+
+### Added
+- Logout mechanism with nav bar button
+- Security headers on all admin responses (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy)
+- Login-specific rate limiting (10/min per IP, separate from general admin limit)
+- Periodic eviction of stale notification rate limiter entries
+
+### Fixed
+- CSRF cookie no longer set as HttpOnly, allowing JS double-submit injection to work
+- Login cookie stores a SHA-256 derivative instead of the raw admin token
+- CSRF body size limit now uses configured `max_body_size` instead of hardcoded 10MB
+- Notification rate limiter no longer wastes per-project budget when global limit rejects
+- Discard stats flush no longer double-counts on partial DB write failures
+- Threshold alert state update failures are now logged instead of silently dropped
+
 ## [0.1.1] - 2026-03-09
 
 ### Added

Cargo.lock

@@ -1,6 +1,6 @@
 [package]
 name = "stackpit"
-version = "0.1.1"
+version = "0.1.2"
 edition = "2021"
 description = "Lightweight, self-hosted error tracking and event monitoring"
 authors = ["Franz Geffke <mail@gofranz.com>"]

Cargo.toml

@@ -45,8 +45,9 @@ pub async fn handle_login(
             .as_ref()
             .is_some_and(|u| u.starts_with("https://"));
         let secure_flag = if secure { "; Secure" } else { "" };
+        let hashed = crate::middleware::hash_token_for_cookie(&token);
         let cookie =
-            format!("stackpit_token={token}; Path=/; SameSite=Strict; HttpOnly{secure_flag}");
+            format!("stackpit_token={hashed}; Path=/; SameSite=Strict; HttpOnly{secure_flag}");
         let mut resp = axum::response::Redirect::to("/web/projects/").into_response();
         if let Ok(val) = cookie.parse() {
             resp.headers_mut().insert("set-cookie", val);
@@ -61,3 +62,20 @@ pub async fn handle_login(
 pub struct LoginForm {
     token: String,
 }
+
+pub async fn handle_logout(State(state): State<AppState>) -> impl IntoResponse {
+    let secure = state
+        .config
+        .server
+        .external_url
+        .as_ref()
+        .is_some_and(|u| u.starts_with("https://"));
+    let secure_flag = if secure { "; Secure" } else { "" };
+    let cookie =
+        format!("stackpit_token=; Path=/; SameSite=Strict; HttpOnly; Max-Age=0{secure_flag}");
+    let mut resp = axum::response::Redirect::to("/web/login").into_response();
+    if let Ok(val) = cookie.parse() {
+        resp.headers_mut().insert("set-cookie", val);
+    }
+    resp
+}

src/html/login.rs

@@ -316,6 +316,7 @@ pub fn routes() -> Router<AppState> {
             "/web/login",
             get(login::login_form).post(login::handle_login),
         )
+        .route("/web/logout", post(login::handle_logout))
         // -- legacy redirects --
         .route(
             "/web/",

src/html/mod.rs

@@ -51,13 +51,15 @@ pub async fn admin_auth_middleware(
         return next.run(req).await;
     }
 
-    // Try Bearer header first, then fall back to cookie
-    let provided =
-        extract_bearer_token(req.headers()).or_else(|| extract_auth_cookie(req.headers()));
-
-    let is_valid = match &provided {
-        Some(p) => !p.is_empty() && p.as_bytes().ct_eq(expected.as_bytes()).into(),
-        None => false,
+    // Bearer header: compare raw token. Cookie: compare SHA-256 hash so
+    // the raw admin token is never stored in the browser cookie jar.
+    let is_valid = if let Some(ref bearer) = extract_bearer_token(req.headers()) {
+        !bearer.is_empty() && bearer.as_bytes().ct_eq(expected.as_bytes()).into()
+    } else if let Some(ref cookie_val) = extract_auth_cookie(req.headers()) {
+        let expected_hash = super::hash_token_for_cookie(expected);
+        !cookie_val.is_empty() && cookie_val.as_bytes().ct_eq(expected_hash.as_bytes()).into()
+    } else {
+        false
     };
 
     if is_valid {

src/middleware/admin_auth.rs

@@ -8,6 +8,12 @@ use crate::encoding::percent_decode;
 const CSRF_COOKIE_NAME: &str = "csrf_token";
 const CSRF_TOKEN_LEN: usize = 16; // 128-bit hex token
 
+#[derive(Clone)]
+pub struct CsrfConfig {
+    pub use_secure_cookies: bool,
+    pub max_body_size: usize,
+}
+
 fn generate_csrf_token() -> String {
     let mut buf = [0u8; CSRF_TOKEN_LEN];
     rand::fill(&mut buf);
@@ -29,7 +35,7 @@ fn extract_csrf_field(body: &[u8]) -> Option<String> {
 }
 
 pub async fn csrf_middleware(
-    State(use_secure_cookies): State<bool>,
+    State(config): State<CsrfConfig>,
     req: axum::http::Request<axum::body::Body>,
     next: Next,
 ) -> axum::response::Response {
@@ -42,7 +48,7 @@ pub async fn csrf_middleware(
     if is_post && is_web && !is_login {
         let cookie_token_for_check = cookie_token.clone();
         let (parts, body) = req.into_parts();
-        let bytes = match axum::body::to_bytes(body, 10 * 1024 * 1024).await {
+        let bytes = match axum::body::to_bytes(body, config.max_body_size).await {
             Ok(b) => b,
             Err(_) => {
                 return (axum::http::StatusCode::BAD_REQUEST, "request too large").into_response();
@@ -71,11 +77,14 @@ pub async fn csrf_middleware(
         let mut resp = next.run(req).await;
         if needs_cookie {
             let token = generate_csrf_token();
-            let secure_flag = if use_secure_cookies { "; Secure" } else { "" };
-            if let Ok(val) = format!(
-                "{CSRF_COOKIE_NAME}={token}; Path=/web; HttpOnly; SameSite=Strict{secure_flag}"
-            )
-            .parse()
+            let secure_flag = if config.use_secure_cookies {
+                "; Secure"
+            } else {
+                ""
+            };
+            if let Ok(val) =
+                format!("{CSRF_COOKIE_NAME}={token}; Path=/web; SameSite=Strict{secure_flag}")
+                    .parse()
             {
                 resp.headers_mut().append("set-cookie", val);
             }

