fix:/ add api protections :3

2026-05-14 16:02:56 +01:00
parent 0ca2dcdcf2
commit a4931d3bbc
4 changed files with 231 additions and 12 deletions
+27 -2
@@ -33,8 +33,18 @@ npm run build
pm2 start ecosystem.config.cjs
```
The production server runs on <http://localhost:3001> and proxies `/api/*` plus
`/health` to `API_UPSTREAM`, which defaults to `http://127.0.0.1:6000`.
The production server runs on <http://localhost:3010>. It serves `/health`
locally and only proxies the API routes used by the app:
- `GET /api/tss/leaderboard/teams?limit=1..100`
- `GET /api/tss/teams/resolve?name=...`
- `GET /api/tss/teams/:team`
- `GET /api/tss/teams/:team/history`
- `GET /api/tss/teams/:team/games`
The proxy blocks cross-origin/API-navigation requests, strips CORS headers from
the upstream response, rate limits callers, and caches successful GET responses
briefly so public page traffic does not hammer the upstream API.
Override the API target before starting PM2 if needed:
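Review bot: the new server paragraph drops the default upstream target (`http://127.0.0.1:6000`) that the removed line stated, so the "Override the API target before starting PM2 if needed" sentence that follows no longer tells the reader what they are overriding; keep the default in the new text, e.g. "... proxies the API routes used by the app to `API_UPSTREAM`, which defaults to `http://127.0.0.1:6000`". The port also changes from 3001 to 3010 here, which is only correct if `ecosystem.config.cjs` and any reverse-proxy configuration were updated in the same commit (not visible in this hunk). "Blocks cross-origin/API-navigation requests" and "rate limits callers" would each benefit from one clause on the mechanism: which request headers the cross-origin check inspects, and whether the limiter keys on the socket address or on a forwarded client address. Finally, `limit=1..100` should say whether out-of-range values are rejected or clamped.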
@@ -42,6 +52,21 @@ Override the API target before starting PM2 if needed:
API_UPSTREAM=http://127.0.0.1:8080 pm2 start ecosystem.config.cjs
```
Set `PUBLIC_ORIGIN` to the public site origin in production, especially behind a
reverse proxy:
```sh
PUBLIC_ORIGIN=https://your-domain.example pm2 start ecosystem.config.cjs
```
Optional API protection tuning:
```sh
API_CACHE_TTL_MS=15000
API_RATE_LIMIT_WINDOW_MS=60000
API_RATE_LIMIT_MAX=120
```
## GitHub webhook
The webhook process listens on port `3011` at `/github`. Configure GitHub to send
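Review bot: the "Optional API protection tuning" block shows three values without saying whether they are the defaults or merely example overrides, or what response a caller over the limit receives; state both, and spell out what the values mean together (as shown, 120 requests per 60 s window per caller, and a 15 s cache for successful GETs). Since `PUBLIC_ORIGIN` is recommended "especially behind a reverse proxy", the same section should say how the rate limiter identifies a caller in that deployment: keyed on the socket address, every visitor behind the proxy shares one bucket; keyed on `X-Forwarded-For`, the header must be trusted only when it comes from the proxy. It would also help to note that the cache applies only to the allowlisted GET routes and whether query parameters such as `limit` and `name` are part of the cache key, which the hunk leaves unstated.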