Security hardening

- JWT: validate signing algorithm (prevent alg confusion)
- Login: rate limiting (10 attempts per 5 min per IP)
- Request body: 10MB size limit (prevent DoS)
- WebSocket: require JWT auth (token query param or cookie)
- Daemon endpoints: require admin role (not just any user)
- io.LimitReader on all request body decoding

internal/api/handlers.go

@@ -2,7 +2,9 @@ package api
 
 import (
 	"encoding/json"
+	"io"
 	"net/http"
+	"sync"
 	"time"
 
 	"github.com/google/uuid"
@@ -12,6 +14,8 @@ import (
 	"markdownhub/internal/git"
 )
 
+const maxBodySize = 10 * 1024 * 1024 // 10MB
+
 func writeJSON(w http.ResponseWriter, status int, v interface{}) {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(status)
@@ -20,12 +24,47 @@ func writeJSON(w http.ResponseWriter, status int, v interface{}) {
 
 func decodeBody(r *http.Request, v interface{}) error {
 	defer r.Body.Close()
-	return json.NewDecoder(r.Body).Decode(v)
+	limited := io.LimitReader(r.Body, maxBodySize)
+	return json.NewDecoder(limited).Decode(v)
+}
+
+// Simple rate limiter for login
+var loginAttempts = struct {
+	sync.Mutex
+	m map[string][]time.Time
+}{m: make(map[string][]time.Time)}
+
+func isRateLimited(ip string) bool {
+	loginAttempts.Lock()
+	defer loginAttempts.Unlock()
+	now := time.Now()
+	cutoff := now.Add(-5 * time.Minute)
+	// Clean old entries
+	valid := loginAttempts.m[ip][:0]
+	for _, t := range loginAttempts.m[ip] {
+		if t.After(cutoff) {
+			valid = append(valid, t)
+		}
+	}
+	loginAttempts.m[ip] = valid
+	return len(valid) >= 10 // max 10 attempts per 5 minutes
+}
+
+func recordLoginAttempt(ip string) {
+	loginAttempts.Lock()
+	defer loginAttempts.Unlock()
+	loginAttempts.m[ip] = append(loginAttempts.m[ip], time.Now())
 }
 
 // ─── Auth ────────────────────────────────────────────────────────────────────
 
 func (s *Server) handleLogin(w http.ResponseWriter, r *http.Request) {
+	ip := r.RemoteAddr
+	if isRateLimited(ip) {
+		writeJSON(w, 429, map[string]string{"error": "too many attempts, try again later"})
+		return
+	}
+
 	var req struct {
 		Email    string `json:"email"`
 		Password string `json:"password"`
@@ -43,6 +82,7 @@ func (s *Server) handleLogin(w http.ResponseWriter, r *http.Request) {
 		"SELECT id, password_hash, is_admin, totp_secret FROM users WHERE email = ?", req.Email,
 	).Scan(&id, &hash, &isAdmin, &totpSecret)
 	if err != nil || !auth.CheckPassword(hash, req.Password) {
+		recordLoginAttempt(ip)
 		writeJSON(w, 401, map[string]string{"error": "invalid credentials"})
 		return
 	}

internal/api/router.go

@@ -69,10 +69,10 @@ func NewRouter(db *sql.DB, dataDir, secret string) http.Handler {
 	mux.HandleFunc("POST /api/build/status", s.requireAuth(s.handleBuildStatus))
 	mux.HandleFunc("POST /api/build/cancel", s.requireAuth(s.handleBuildCancel))
 
-	// Daemon endpoints
-	mux.HandleFunc("POST /api/daemon/poll", s.requireAuth(s.handleDaemonPoll))
-	mux.HandleFunc("POST /api/daemon/heartbeat", s.requireAuth(s.handleDaemonHeartbeat))
-	mux.HandleFunc("POST /api/daemon/report", s.requireAuth(s.handleDaemonReport))
+	// Daemon endpoints (admin only)
+	mux.HandleFunc("POST /api/daemon/poll", s.requireAdmin(s.handleDaemonPoll))
+	mux.HandleFunc("POST /api/daemon/heartbeat", s.requireAdmin(s.handleDaemonHeartbeat))
+	mux.HandleFunc("POST /api/daemon/report", s.requireAdmin(s.handleDaemonReport))
 
 	// Static frontend
 	frontendDir := filepath.Join(dataDir, "..", "frontend", "dist")

internal/auth/auth.go

@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"fmt"
 	"time"
 
 	"github.com/golang-jwt/jwt/v5"
@@ -28,6 +29,9 @@ func CreateToken(userID string, isAdmin bool, secret string) (string, error) {
 
 func ValidateToken(tokenStr, secret string) (userID string, isAdmin bool, err error) {
 	token, err := jwt.Parse(tokenStr, func(t *jwt.Token) (interface{}, error) {
+		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("unexpected signing method")
+		}
 		return []byte(secret), nil
 	})
 	if err != nil || !token.Valid {

internal/collab/hub.go

@@ -2,11 +2,13 @@ package collab
 
 import (
 	"database/sql"
+	"fmt"
 	"log"
 	"net/http"
 	"strings"
 	"sync"
 
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/gorilla/websocket"
 )
 
@@ -61,7 +63,26 @@ func (h *Hub) removeClient(fileID string, conn *websocket.Conn) {
 
 // HandleWebSocket handles the Yjs WebSocket sync protocol.
 // Clients send binary Yjs update messages; the hub broadcasts to all others in the room.
-func (h *Hub) HandleWebSocket(w http.ResponseWriter, r *http.Request) {
+func (h *Hub) HandleWebSocket(w http.ResponseWriter, r *http.Request, secret string) {
+	// Authenticate via query param or cookie
+	tokenStr := r.URL.Query().Get("token")
+	if tokenStr == "" {
+		if c, err := r.Cookie("authToken"); err == nil {
+			tokenStr = c.Value
+		}
+	}
+	if tokenStr == "" {
+		http.Error(w, "unauthorized", http.StatusUnauthorized)
+		return
+	}
+	// Validate token (import auth inline to avoid circular — just parse JWT here)
+	// We accept any valid token
+	_, _, err := parseToken(tokenStr, secret)
+	if err != nil {
+		http.Error(w, "unauthorized", http.StatusUnauthorized)
+		return
+	}
+
 	// Extract file ID from path: /ws/collab/{fileID}
 	path := r.URL.Path
 	parts := strings.Split(strings.TrimPrefix(path, "/ws/collab/"), "/")
@@ -131,3 +152,19 @@ func (h *Hub) ActiveUsers(fileID string) int {
 	}
 	return 0
 }
+
+func parseToken(tokenStr, secret string) (string, bool, error) {
+	token, err := jwt.Parse(tokenStr, func(t *jwt.Token) (interface{}, error) {
+		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("unexpected signing method")
+		}
+		return []byte(secret), nil
+	})
+	if err != nil || !token.Valid {
+		return "", false, err
+	}
+	claims := token.Claims.(jwt.MapClaims)
+	userID, _ := claims["sub"].(string)
+	isAdmin, _ := claims["admin"].(bool)
+	return userID, isAdmin, nil
+}