src/middleware/csrf.rs

@@ -4,5 +4,32 @@ mod csrf;
 mod rate_limit;
 
 pub use admin_auth::admin_auth_middleware;
-pub use csrf::csrf_middleware;
+pub use csrf::{csrf_middleware, CsrfConfig};
 pub use rate_limit::{new_rate_limiter_state, rate_limit_middleware};
+
+/// Derives a cookie-safe token from the admin token using SHA-256.
+pub fn hash_token_for_cookie(token: &str) -> String {
+    use sha2::{Digest, Sha256};
+    hex::encode(Sha256::digest(token.as_bytes()))
+}
+
+pub async fn security_headers_middleware(
+    req: axum::http::Request<axum::body::Body>,
+    next: axum::middleware::Next,
+) -> axum::response::Response {
+    let mut resp = next.run(req).await;
+    let h = resp.headers_mut();
+    h.insert("x-content-type-options", "nosniff".parse().unwrap());
+    h.insert("x-frame-options", "DENY".parse().unwrap());
+    h.insert(
+        "referrer-policy",
+        "strict-origin-when-cross-origin".parse().unwrap(),
+    );
+    h.insert(
+        "content-security-policy",
+        "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none'"
+            .parse()
+            .unwrap(),
+    );
+    resp
+}

src/middleware/mod.rs

@@ -5,6 +5,7 @@ use std::collections::HashMap;
 use std::sync::{Arc, Mutex};
 
 const ADMIN_RATE_LIMIT: u32 = 120;
+const LOGIN_RATE_LIMIT: u32 = 10;
 const ADMIN_RATE_WINDOW_SECS: u64 = 60;
 
 pub(crate) struct IpBucket {
@@ -61,7 +62,15 @@ fn check_rate_limit(
         inner.last_cleanup = now;
     }
 
-    let bucket = inner.buckets.entry(ip).or_insert(IpBucket {
+    let is_login_post =
+        req.uri().path() == "/web/login" && req.method() == axum::http::Method::POST;
+    let (key, limit) = if is_login_post {
+        (format!("{ip}:login"), LOGIN_RATE_LIMIT)
+    } else {
+        (ip, ADMIN_RATE_LIMIT)
+    };
+
+    let bucket = inner.buckets.entry(key).or_insert(IpBucket {
         count: 0,
         window_start: now,
     });
@@ -71,7 +80,7 @@ fn check_rate_limit(
         bucket.window_start = now;
     }
 
-    if bucket.count >= ADMIN_RATE_LIMIT {
+    if bucket.count >= limit {
         false
     } else {
         bucket.count += 1;

src/middleware/rate_limit.rs

@@ -1,4 +1,5 @@
 use dashmap::DashMap;
+use std::sync::atomic::{AtomicU64, Ordering};
 use std::sync::Mutex;
 
 /// A sliding window over 60 one-second buckets.
@@ -56,6 +57,7 @@ pub struct NotifyRateLimiter {
     global_window: Mutex<SlidingWindow>,
     project_limit: u32,
     global_limit: u32,
+    last_cleanup: AtomicU64,
 }
 
 impl NotifyRateLimiter {
@@ -65,12 +67,25 @@ impl NotifyRateLimiter {
             global_window: Mutex::new(SlidingWindow::new()),
             project_limit,
             global_limit,
+            last_cleanup: AtomicU64::new(0),
         }
     }
 
     /// Returns `true` if the notification is allowed, `false` if rate-limited.
     pub fn check_and_record(&self, project_id: u64, now_secs: u64) -> bool {
-        // Check per-project limit
+        // Periodic cleanup: evict stale project entries every 2 minutes
+        let last = self.last_cleanup.load(Ordering::Relaxed);
+        if now_secs.saturating_sub(last) >= 120
+            && self
+                .last_cleanup
+                .compare_exchange(last, now_secs, Ordering::Relaxed, Ordering::Relaxed)
+                .is_ok()
+        {
+            self.project_windows
+                .retain(|_, w| now_secs.saturating_sub(w.current_second) < 120);
+        }
+
+        // Check per-project limit (don't increment yet -- wait for global check)
         if self.project_limit > 0 {
             let mut entry = self
                 .project_windows
@@ -81,7 +96,6 @@ impl NotifyRateLimiter {
             if window.count() >= self.project_limit {
                 return false;
             }
-            window.increment(now_secs);
         }
 
         // Check global limit
@@ -94,6 +108,13 @@ impl NotifyRateLimiter {
             global.increment(now_secs);
         }
 
+        // Both limits passed -- now safe to increment per-project
+        if self.project_limit > 0 {
+            if let Some(mut entry) = self.project_windows.get_mut(&project_id) {
+                entry.value_mut().increment(now_secs);
+            }
+        }
+
         true
     }
 }