Add security middleware for logging, rate limiting, and concurrency control (issue #5)

Implements optional request logging, rate limiting, and concurrency limiting
middleware to prevent abuse and DoS attacks on server routes.

Features:
- LoggingMiddleware: Optional audit trail for all route invocations
- RateLimitMiddleware: Sliding window rate limiting per route
- ConcurrencyLimitMiddleware: Limits parallel handler execution

All middleware are optional and can be combined. Includes comprehensive tests
covering logging, rate enforcement, window expiration, concurrency limiting,
and middleware composition.

Security audit issue: fastmcpp #5 (minimal logging/limits on server hooks)

Author: 0xeb

CMakeLists.txt

@@ -25,6 +25,7 @@ add_library(fastmcpp_core
     src/server/server.cpp
     src/server/context.cpp
     src/server/middleware.cpp
+    src/server/security_middleware.cpp
     src/server/http_server.cpp
     src/server/stdio_server.cpp
     src/server/sse_server.cpp
@@ -262,6 +263,10 @@ if(FASTMCPP_BUILD_TESTS)
   target_link_libraries(fastmcpp_server_auth_cors_security PRIVATE fastmcpp_core)
   add_test(NAME fastmcpp_server_auth_cors_security COMMAND fastmcpp_server_auth_cors_security)
 
+  add_executable(fastmcpp_server_security_middleware tests/server/security_middleware.cpp)
+  target_link_libraries(fastmcpp_server_security_middleware PRIVATE fastmcpp_core)
+  add_test(NAME fastmcpp_server_security_middleware COMMAND fastmcpp_server_security_middleware)
+
   add_executable(fastmcpp_client_transports tests/client/transports.cpp)
   target_link_libraries(fastmcpp_client_transports PRIVATE fastmcpp_core)
   add_test(NAME fastmcpp_client_transports COMMAND fastmcpp_client_transports)

include/fastmcpp/server/security_middleware.hpp

@@ -0,0 +1,148 @@
+#pragma once
+#include "fastmcpp/server/middleware.hpp"
+#include "fastmcpp/types.hpp"
+
+#include <atomic>
+#include <chrono>
+#include <deque>
+#include <functional>
+#include <mutex>
+#include <string>
+#include <unordered_map>
+
+namespace fastmcpp::server
+{
+
+/// Log entry for a request
+struct RequestLogEntry
+{
+    std::chrono::system_clock::time_point timestamp;
+    std::string route;
+    size_t payload_size;
+    bool success;
+    std::string error_message; // Empty if success
+};
+
+/// Logging callback function type
+using LogCallback = std::function<void(const RequestLogEntry&)>;
+
+/// Logging middleware for audit trail (v2.13.0+)
+///
+/// Provides optional request logging to track all route/tool invocations.
+/// Can be used as both BeforeHook and AfterHook for comprehensive logging.
+///
+/// Usage:
+/// ```cpp
+/// auto logger = std::make_shared<LoggingMiddleware>(
+///     [](const RequestLogEntry& entry) {
+///         std::cout << entry.timestamp << " " << entry.route << std::endl;
+///     });
+/// srv.add_before(logger->create_before_hook());
+/// srv.add_after(logger->create_after_hook());
+/// ```
+class LoggingMiddleware
+{
+  public:
+    explicit LoggingMiddleware(LogCallback callback) : callback_(std::move(callback))
+    {
+    }
+
+    /// Create a BeforeHook that logs incoming requests
+    BeforeHook create_before_hook();
+
+    /// Create an AfterHook that logs completed requests
+    AfterHook create_after_hook();
+
+  private:
+    LogCallback callback_;
+    std::mutex mutex_;
+    std::unordered_map<std::string, size_t> request_sizes_; // Track sizes for after hook
+};
+
+/// Rate limiting middleware for DoS prevention (v2.13.0+)
+///
+/// Enforces per-route request limits using a sliding window algorithm.
+/// Rejects requests that exceed the configured rate.
+///
+/// Usage:
+/// ```cpp
+/// auto limiter = std::make_shared<RateLimitMiddleware>(
+///     100,  // max requests
+///     std::chrono::minutes(1)  // per time window
+/// );
+/// srv.add_before(limiter->create_hook());
+/// ```
+class RateLimitMiddleware
+{
+  public:
+    /// Construct rate limiter
+    /// @param max_requests Maximum requests allowed in time window
+    /// @param window Time window for rate limiting
+    RateLimitMiddleware(size_t max_requests,
+                        std::chrono::steady_clock::duration window = std::chrono::minutes(1))
+        : max_requests_(max_requests), window_(window)
+    {
+    }
+
+    /// Create a BeforeHook that enforces rate limits
+    BeforeHook create_hook();
+
+    /// Get current request count for a route
+    size_t get_request_count(const std::string& route);
+
+    /// Reset rate limit counters (for testing)
+    void reset();
+
+  private:
+    size_t max_requests_;
+    std::chrono::steady_clock::duration window_;
+    std::mutex mutex_;
+
+    struct RouteStats
+    {
+        std::deque<std::chrono::steady_clock::time_point> timestamps;
+    };
+
+    std::unordered_map<std::string, RouteStats> stats_;
+
+    void cleanup_old_entries(RouteStats& stats);
+};
+
+/// Concurrency limiting middleware for resource control (v2.13.0+)
+///
+/// Limits the number of concurrent route handler executions.
+/// Uses atomic counters for thread-safe tracking.
+///
+/// Usage:
+/// ```cpp
+/// auto limiter = std::make_shared<ConcurrencyLimitMiddleware>(10);  // Max 10 parallel
+/// srv.add_before(limiter->create_before_hook());
+/// srv.add_after(limiter->create_after_hook());
+/// ```
+class ConcurrencyLimitMiddleware
+{
+  public:
+    /// Construct concurrency limiter
+    /// @param max_concurrent Maximum number of concurrent handler executions
+    explicit ConcurrencyLimitMiddleware(size_t max_concurrent) : max_concurrent_(max_concurrent)
+    {
+    }
+
+    /// Create a BeforeHook that checks concurrency limit
+    BeforeHook create_before_hook();
+
+    /// Create an AfterHook that releases concurrency slot
+    AfterHook create_after_hook();
+
+    /// Get current concurrent request count
+    size_t get_current_count() const
+    {
+        return current_count_.load();
+    }
+
+  private:
+    size_t max_concurrent_;
+    std::atomic<size_t> current_count_{0};
+};
+
+} // namespace fastmcpp::server

