security: audit rate limits, fix IDOR on deleteMemory, clean up phantom reads

van-reflect · van-reflect · commit faf417539d18 · 2026-03-22T20:19:16.000-07:00
Three-vulnerability audit based on common automated security mistakes:

1. RATE LIMITING - every route now has explicit per-route limits:
   Memory writes: 30/min, reads: 30-60/min, restore: 10/min,
   whoami/chat-models: 30/min, Stripe webhook: 100 to 30/min.

2. IDOR FIX - deleteMemory now verifies user_id ownership BEFORE
   deleting memory_versions. Previously an attacker could wipe
   another users version history by guessing a UUID.

3. ROW-LEVEL SECURITY - full audit confirmed all queries enforce
   WHERE user_id = ?. No cross-user data access possible.

4. MIGRATION 017 - resets phantom read counts for users with
   0 writes and 0 memories (inflated by idle dashboard polling).
diff --git a/src/index.ts b/src/index.ts
@@ -513,6 +513,43 @@ if (!db.prepare(`SELECT 1 FROM _migrations WHERE name = ?`).get(adminPlanMigrati
   console.log("[migration] Set admin users to admin plan (unlimited)");
 }
 
+const phantomReadsMigration = "017_reset_phantom_reads";
+if (!db.prepare(`SELECT 1 FROM _migrations WHERE name = ?`).get(phantomReadsMigration)) {
+  // Users with 0 writes and 0 memories had all reads generated by idle
+  // dashboard polling against empty accounts. Reset to accurate counts.
+  const result = db.prepare(`
+    UPDATE monthly_usage
+    SET reads = 0, total_ops = writes + queries
+    WHERE user_id IN (
+      SELECT mu.user_id FROM monthly_usage mu
+      JOIN users u ON u.id = mu.user_id
+      WHERE mu.writes = 0
+        AND (SELECT COUNT(*) FROM memories m WHERE m.user_id = mu.user_id AND m.deleted_at IS NULL) = 0
+        AND mu.reads > 0
+    )
+  `).run();
+  if (result.changes > 0) {
+    console.log(`[migration] Reset phantom reads for ${result.changes} monthly_usage rows`);
+  }
+  // Also clean the usage_events table for accuracy
+  const evtResult = db.prepare(`
+    DELETE FROM usage_events
+    WHERE operation = 'memory_read'
+      AND user_id IN (
+        SELECT u.id FROM users u
+        WHERE (SELECT COUNT(*) FROM memories m WHERE m.user_id = u.id AND m.deleted_at IS NULL) = 0
+          AND (SELECT COUNT(*) FROM usage_events ue WHERE ue.user_id = u.id AND ue.operation = 'memory_write') = 0
+      )
+  `).run();
+  if (evtResult.changes > 0) {
+    console.log(`[migration] Deleted ${evtResult.changes} phantom read events`);
+  }
+  db.prepare(`INSERT INTO _migrations (name, applied_at) VALUES (?, ?)`).run(
+    phantomReadsMigration,
+    new Date().toISOString(),
+  );
+}
+
 const ownerEmail = optionalEnv("RM_OWNER_EMAIL", "").toLowerCase();
 
 let userId: string;
diff --git a/src/memory-service.ts b/src/memory-service.ts
@@ -668,6 +668,13 @@ export function deleteMemory(
   memoryId: string,
 ): boolean {
   const txn = db.transaction(() => {
+    // Verify ownership BEFORE touching memory_versions to prevent
+    // cross-user version deletion via guessed memory_id (IDOR).
+    const owns = db
+      .prepare(`SELECT 1 FROM memories WHERE id = ? AND user_id = ?`)
+      .get(memoryId, userId);
+    if (!owns) return false;
+
     db.prepare(`DELETE FROM memory_versions WHERE memory_id = ?`).run(memoryId);
     const result = db
       .prepare(`DELETE FROM memories WHERE id = ? AND user_id = ?`)
diff --git a/src/server.ts b/src/server.ts
@@ -835,7 +835,7 @@ export async function createServer(config: ServerConfig): Promise<FastifyInstanc
   // No sensitive data. Just what the server sees for this key.
   // ===========================================================================
 
