Copilot AI commented Oct 26, 2025

Hardens production deployment with per-route rate limiting, updates chain selection to match APIV2 support status, and adds server-side deployment automation.

Rate Limiting

Per-route limits with Redis fallback:

  • /api/auth/login: 5/min per IP → {"error": "rate_limited"}
  • /api/admin/*: 60/min per IP (unified across all admin routes)
  • /api/auth/me: 30/min per IP

import RedisStore from 'rate-limit-redis';
// `redis` is the project's client wrapper (its module path is not shown in this summary)

// Auto-detects Redis, falls back to in-memory: returning undefined lets
// express-rate-limit use its default MemoryStore
function getRedisStore() {
  const client = redis.getClient();
  return client?.isOpen
    ? new RedisStore({ sendCommand: (...args) => client.sendCommand(args) })
    : undefined;
}

Test coverage:

  • Rate limit enforcement and 429 responses
  • HEAD /api/admin/settings → 401 without auth (not 500)

Chain Configuration

9 APIV2-supported chains by default:

  • [1, 10, 56, 137, 42161, 43114, 8453, 324, 5000]
  • Excludes Linea (59144) pending full vendor support
  • Cronos (25) visible with disabled checkbox + "unsupported" badge

One-Click Deploy

~/.deploy/deploy-frontend.sh:

  • Detects Nginx web root via nginx -T | awk parsing
  • Timestamped backup of current deployment
  • rsync --delete to web root
  • Sanity checks: curl -I https://haswork.dev{,/api/chains} → 200

VS Code task: Deploy: ExplorerToken frontend

{
  "label": "Deploy: ExplorerToken frontend",
  "command": "bash ~/.deploy/deploy-frontend.sh",
  "presentation": { "reveal": "always", "panel": "dedicated" }
}

README: Deploy instructions, expected success signals, security checks.

Original prompt

You’re in the HasDevX/ExplorerToken repo connected to the server via VS Code Remote-SSH. PR “chains loader dual shape” is merged. Make the project production-ready with the smallest set of concrete changes and a one-click FE deploy. Do EVERYTHING below, then show me a concise diff summary and how to run the tasks.

Scope:

Backend security/rate limiting

Add per-route rate limits using express-rate-limit:

/api/auth/login: 5/min per IP (burst allowed up to 10), 429 JSON { "error": "rate_limited" }.

/api/admin/*: 60/min per IP, same 429 shape.

Use a Redis store if Redis is present; otherwise fall back to in-memory store without breaking.

Centralize in backend/src/middleware/rateLimiters.ts. Wire in backend/src/index.ts (or the router where those routes are mounted).

Add minimal tests (or integration checks) to assert 429 is returned under load.

Keep Prettier/ESLint passing.

Admin HEAD hardening check (already fixed)

Add a tiny test that unauthenticated HEAD /api/admin/settings → 401 (or 403, whichever we return), not 500.

Frontend polish to match product state

In the chain selector / dashboard state, default selectedChainIds to the 9 supported APIV2 chains:

1, 10, 56, 137, 42161, 43114, 8453, 324, 5000

Display Cronos (25) with a small unsupported badge but don’t include it by default.

Ensure FE continues to tolerate both /api/chains shapes (already merged), do not regress that.

One-click Frontend Deploy (server-side)

Create ~/.deploy/deploy-frontend.sh (bash) on the server with:

set -euo pipefail

From repo root: build FE (cd frontend && npm ci && npm run build).

Detect Nginx web root for haswork.dev via sudo nginx -T | awk (find the server_name haswork.dev; block and get its root directive). If multiple, pick the one serving / with index defined.

Backup current web root to root_backup_ (only the existing static assets directory, not all of /var/www), then rsync frontend/dist/ into the web root (preserve dirs, delete removed files).

curl -I https://haswork.dev and curl -I https://haswork.dev/api/chains sanity: expect HTTP/2 200.

Print a final “✅ Frontend deploy done.”

Make sure the script doesn’t require password prompts during deploy. If needed, print a one-line visudo snippet for the operator:

deploy ALL=(ALL) NOPASSWD:/usr/sbin/nginx

(We don’t need a reload for static file swaps, but include the note.)

VS Code task: one-click FE deploy

In ~/ExplorerToken/.vscode/tasks.json, append a new task:

label: “Deploy: ExplorerToken frontend”

command: bash ~/.deploy/deploy-frontend.sh

dedicated panel, reveal always.

Do not remove the backend deploy task.

Docs

In README.md, add a short “Deploy from VS Code (Remote-SSH)” section with:

Backend task name and what it does.

Frontend task name and what it does.

Expected success signals (status shows active (running); curl -I / and curl -I /api/chains → 200; unauth HEAD /api/admin/settings → 401/403; no 500s).

Acceptance Criteria (must pass):

Backend builds (npm run build).

Hitting /api/auth/login rapidly triggers 429 with the specified JSON.

Hitting /api/admin/settings rapidly triggers 429 with the specified JSON when exceeding the limit.

HEAD /api/admin/settings without auth returns 401/403, not 500.

FE builds; running the “Deploy: ExplorerToken frontend” task copies dist/ to the correct Nginx root and curl -I https://haswork.dev returns 200.

Chain selector shows the 9 supported chains selected by default, and Cronos (25) visible with an unsupported badge.

Deliverables to show me:

List of files changed/added.

Any environment variables added (if Redis store needs configuration).

Exact commands or VS Code tasks to run (backend deploy already exists; include the new frontend task).

The output snippet from a sample rate-limit 429 (one line).

The output of curl -I https://haswork.dev and curl -I https://haswork.dev/api/chains after FE deploy.

Make minimal, targeted diffs. Don’t widen scope. When finished, summarize in ≤10 lines.



Co-authored-by: wecooked01-sketch <227119580+wecooked01-sketch@users.noreply.github.com>
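The server-side deploy described in the PR summary and in the original prompt (find the server_name haswork.dev block in nginx -T output and take its root, prefer the block serving / with an index, back up, rsync --delete, curl sanity checks) hinges on one parsing step that decides where --delete runs, so that step deserves a guard. The bash below is an added example, not the PR's ~/.deploy/deploy-frontend.sh: the functions nginx_root_for, check_web_root and deploy_frontend, the variables WEB_ROOT_PREFIX, RUN_DEPLOY and REPO_DIR, and the sample nginx -T output are all this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the PR's ~/.deploy/deploy-frontend.sh. Shows the
# "detect Nginx web root via nginx -T | awk" step plus the guard a deployer
# should put in front of `rsync --delete`, so a wrong or empty root can never
# wipe the wrong directory. Names and variables here are this example's own.
set -eu
(set -o pipefail) 2>/dev/null && set -o pipefail

# nginx_root_for NAME   (reads `nginx -T` output on stdin)
# Prints the server-level `root` of the server block whose server_name lists
# NAME. If several blocks match, prefers the one declaring `location /` with an
# `index` directive. Exits 1 when nothing matches or the match is ambiguous.
# Limitation: expects one directive or brace per line, as nginx -T normally prints.
nginx_root_for() {
  awk -v want="$1" '
    function strip(s) { sub(/#.*/, "", s); gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    BEGIN { n = 0 }
    {
      line = strip($0)
      if (line == "") next
      if (line ~ /[{]$/) {                                   # a block opens
        depth++
        if (line ~ /^server[ \t]*[{]$/) { in_server = 1; sdepth = depth; hit = 0; root = ""; has_index = 0; in_loc = 0 }
        else if (in_server && depth == sdepth + 1 && line ~ /^location[ \t]+\/[ \t]*[{]$/) in_loc = 1
        next
      }
      if (line ~ /^[}]/) {                                   # a block closes
        if (in_loc && depth == sdepth + 1) in_loc = 0
        if (in_server && depth == sdepth) {
          if (hit && root != "") { roots[n] = root; pref[n] = has_index; n++ }
          in_server = 0
        }
        depth--
        next
      }
      if (!in_server) next
      sub(/;$/, "", line)
      split(line, f, /[ \t]+/)
      if (f[1] == "server_name") { for (i = 2; i in f; i++) if (f[i] == want) hit = 1 }
      else if (f[1] == "root" && depth == sdepth) root = f[2]   # server-level root only
      else if (f[1] == "index" && in_loc) has_index = 1
    }
    END {
      if (n == 0) { print "no server block for " want " with a root directive" > "/dev/stderr"; exit 1 }
      if (n == 1) { print roots[0]; exit 0 }
      for (i = 0; i < n; i++) if (pref[i]) { print roots[i]; exit 0 }
      print "ambiguous: " n " server blocks match " want > "/dev/stderr"; exit 1
    }'
}

# check_web_root DIR
# Refuses anything that would make `rsync --delete` dangerous: an empty or
# relative path, "/", a path containing "..", a non-directory, or a directory
# outside WEB_ROOT_PREFIX (an assumption of this example; default /var/www).
check_web_root() {
  local dir prefix
  dir="${1%/}"
  prefix="${WEB_ROOT_PREFIX:-/var/www}"
  case "$dir" in
    ""|*..*|[!/]*) echo "refusing web root '$1'" >&2; return 1 ;;
  esac
  case "$dir" in
    "$prefix"/?*) ;;
    *) echo "web root '$dir' is outside $prefix" >&2; return 1 ;;
  esac
  [ -d "$dir" ] || { echo "web root '$dir' is not a directory" >&2; return 1; }
}

# Constructed sample of `nginx -T` output (not a real server's config). Two
# blocks name haswork.dev; only the HTTPS one serves / with an index.
SAMPLE_NGINX_T='
# configuration file /etc/nginx/nginx.conf:
http {
    include /etc/nginx/sites-enabled/*;
}
# configuration file /etc/nginx/sites-enabled/haswork.conf:
server {
    listen 443 ssl http2;
    server_name haswork.dev www.haswork.dev;
    root /var/www/haswork;
    location / {
        index index.html;
        try_files $uri $uri/ /index.html;
    }
    location /api/ {
        proxy_pass http://127.0.0.1:3000;
    }
}
server {
    listen 80;
    server_name haswork.dev;
    root /var/www/redirect-stub;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name other.example;
    root /var/www/other;
}
'
demo_root() { printf '%s\n' "$SAMPLE_NGINX_T" | nginx_root_for "$1"; }

# The deploy itself, in the order the prompt lists. Only runs with RUN_DEPLOY=1.
deploy_frontend() {
  local repo web_root backup url code
  repo="${REPO_DIR:-$HOME/ExplorerToken}"            # assumed checkout location
  (cd "$repo/frontend" && npm ci && npm run build)
  web_root=$(sudo nginx -T 2>/dev/null | nginx_root_for haswork.dev)
  check_web_root "$web_root"
  backup="${web_root}_backup_$(date +%Y%m%d-%H%M%S)"
  cp -a "$web_root" "$backup"                         # static assets only
  rsync -a --delete "$repo/frontend/dist/" "$web_root/"
  for url in https://haswork.dev https://haswork.dev/api/chains; do
    code=$(curl -sS -o /dev/null -w '%{http_code}' -I "$url")
    [ "$code" = 200 ] || { echo "sanity check failed: $url -> $code (backup in $backup)" >&2; return 1; }
  done
  echo "✅ Frontend deploy done."
}

if [ "${RUN_DEPLOY:-0}" = 1 ]; then deploy_frontend; fi
```

On the sample, nginx_root_for haswork.dev returns /var/www/haswork (the HTTP redirect block also names haswork.dev but has no location / with an index, so it loses the tie), and a name that matches no block exits 1 instead of printing an empty string that rsync would later treat as the current directory. The backup is written beside the web root, so the deploy user needs write access to the parent directory; the NOPASSWD line in the prompt only covers nginx, not the copy.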
Copilot AI and others added 4 commits October 26, 2025 15:39
…supported badge

Copilot AI changed the title [WIP] Add rate limiting for authentication routes Production hardening: rate limiting, chain defaults, one-click deploy Oct 26, 2025
Copilot finished work on behalf of wecooked01-sketch October 26, 2025 15:48