feat(config): integrate rate limiting and CORS configuration from furt.conf

- Add RateLimiter:configure() function to accept config-based limits
- Integrate security section parameters (rate_limit_api_key_max, ip_max, window)
- Add CORS configuration from config file with environment fallback
- Replace hardcoded rate limiting defaults with configurable values
- Add test endpoint control via config.security.enable_test_endpoint
- Update startup logging to show actual configured rate limits
- Add configuration validation and detailed startup information

Rate limiting now uses values from [security] section instead of hardcoded
defaults. CORS origins prioritize config file over environment variables.

Related to DAW/furt#89

config/furt.conf.example

@@ -4,8 +4,20 @@
 # Server configuration
 [server]
 host = 127.0.0.1
-port = 8080
+port = 7811
 log_level = info
+log_requests = true
+client_timeout = 10
+
+# CORS configuration
+cors_allowed_origins = http://localhost:1313,http://127.0.0.1:1313,https://dragons-at-work.de,https://www.dragons-at-work.de
+
+# Security settings
+[security]
+rate_limit_api_key_max = 60
+rate_limit_ip_max = 100
+rate_limit_window = 3600
+enable_test_endpoint = false
 
 # Default SMTP settings (used when API keys don't have custom SMTP)
 [smtp_default]

config/server.lua

@@ -7,6 +7,45 @@ local ConfigParser = require("src.config_parser")
 -- Load configuration from furt.conf
 local config = ConfigParser.load_config()
 
+-- Configure rate limiting from config
+local RateLimiter = require("src.rate_limiter")
+local rate_limits = {
+    api_key_max = config.security and config.security.rate_limit_api_key_max or 60,
+    ip_max = config.security and config.security.rate_limit_ip_max or 100,
+    window = config.security and config.security.rate_limit_window or 3600
+}
+RateLimiter:configure(rate_limits)
+
+-- Parse CORS origins from config or environment
+local function get_cors_origins()
+    -- 1. Try config file first
+    if config.server.cors_allowed_origins then
+        local origins = {}
+        for origin in config.server.cors_allowed_origins:gmatch("([^,]+)") do
+            table.insert(origins, origin:match("^%s*(.-)%s*$"))
+        end
+        return origins
+    end
+
+    -- 2. Try environment variable
+    local env_origins = os.getenv("CORS_ALLOWED_ORIGINS")
+    if env_origins then
+        local origins = {}
+        for origin in env_origins:gmatch("([^,]+)") do
+            table.insert(origins, origin:match("^%s*(.-)%s*$"))
+        end
+        return origins
+    end
+
+    -- 3. Development defaults
+    return {
+        "http://localhost:1313",      -- Hugo dev server
+        "http://127.0.0.1:1313",     -- Hugo dev server alternative
+        "http://localhost:3000",     -- Common dev port
+        "http://127.0.0.1:3000"      -- Common dev port alternative
+    }
+end
+
 -- Add legacy compatibility and runtime enhancements
 local server_config = {
     -- HTTP Server settings (from [server] section)
@@ -16,33 +55,21 @@ local server_config = {
     -- Timeouts and limits
     client_timeout = config.server.client_timeout or 10,
 
-    -- CORS Configuration
+    -- CORS Configuration (prioritize config file over environment)
     cors = {
-        allowed_origins = (function()
-            local env_origins = os.getenv("CORS_ALLOWED_ORIGINS")
-            if env_origins then
-                -- Parse comma-separated list from environment
-                local origins = {}
-                for origin in env_origins:gmatch("([^,]+)") do
-                    table.insert(origins, origin:match("^%s*(.-)%s*$"))
-                end
-                return origins
-            else
-                -- Default development origins
-                return {
-                    "http://localhost:1313",      -- Hugo dev server
-                    "http://127.0.0.1:1313",     -- Hugo dev server alternative
-                    "http://localhost:3000",     -- Common dev port
-                    "http://127.0.0.1:3000"      -- Common dev port alternative
-                }
-            end
-        end)()
+        allowed_origins = get_cors_origins()
     },
 
     -- Logging
     log_level = config.server.log_level or "info",
     log_requests = config.server.log_requests or true,
 
+    -- Security settings
+    security = {
+        enable_test_endpoint = config.security and config.security.enable_test_endpoint or false,
+        rate_limits = rate_limits
+    },
+
     -- API Keys (converted from nginx-style to old format for backward compatibility)
     api_keys = config.api_keys,
 
@@ -62,8 +89,18 @@ local server_config = {
 print("Furt Multi-Tenant Configuration Loaded:")
 print("  Server: " .. server_config.host .. ":" .. server_config.port)
 print("  Log Level: " .. server_config.log_level)
+
+-- Print CORS configuration
+print("  CORS Origins:")
+for i, origin in ipairs(server_config.cors.allowed_origins) do
+    print("    " .. i .. ": " .. origin)
+end
+
+-- Print security configuration
+print("  Test Endpoint: " .. (server_config.security.enable_test_endpoint and "enabled" or "disabled"))
 print("  Default SMTP: " .. (config.smtp_default.host or "not configured"))
 
+-- Print API key information
 local api_key_count = 0
 for key_name, key_config in pairs(config.api_keys) do
     api_key_count = api_key_count + 1