feat(config): integrate rate limiting and CORS configuration from furt.conf

- Add RateLimiter:configure() function to accept config-based limits - Integrate security section parameters (rate_limit_api_key_max, ip_max, window) - Add CORS configuration from config file with environment fallback - Replace hardcoded rate limiting defaults with configurable values - Add test endpoint control via config.security.enable_test_endpoint - Update startup logging to show actual configured rate limits - Add configuration validation and detailed startup information Rate limiting now uses values from [security] section instead of hardcoded defaults. CORS origins prioritize config file over environment variables. Related to DAW/furt#89
2025-08-29 20:01:47 +02:00 · 2025-08-29 20:01:47 +02:00 · 5c17c86fd4
commit 5c17c86fd4
parent ecd4f68595
4 changed files with 128 additions and 49 deletions
--- a/config/server.lua
+++ b/config/server.lua
@ -7,6 +7,45 @@ local ConfigParser = require("src.config_parser")
 -- Load configuration from furt.conf
 local config = ConfigParser.load_config()

+-- Configure rate limiting from config
+local RateLimiter = require("src.rate_limiter")
+local rate_limits = {
+    api_key_max = config.security and config.security.rate_limit_api_key_max or 60,
+    ip_max = config.security and config.security.rate_limit_ip_max or 100,
+    window = config.security and config.security.rate_limit_window or 3600
+}
+RateLimiter:configure(rate_limits)
+
+-- Parse CORS origins from config or environment
+local function get_cors_origins()
+    -- 1. Try config file first
+    if config.server.cors_allowed_origins then
+        local origins = {}
+        for origin in config.server.cors_allowed_origins:gmatch("([^,]+)") do
+            table.insert(origins, origin:match("^%s*(.-)%s*$"))
+        end
+        return origins
+    end
+
+    -- 2. Try environment variable
+    local env_origins = os.getenv("CORS_ALLOWED_ORIGINS")
+    if env_origins then
+        local origins = {}
+        for origin in env_origins:gmatch("([^,]+)") do
+            table.insert(origins, origin:match("^%s*(.-)%s*$"))
+        end
+        return origins
+    end
+
+    -- 3. Development defaults
+    return {
+        "http://localhost:1313",      -- Hugo dev server
+        "http://127.0.0.1:1313",     -- Hugo dev server alternative
+        "http://localhost:3000",     -- Common dev port
+        "http://127.0.0.1:3000"      -- Common dev port alternative
+    }
+end
+
 -- Add legacy compatibility and runtime enhancements
 local server_config = {
    -- HTTP Server settings (from [server] section)
@ -16,33 +55,21 @@ local server_config = {
    -- Timeouts and limits
    client_timeout = config.server.client_timeout or 10,

-    -- CORS Configuration
+    -- CORS Configuration (prioritize config file over environment)
    cors = {
-        allowed_origins = (function()
-            local env_origins = os.getenv("CORS_ALLOWED_ORIGINS")
-            if env_origins then
-                -- Parse comma-separated list from environment
-                local origins = {}
-                for origin in env_origins:gmatch("([^,]+)") do
-                    table.insert(origins, origin:match("^%s*(.-)%s*$"))
-                end
-                return origins
-            else
-                -- Default development origins
-                return {
-                    "http://localhost:1313",      -- Hugo dev server
-                    "http://127.0.0.1:1313",     -- Hugo dev server alternative
-                    "http://localhost:3000",     -- Common dev port
-                    "http://127.0.0.1:3000"      -- Common dev port alternative
-                }
-            end
-        end)()
+        allowed_origins = get_cors_origins()
    },

    -- Logging
    log_level = config.server.log_level or "info",
    log_requests = config.server.log_requests or true,

+    -- Security settings
+    security = {
+        enable_test_endpoint = config.security and config.security.enable_test_endpoint or false,
+        rate_limits = rate_limits
+    },
+
    -- API Keys (converted from nginx-style to old format for backward compatibility)
    api_keys = config.api_keys,

@ -62,8 +89,18 @@ local server_config = {
 print("Furt Multi-Tenant Configuration Loaded:")
 print("  Server: " .. server_config.host .. ":" .. server_config.port)
 print("  Log Level: " .. server_config.log_level)
+
+-- Print CORS configuration
+print("  CORS Origins:")
+for i, origin in ipairs(server_config.cors.allowed_origins) do
+    print("    " .. i .. ": " .. origin)
+end
+
+-- Print security configuration
+print("  Test Endpoint: " .. (server_config.security.enable_test_endpoint and "enabled" or "disabled"))
 print("  Default SMTP: " .. (config.smtp_default.host or "not configured"))

+-- Print API key information
 local api_key_count = 0
 for key_name, key_config in pairs(config.api_keys) do
    api_key_count = api_key_count + 1