feat(security): apply rate limiting to OAuth endpoints

nickytonline · claude · nickytonline · commit cf39df241abf · 2025-10-08T11:18:12.000-04:00
- Apply comprehensive rate limiting to /oauth/authorize and callback endpoints (100 req/15min) - Apply stricter rate limiting to /oauth/token endpoint (10 req/15min) - Include structured logging for rate limit violations with IP and user agent tracking - Use JSON-RPC 2.0 compliant error responses for rate limit exceeded scenarios - Protect against OAuth abuse and brute force attacks 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/src/index.ts b/src/index.ts
@@ -1,4 +1,5 @@
 import express from "express";
+import rateLimit from "express-rate-limit";
 import { randomUUID } from "node:crypto";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
@@ -151,6 +152,68 @@ const mcpHandler = async (req: express.Request, res: express.Response) => {
 const config = getConfig();
 let oauthProvider: OAuthProvider | null = null;
 
+// Rate limiting for OAuth endpoints
+const oauthRateLimit = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 100, // Limit each IP to 100 requests per windowMs
+  message: {
+    jsonrpc: "2.0",
+    id: null,
+    error: {
+      code: -32000,
+      message: "Too many requests, please try again later"
+    }
+  },
+  standardHeaders: true,
+  legacyHeaders: false,
+  handler: (req, res) => {
+    logger.warn("Rate limit exceeded for OAuth endpoint", {
+      ip: req.ip,
+      path: req.path,
+      userAgent: req.get('User-Agent')
+    });
+    res.status(429).json({
+      jsonrpc: "2.0",
+      id: null,
+      error: {
+        code: -32000,
+        message: "Too many requests, please try again later"
+      }
+    });
+  }
+});
+
+// Stricter rate limiting for token endpoint
+const tokenRateLimit = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 10, // Limit each IP to 10 token requests per windowMs
+  message: {
+    jsonrpc: "2.0",
+    id: null,
+    error: {
+      code: -32000,
+      message: "Too many token requests, please try again later"
+    }
+  },
+  standardHeaders: true,
+  legacyHeaders: false,
+  handler: (req, res) => {
+    logger.warn("Rate limit exceeded for token endpoint", {
+      ip: req.ip,
+      path: req.path,
+      userAgent: req.get('User-Agent')
+    });
+    res.status(429).json({
+      jsonrpc: "2.0",
+      id: null,
+      error: {
+        code: -32000,
+        message: "Too many token requests, please try again later"
+      }
+    });
+  }
+});
+
 // Setup OAuth endpoints and provider when authentication is enabled
 if (config.ENABLE_AUTH) {
   const baseUrl = config.BASE_URL;
@@ -170,9 +233,9 @@ if (config.ENABLE_AUTH) {
   // Extract path from redirect URI for route registration
   const redirectPath = new URL(config.OAUTH_REDIRECT_URI!).pathname;
   
-  app.get("/oauth/authorize", createAuthorizeHandler());
-  app.get(redirectPath, createCallbackHandler(oauthProvider));
-  app.post("/oauth/token", express.urlencoded({ extended: true }), createTokenHandler(oauthProvider));
+  app.get("/oauth/authorize", oauthRateLimit, createAuthorizeHandler());
+  app.get(redirectPath, oauthRateLimit, createCallbackHandler(oauthProvider));
+  app.post("/oauth/token", tokenRateLimit, express.urlencoded({ extended: true }), createTokenHandler(oauthProvider));
   
   logger.info("OAuth 2.1 endpoints registered", { 
     discovery: [
