
Conversation

@mbecker20 mbecker20 commented Dec 1, 2025

Changelog

Support CORS configuration

## Specifically set list of CORS allowed origins.
## If empty, allows all origins (`*`).
## Production setups should configure this explicitly.
## Env: KOMODO_CORS_ALLOWED_ORIGINS
## Default: empty
cors_allowed_origins = []

## Tell CORS to allow credentials in requests.
## Set true only if needed for authentication proxy.
## Env: KOMODO_CORS_ALLOW_CREDENTIALS
## Default: false
cors_allow_credentials = false

Authentication rate limiting by IP

Implements configurable, API-wide authentication rate limiting. If a user calls the API with invalid credentials, they will be warned with the number of attempts remaining. If they continue to call the API with failing credentials and run out of attempts, they will be blocked from further attempts until the window ends. This mitigates brute force credential attacks on publicly accessible instances.

The client IP is extracted from the header X-FORWARDED-FOR (for reverse proxy users), followed by X-REAL-IP. You must ensure your reverse proxy adds this header; fortunately this is a default behavior on most reverse proxies and will probably just work.

It can be disabled if you would like, but it was designed to have minimal impact outside of its security role, and it is recommended to leave it enabled even on non-publicly accessible production instances. It still provides significant brute force mitigation if your network is somehow compromised.

## Disable the auth rate limiting.
## Env: KOMODO_AUTH_RATE_LIMIT_DISABLED
## Default: false
auth_rate_limit_disabled = false

## Configure the max attempts allowed within the given 'window_seconds'.
## Env: KOMODO_AUTH_RATE_LIMIT_MAX_ATTEMPTS
## Default: 5
auth_rate_limit_max_attempts = 5

## Set the rate limiting window in seconds.
## Env: KOMODO_AUTH_RATE_LIMIT_WINDOW_SECONDS
## Default: 60
auth_rate_limit_window_seconds = 60

Other

  • Remove revealing authentication response information in failing cases to improve the auth rate limiting effectiveness.
  • Apply additional input validations consistently on critical endpoints, including user signup and api key creation.
  • Apply token expiry clock skew tolerance where relevant, as generally recommended: https://curity.io/resources/learn/jwt-best-practices/#9-dealing-with-time-based-claims
  • Improve error handling in startup and alerting paths.
  • Improve typescript safety: Now enforcing "noImplicitAny": true in tsconfig.json.
  • Improve internal comments on action state concurrency guards.
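The following is an added example, not code from this PR or from Komodo, showing how the two CORS settings above translate into response headers and what a startup check for them looks like. The type and function names, the exact-match origin comparison and the rejected-entry rules are assumptions made for the illustration. The check it adds is the one a practitioner wants before enabling `cors_allow_credentials`: an empty allowed-origins list means `Access-Control-Allow-Origin: *`, and browsers fail the CORS check for any credentialed request answered with `*`, so the credentials flag is only meaningful with an explicit origin list.

```rust
/// Assumed shape of the two CORS settings from the config above (not Komodo's real types).
pub struct CorsConfig {
    pub allowed_origins: Vec<String>,
    pub allow_credentials: bool,
}

/// Headers the server would attach to a response for a given request `Origin`.
#[derive(Debug, PartialEq, Eq)]
pub struct CorsHeaders {
    /// Access-Control-Allow-Origin; `None` means the header is omitted (origin refused).
    pub allow_origin: Option<String>,
    /// Access-Control-Allow-Credentials: true
    pub allow_credentials: bool,
    /// Vary: Origin, required whenever the response depends on the request's Origin.
    pub vary_origin: bool,
}

/// Startup check: credentials together with a wildcard origin is a configuration error,
/// not a permissive setting. Browsers reject `Access-Control-Allow-Origin: *` on a
/// credentialed request, so the flag would silently do nothing.
pub fn validate_cors_config(cfg: &CorsConfig) -> Result<(), String> {
    if cfg.allowed_origins.is_empty() && cfg.allow_credentials {
        return Err("cors_allow_credentials = true requires an explicit cors_allowed_origins list; \
                    browsers reject credentials together with a `*` origin"
            .to_string());
    }
    for o in &cfg.allowed_origins {
        // An origin is scheme://host[:port] with no path. A trailing slash or a bare
        // hostname never matches the browser's serialized Origin header, which is an
        // easy way to lock a UI out. A literal "*" entry is refused here because the
        // wildcard is expressed by leaving the list empty (assumption of this example).
        if o == "*" || o.ends_with('/') || !o.contains("://") {
            return Err(format!("invalid origin in cors_allowed_origins: {o:?}"));
        }
    }
    Ok(())
}

/// Decide the CORS headers for one request.
pub fn cors_response_headers(cfg: &CorsConfig, request_origin: Option<&str>) -> CorsHeaders {
    if cfg.allowed_origins.is_empty() {
        // Empty list = allow all origins. Credentials are never echoed in this mode.
        return CorsHeaders {
            allow_origin: Some("*".to_string()),
            allow_credentials: false,
            vary_origin: false,
        };
    }
    match request_origin {
        // Exact match against the serialized origin. Echo the origin back instead of `*`
        // so credentials can be allowed, and set Vary so caches keep per-origin copies.
        Some(origin) if cfg.allowed_origins.iter().any(|a| a == origin) => CorsHeaders {
            allow_origin: Some(origin.to_string()),
            allow_credentials: cfg.allow_credentials,
            vary_origin: true,
        },
        // Unknown or missing Origin: send no Allow-Origin header, the browser blocks the read.
        _ => CorsHeaders {
            allow_origin: None,
            allow_credentials: false,
            vary_origin: true,
        },
    }
}

fn main() {
    // Weak setting: wildcard plus credentials, caught at startup.
    let open = CorsConfig { allowed_origins: vec![], allow_credentials: true };
    println!("open config: {:?}", validate_cors_config(&open));

    // Corrected setting: explicit origin, credentials allowed only for it.
    let strict = CorsConfig {
        allowed_origins: vec!["https://komodo.example.com".to_string()],
        allow_credentials: true,
    };
    println!("strict config: {:?}", validate_cors_config(&strict));
    for origin in ["https://komodo.example.com", "https://evil.example"] {
        println!("{origin} -> {:?}", cors_response_headers(&strict, Some(origin)));
    }
}
```

Run the check once at startup and refuse to boot on `Err`, which turns a silently broken credentials setting into a visible misconfiguration.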

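As an added example (not Komodo's code, which this page does not show), the std-only Rust sketch below puts together the behaviour the rate limiting section describes: client IP taken from X-Forwarded-For, then X-Real-IP, then the socket peer; a per-IP counter of failed attempts within a fixed window; the remaining-attempts warning on each failure; a block until the window ends; and a reset on successful authentication. The type names, the fixed-window strategy and the unix-seconds `now` parameter (passed in so the logic is deterministic) are assumptions of the example. One caveat the header order implies: the leftmost X-Forwarded-For entry is whatever the client sent unless the proxy overwrites the header, so the limiter must only be reachable through a proxy that does, otherwise an attacker can pick a fresh address per request and never trip the limit.

```rust
use std::collections::HashMap;
use std::net::{IpAddr, SocketAddr};

/// Outcome reported to the caller for an authentication attempt from one IP.
#[derive(Debug, PartialEq, Eq)]
pub enum AuthRateLimit {
    /// Attempt may proceed; `remaining` failures are left in the current window.
    Allowed { remaining: u32 },
    /// Attempts exhausted; the IP is refused until the window ends.
    Blocked { retry_after_secs: u64 },
}

/// Fixed-window counter of failed attempts per client IP (assumed strategy).
pub struct AuthRateLimiter {
    max_attempts: u32,
    window_secs: u64,
    /// Per-IP state: (window start in unix seconds, failed attempts in that window).
    state: HashMap<IpAddr, (u64, u32)>,
}

impl AuthRateLimiter {
    /// Mirrors auth_rate_limit_max_attempts and auth_rate_limit_window_seconds.
    pub fn new(max_attempts: u32, window_secs: u64) -> Self {
        Self { max_attempts, window_secs, state: HashMap::new() }
    }

    /// Called before credentials are evaluated: a blocked IP is refused outright,
    /// so the credential check itself is never reached.
    pub fn check(&mut self, ip: IpAddr, now: u64) -> AuthRateLimit {
        if let Some(&(start, count)) = self.state.get(&ip) {
            if now < start + self.window_secs {
                return if count >= self.max_attempts {
                    AuthRateLimit::Blocked { retry_after_secs: start + self.window_secs - now }
                } else {
                    AuthRateLimit::Allowed { remaining: self.max_attempts - count }
                };
            }
            self.state.remove(&ip); // window ended, forget the old count
        }
        AuthRateLimit::Allowed { remaining: self.max_attempts }
    }

    /// Called after a credential check fails; returns the warning for the response.
    pub fn record_failure(&mut self, ip: IpAddr, now: u64) -> AuthRateLimit {
        let (window, max) = (self.window_secs, self.max_attempts);
        let entry = self.state.entry(ip).or_insert((now, 0));
        if now >= entry.0 + window {
            *entry = (now, 0); // previous window expired, start a fresh one here
        }
        entry.1 += 1;
        if entry.1 >= max {
            AuthRateLimit::Blocked { retry_after_secs: entry.0 + window - now }
        } else {
            AuthRateLimit::Allowed { remaining: max - entry.1 }
        }
    }

    /// A successful login clears the counter for that IP.
    pub fn record_success(&mut self, ip: IpAddr) {
        self.state.remove(&ip);
    }
}

/// Case-insensitive header lookup over (name, value) pairs as received.
fn header<'a>(headers: &[(&'a str, &'a str)], name: &str) -> Option<&'a str> {
    headers.iter().find(|(n, _)| n.eq_ignore_ascii_case(name)).map(|(_, v)| *v)
}

/// Client IP in the order the PR describes: X-Forwarded-For, then X-Real-IP, then peer.
/// X-Forwarded-For is "client, proxy1, proxy2"; the leftmost entry is the client as
/// recorded by the first proxy, trustworthy only if that proxy overwrites the header.
pub fn client_ip(headers: &[(&str, &str)], peer: SocketAddr) -> IpAddr {
    if let Some(xff) = header(headers, "x-forwarded-for") {
        if let Some(ip) = xff.split(',').next().and_then(|s| s.trim().parse().ok()) {
            return ip;
        }
    }
    if let Some(ip) = header(headers, "x-real-ip").and_then(|v| v.trim().parse().ok()) {
        return ip;
    }
    peer.ip()
}

fn main() {
    let mut limiter = AuthRateLimiter::new(5, 60);
    let peer: SocketAddr = "10.0.0.1:51234".parse().unwrap();
    // Constructed headers as a reverse proxy would forward them (not captured traffic).
    let headers = [("X-Forwarded-For", "203.0.113.7, 10.0.0.1"), ("X-Real-IP", "203.0.113.7")];
    let ip = client_ip(&headers, peer);
    for t in 0..6u64 {
        println!("t={t}s {ip}: {:?}", limiter.record_failure(ip, 1000 + t));
    }
    println!("after window: {:?}", limiter.check(ip, 1061));
}
```

In a real middleware the `check` result decides whether to touch the credential store at all, and the `Blocked` variant maps naturally onto a 429 with a Retry-After header; the generic error body from the "Other" list below pairs with it, since a response that distinguishes "no such user" from "wrong password" would hand back exactly the information the limiter is meant to make expensive.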