add registration security: bcrypt secret key, length validation, duplicate check, rate limiting

bin/routes/auth_routes.dart

@@ -1,8 +1,8 @@
+import 'package:bcrypt/bcrypt.dart';
+import 'package:dotenv/dotenv.dart';
+import 'package:dart_jsonwebtoken/dart_jsonwebtoken.dart';
 import 'package:shelf/shelf.dart';
 import 'package:shelf_router/shelf_router.dart';
-import 'package:bcrypt/bcrypt.dart';
-import 'package:dart_jsonwebtoken/dart_jsonwebtoken.dart';
-import 'package:dotenv/dotenv.dart';
 import '../database/database_provider.dart';
 import '../middleware/auth_middleware.dart';
 import '../middleware/request_logger.dart';
@@ -11,6 +11,7 @@ import 'dart:io';
 
 class AuthRoutes {
   final DatabaseProvider database;
+  final Map<String, DateTime> _lastRequest = {};
 
   AuthRoutes(this.database);
 
@@ -23,7 +24,34 @@ class AuthRoutes {
     return router;
   }
 
+  String _getClientIp(Request request) {
+    final forwarded = request.headers['x-forwarded-for'];
+    if (forwarded != null) {
+      return forwarded.split(',').first.trim();
+    }
+    final xRealIp = request.headers['x-real-ip'];
+    if (xRealIp != null) {
+      return xRealIp;
+    }
+    return '127.0.0.1';
+  }
+
+  Future<Response?> _rateLimitCheck(Request request, String key) async {
+    final ip = _getClientIp(request);
+    final rateKey = '$key:$ip';
+    final now = DateTime.now();
+    final lastRequest = _lastRequest[rateKey];
+    if (lastRequest != null && now.difference(lastRequest).inSeconds < 10) {
+      return Response(429, body: jsonEncode({'error': 'Too many requests. Please wait 10 seconds.'}), headers: {'Content-Type': 'application/json'});
+    }
+    _lastRequest[rateKey] = now;
+    return null;
+  }
+
   Future<Response> _login(Request request) async {
+    final rateLimit = await _rateLimitCheck(request, 'login');
+    if (rateLimit != null) return rateLimit;
+
     final body = await request.readAsString();
     final data = jsonDecode(body);
 
@@ -58,6 +86,9 @@ class AuthRoutes {
   }
 
   Future<Response> _register(Request request) async {
+    final rateLimit = await _rateLimitCheck(request, 'reg');
+    if (rateLimit != null) return rateLimit;
+
     final stopwatch = Stopwatch()..start();
     final body = await request.readAsString();
     logRequest(method: 'POST', url: '/reg', status: 444, duration: stopwatch.elapsed, body: body);
@@ -65,9 +96,41 @@ class AuthRoutes {
 
     final login = data['login'];
     final password = data['password'];
+    final secretKey = data['secret_key'];
 
-    await database.createUser(login, password);
-    await database.createLog(login, 'User registration');
+    if (login is! String || login.length <= 4) {
+      stopwatch.stop();
+      final response = Response(400, body: jsonEncode({'error': 'Login must be more than 4 characters'}), headers: {'Content-Type': 'application/json'});
+      logRequest(method: 'POST', url: '/reg', status: 400, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers);
+      return response;
+    }
+
+    if (password is! String || password.length <= 8) {
+      stopwatch.stop();
+      final response = Response(400, body: jsonEncode({'error': 'Password must be more than 8 characters'}), headers: {'Content-Type': 'application/json'});
+      logRequest(method: 'POST', url: '/reg', status: 400, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers);
+      return response;
+    }
+
+    final envDotenv = DotEnv();
+    final storedHash = envDotenv['REGISTRATION_SECRET_KEY'] ?? '';
+
+    if (!BCrypt.checkpw(secretKey, storedHash)) {
+      stopwatch.stop();
+      final response = Response(403, body: jsonEncode({'error': 'Invalid registration key'}), headers: {'Content-Type': 'application/json'});
+      logRequest(method: 'POST', url: '/reg', status: 403, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers);
+      return response;
+    }
+
+    try {
+      await database.createUser(login, password);
+      await database.createLog(login, 'User registration');
+    } catch (e) {
+      stopwatch.stop();
+      final response = Response(400, body: jsonEncode({'error': e.toString()}), headers: {'Content-Type': 'application/json'});
+      logRequest(method: 'POST', url: '/reg', status: 400, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers);
+      return response;
+    }
     stopwatch.stop();
     final response = Response(201, body: jsonEncode({'message': 'User registered'}), headers: {'Content-Type': 'application/json'});
     logRequest(method: 'POST', url: '/reg', status: 201, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers);
@@ -123,4 +186,4 @@ class AuthRoutes {
     final response = Response(200, body: html, headers: {'Content-Type': 'text/html'});
     return response;
   }
-}
+}