src/server/security_middleware.cpp

@@ -0,0 +1,160 @@
+#include "fastmcpp/server/security_middleware.hpp"
+
+#include "fastmcpp/exceptions.hpp"
+
+#include <algorithm>
+#include <sstream>
+
+namespace fastmcpp::server
+{
+
+// LoggingMiddleware implementation
+
+BeforeHook LoggingMiddleware::create_before_hook()
+{
+    return [this](const std::string& route, const Json& payload) -> std::optional<Json>
+    {
+        std::lock_guard<std::mutex> lock(mutex_);
+
+        // Store payload size for correlation with after hook
+        size_t payload_size = payload.dump().size();
+        request_sizes_[route] = payload_size;
+
+        // Log the incoming request
+        RequestLogEntry entry;
+        entry.timestamp = std::chrono::system_clock::now();
+        entry.route = route;
+        entry.payload_size = payload_size;
+        entry.success = true; // Will be updated in after hook if there's an error
+        entry.error_message = "";
+
+        if (callback_)
+            callback_(entry);
+
+        return std::nullopt; // Continue to normal handler
+    };
+}
+
+AfterHook LoggingMiddleware::create_after_hook()
+{
+    return [this](const std::string& route, const Json& /*payload*/, Json& response)
+    {
+        std::lock_guard<std::mutex> lock(mutex_);
+
+        // Log the completed request
+        RequestLogEntry entry;
+        entry.timestamp = std::chrono::system_clock::now();
+        entry.route = route;
+        entry.payload_size = request_sizes_[route]; // Get stored size
+        entry.success = !response.contains("error");
+        entry.error_message =
+            response.contains("error") ? response["error"].dump() : std::string();
+
+        if (callback_)
+            callback_(entry);
+
+        // Clean up stored size
+        request_sizes_.erase(route);
+    };
+}
+
+// RateLimitMiddleware implementation
+
+void RateLimitMiddleware::cleanup_old_entries(RouteStats& stats)
+{
+    auto now = std::chrono::steady_clock::now();
+    auto cutoff = now - window_;
+
+    // Remove timestamps older than the window
+    while (!stats.timestamps.empty() && stats.timestamps.front() < cutoff)
+    {
+        stats.timestamps.pop_front();
+    }
+}
+
+BeforeHook RateLimitMiddleware::create_hook()
+{
+    return [this](const std::string& route, const Json& /*payload*/) -> std::optional<Json>
+    {
+        std::lock_guard<std::mutex> lock(mutex_);
+
+        auto& stats = stats_[route];
+        cleanup_old_entries(stats);
+
+        // Check if rate limit exceeded
+        if (stats.timestamps.size() >= max_requests_)
+        {
+            // Return rate limit error
+            return Json{{"error",
+                         Json{{"code", -32000}, // JSON-RPC server error
+                              {"message", "Rate limit exceeded for route: " + route},
+                              {"data",
+                               Json{{"route", route},
+                                    {"limit", max_requests_},
+                                    {"window_seconds",
+                                     std::chrono::duration_cast<std::chrono::seconds>(window_).count()},
+                                    {"current_count", stats.timestamps.size()}}}}}};
+        }
+
+        // Record this request
+        stats.timestamps.push_back(std::chrono::steady_clock::now());
+
+        return std::nullopt; // Continue to normal handler
+    };
+}
+
+size_t RateLimitMiddleware::get_request_count(const std::string& route)
+{
+    std::lock_guard<std::mutex> lock(mutex_);
+    auto it = stats_.find(route);
+    if (it == stats_.end())
+        return 0;
+
+    cleanup_old_entries(it->second);
+    return it->second.timestamps.size();
+}
+
+void RateLimitMiddleware::reset()
+{
+    std::lock_guard<std::mutex> lock(mutex_);
+    stats_.clear();
+}
+
+// ConcurrencyLimitMiddleware implementation
+
+BeforeHook ConcurrencyLimitMiddleware::create_before_hook()
+{
+    return [this](const std::string& route, const Json& /*payload*/) -> std::optional<Json>
+    {
+        size_t current = current_count_.fetch_add(1);
+
+        // Check if we exceeded the limit
+        if (current >= max_concurrent_)
+        {
+            // Rollback the increment
+            current_count_.fetch_sub(1);
+
+            // Return concurrency limit error
+            return Json{{"error",
+                         Json{{"code", -32000}, // JSON-RPC server error
+                              {"message", "Concurrency limit exceeded"},
+                              {"data",
+                               Json{{"route", route},
+                                    {"limit", max_concurrent_},
+                                    {"current", current}}}}}};
+        }
+
+        return std::nullopt; // Continue to normal handler
+    };
+}
+
+AfterHook ConcurrencyLimitMiddleware::create_after_hook()
+{
+    return [this](const std::string& /*route*/, const Json& /*payload*/, Json& /*response*/)
+    {
+        // Decrement the counter when handler completes
+        current_count_.fetch_sub(1);
+    };
+}
+
+} // namespace fastmcpp::server