feat(config): integrate rate limiting and CORS configuration from furt.conf

- Add RateLimiter:configure() function to accept config-based limits - Integrate security section parameters (rate_limit_api_key_max, ip_max, window) - Add CORS configuration from config file with environment fallback - Replace hardcoded rate limiting defaults with configurable values - Add test endpoint control via config.security.enable_test_endpoint - Update startup logging to show actual configured rate limits - Add configuration validation and detailed startup information Rate limiting now uses values from [security] section instead of hardcoded defaults. CORS origins prioritize config file over environment variables. Related to DAW/furt#89
2025-08-29 20:01:47 +02:00 · 2025-08-29 20:01:47 +02:00 · 5c17c86fd4
commit 5c17c86fd4
parent ecd4f68595
4 changed files with 128 additions and 49 deletions
--- a/src/main.lua
+++ b/src/main.lua
@ -1,4 +1,4 @@
-- furt-lua/src/main.lua
+-- src/main.lua
 -- Pure Lua HTTP-Server for Furt API-Gateway
 -- Dragons@Work Digital Sovereignty Project

@ -256,8 +256,17 @@ function FurtServer:start()
    print("Content-Hash: " .. (version_info.content_hash or "unknown"))
    print("VCS: " .. (version_info.vcs_info and version_info.vcs_info.hash or "none"))
    print("API-Key authentication: ENABLED")
-    print("Rate limiting: ENABLED (60 req/hour per API key, 100 req/hour per IP)")
-    print("CORS enabled for configured origins")
+
+    -- Show actual configured rate limits
+    local rate_limits = config.security and config.security.rate_limits
+    if rate_limits then
+        print(string.format("Rate limiting: ENABLED (%d req/hour per API key, %d req/hour per IP)",
+              rate_limits.api_key_max, rate_limits.ip_max))
+    else
+        print("Rate limiting: ENABLED (default values)")
+    end
+
+    print("CORS enabled for " .. (#config.cors.allowed_origins) .. " configured origins")
    print("Press Ctrl+C to stop")

    while true do
@ -288,20 +297,21 @@ server:add_route("GET", "/health", function(request, server)
            smtp_configured = config.smtp_default and config.smtp_default.host ~= nil,
            auth_enabled = true,
            rate_limiting = true,
+            rate_limits = config.security and config.security.rate_limits,
            merkwerk_integrated = version_info.source == "merkwerk"
        }
    }
    return server:create_response(200, response_data, nil, nil, request)
 end)

-- Test endpoint for development (disable in production)
-if os.getenv("ENABLE_TEST_ENDPOINT") == "true" then
+-- Test endpoint for development (configurable via furt.conf)
+if config.security and config.security.enable_test_endpoint then
    server:add_route("POST", "/test", function(request, server)
        local response_data = {
            message = "Test endpoint working",
            received_data = request.body,
            headers_count = 0,
-            warning = "This is a development endpoint"
+            warning = "This is a development endpoint (enabled via config)"
        }

        -- Count headers
@ -311,7 +321,7 @@ if os.getenv("ENABLE_TEST_ENDPOINT") == "true" then

        return server:create_response(200, response_data, nil, nil, request)
    end)
-    print("[WARN] Test endpoint enabled (development mode)")
+    print("[WARN] Test endpoint enabled via configuration")
 end

 -- Protected routes (require authentication)