-  server.get("/whoami", async (request) => {
+  server.get("/whoami", { config: { rateLimit: { max: 30, timeWindow: "1 minute" } } }, async (request) => {
     return {
       role: request.role,
       vendor: request.vendor,
@@ -1138,6 +1138,7 @@ export async function createServer(config: ServerConfig): Promise<FastifyInstanc
       schema: {
         body: memoryBodySchema,
       },
+      config: { rateLimit: { max: 30, timeWindow: "1 minute" } },
     },
     async (request, reply) => {
       const body = request.body as {
@@ -1185,6 +1186,7 @@ export async function createServer(config: ServerConfig): Promise<FastifyInstanc
       schema: {
         body: agentMemoryBodySchema,
       },
+      config: { rateLimit: { max: 30, timeWindow: "1 minute" } },
     },
     async (request, reply) => {
       const body = request.body as {
@@ -1232,7 +1234,7 @@ export async function createServer(config: ServerConfig): Promise<FastifyInstanc
   // agent's own writes.
   // ===========================================================================
 
-  server.get("/agent/memories/latest", async (request, reply) => {
+  server.get("/agent/memories/latest", { config: { rateLimit: { max: 60, timeWindow: "1 minute" } } }, async (request, reply) => {
     const vendorFilter = request.vendor;
     const query = request.query as { tag?: string; origin?: string };
     const tag = query.tag?.trim();
@@ -1278,6 +1280,7 @@ export async function createServer(config: ServerConfig): Promise<FastifyInstanc
       schema: {
         params: memoryIdParamSchema,
       },
+      config: { rateLimit: { max: 60, timeWindow: "1 minute" } },
     },
     async (request, reply) => {
       const { id } = request.params as { id: string };
@@ -1328,6 +1331,7 @@ export async function createServer(config: ServerConfig): Promise<FastifyInstanc
           },
         },
       },
+      config: { rateLimit: { max: 30, timeWindow: "1 minute" } },
     },
     async (request) => {
       const { tags, limit, offset } = request.body as {
@@ -1381,6 +1385,7 @@ export async function createServer(config: ServerConfig): Promise<FastifyInstanc
       schema: {
         body: browseBodySchema,
       },
+      config: { rateLimit: { max: 30, timeWindow: "1 minute" } },
     },
     async (request) => {
       const { filter, limit, offset } = request.body as {
@@ -1419,6 +1424,7 @@ export async function createServer(config: ServerConfig): Promise<FastifyInstanc
       schema: {
         params: memoryIdParamSchema,
       },
+      config: { rateLimit: { max: 60, timeWindow: "1 minute" } },
     },
     async (request, reply) => {
       const { id } = request.params as { id: string };
@@ -1442,6 +1448,7 @@ export async function createServer(config: ServerConfig): Promise<FastifyInstanc
       schema: {
         body: listFilterBodySchema,
       },
+      config: { rateLimit: { max: 30, timeWindow: "1 minute" } },
     },
     async (request) => {
       const body = request.body as {
@@ -1478,6 +1485,7 @@ export async function createServer(config: ServerConfig): Promise<FastifyInstanc
         params: memoryIdParamSchema,
         body: updateMemoryBodySchema,
       },
+      config: { rateLimit: { max: 30, timeWindow: "1 minute" } },
     },
     async (request, reply) => {
       const { id } = request.params as { id: string };
@@ -1522,6 +1530,7 @@ export async function createServer(config: ServerConfig): Promise<FastifyInstanc
       schema: {
         params: memoryIdParamSchema,
       },
+      config: { rateLimit: { max: 30, timeWindow: "1 minute" } },
     },
     async (request, reply) => {
       const { id } = request.params as { id: string };
@@ -1544,6 +1553,7 @@ export async function createServer(config: ServerConfig): Promise<FastifyInstanc
       schema: {
         params: memoryIdParamSchema,
       },
+      config: { rateLimit: { max: 10, timeWindow: "1 minute" } },
     },
     async (request, reply) => {
       const { id } = request.params as { id: string };
@@ -1640,7 +1650,7 @@ export async function createServer(config: ServerConfig): Promise<FastifyInstanc
   // populate the model selector.
   // ===========================================================================
 
-  server.get("/chat/models", async () => {
+  server.get("/chat/models", { config: { rateLimit: { max: 30, timeWindow: "1 minute" } } }, async () => {
     const available = AVAILABLE_MODELS.filter((m) => {
       switch (m.id) {
         case "gpt-4o":
@@ -2304,7 +2314,7 @@ export async function createServer(config: ServerConfig): Promise<FastifyInstanc
     "/webhooks/stripe",
     {
       config: {
-        rateLimit: { max: 100, timeWindow: "1 minute" },
+        rateLimit: { max: 30, timeWindow: "1 minute" },
         rawBody: true,
       },
     },
