Remove hsts from helmet and apply new pin status check limits

src/app.js

@@ -17,7 +17,7 @@ const logger = require('./utils/logger');
 const { ensureDirectoryExists } = require('./utils/fileUtils');
 const { getHelmetConfig, requirePin } = require('./middleware/security');
 const { safeCompare } = require('./utils/security');
-const { initUploadLimiter, pinVerifyLimiter, downloadLimiter } = require('./middleware/rateLimiter');
+const { initUploadLimiter, pinVerifyLimiter, pinStatusLimiter, downloadLimiter } = require('./middleware/rateLimiter');
 const { injectDemoBanner, demoMiddleware } = require('./utils/demoMode');
 const { originValidationMiddleware, getCorsOptions } = require('./middleware/cors');
 
@@ -41,6 +41,7 @@ app.use((req, res, next) => {
   const publicPaths = [
     '/login',
     '/login.html',
+    '/api/auth/logout',
     '/api/auth/verify-pin',
     '/api/auth/pin-required',
     '/api/auth/pin-length',
@@ -71,6 +72,9 @@ const fileRoutes = require('./routes/files');
 const authRoutes = require('./routes/auth');
 
 // Use routes with appropriate middleware
+// Apply strict rate limiting to PIN verification, but more permissive to status checks
+app.use('/api/auth/pin-required', pinStatusLimiter);
+app.use('/api/auth/logout', pinStatusLimiter);
 app.use('/api/auth', pinVerifyLimiter, authRoutes);
 app.use('/api/upload', requirePin(config.pin), initUploadLimiter, uploadRouter);
 app.use('/api/files', requirePin(config.pin), downloadLimiter, fileRoutes);

src/middleware/rateLimiter.js

@@ -48,7 +48,7 @@ const chunkUploadLimiter = createLimiter({
 
 /**
  * Rate limiter for PIN verification attempts
- * Prevents brute force attacks
+ * Prevents brute force attacks on actual PIN verification
  */
 const pinVerifyLimiter = createLimiter({
   windowMs: 15 * 60 * 1000, // 15 minutes
@@ -57,6 +57,24 @@ const pinVerifyLimiter = createLimiter({
     error: 'Too many PIN verification attempts. Please try again later.'
   },
   standardHeaders: true,
+  legacyHeaders: false,
+  // Apply strict rate limiting only to PIN verification, not PIN status checks
+  skip: (req) => {
+    return req.path === '/pin-required'; // Skip rate limiting for PIN requirement checks
+  }
+});
+
+/**
+ * Rate limiter for PIN status checks
+ * More permissive for checking if PIN is required
+ */
+const pinStatusLimiter = createLimiter({
+  windowMs: 60 * 1000, // 1 minute window
+  max: 30, // 30 requests per minute
+  message: {
+    error: 'Too many requests. Please wait before trying again.'
+  },
+  standardHeaders: true,
   legacyHeaders: false
 });
 
@@ -78,5 +96,6 @@ module.exports = {
   initUploadLimiter,
   chunkUploadLimiter,
   pinVerifyLimiter,
+  pinStatusLimiter,
   downloadLimiter
 }; 

src/middleware/security.js

@@ -48,16 +48,19 @@ const BASE_URL = process.env.BASE_URL || `http://localhost:${PORT}`;
 // }
 
 function getHelmetConfig() {
+  // const isSecure = BASE_URL.startsWith('https://');
+  
   return {
     noSniff: true, // Prevent MIME type sniffing
     frameguard: { action: 'deny' }, // Prevent clickjacking
-    hsts: { maxAge: 31536000, includeSubDomains: true }, // Enforce HTTPS for one year
+    crossOriginEmbedderPolicy: false, // Disable for local network access
-    crossOriginEmbedderPolicy: true,
+    crossOriginOpenerPolicy: false, // Disable to prevent warnings on HTTP
-    crossOriginOpenerPolicy: { policy: 'same-origin-allow-popups' },
+    crossOriginResourcePolicy: { policy: 'cross-origin' }, // Allow cross-origin for local network
-    crossOriginResourcePolicy: { policy: 'same-origin' },
     referrerPolicy: { policy: 'no-referrer-when-downgrade' }, // Set referrer policy
     ieNoOpen: true, // Prevent IE from executing downloads
+    // hsts: isSecure ? { maxAge: 31536000, includeSubDomains: true } : false, // Only enforce HTTPS if using HTTPS
     // Disabled Helmet middlewares:
+    hsts: false,
     contentSecurityPolicy: false, // Disable CSP for now
     dnsPrefetchControl: true, // Disable DNS prefetching
     permittedCrossDomainPolicies: false,