fix: session limits, Secure cookies, credential storage bounds

HIGH fixes:
- Session and magic link maps bounded (10k max) with TTL-based cleanup
  and automatic eviction of expired entries
- setCookie() now includes Secure flag (HTTPS-only transport)
- WebAuthn credential storage bounded: 10 per user, 50k total users
- Added createdAt tracking to SessionToken for TTL enforcement

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: vveerrgg

src/server/index.ts

@@ -9,6 +9,15 @@ import type {
 } from '../types/auth';
 
 export class NostrBiometricServer {
+  /** Maximum number of concurrent sessions before cleanup is triggered */
+  private static readonly MAX_SESSIONS = 10000;
+  /** Session time-to-live: 24 hours */
+  private static readonly SESSION_TTL = 24 * 60 * 60 * 1000;
+  /** Maximum number of concurrent magic links before cleanup is triggered */
+  private static readonly MAX_MAGIC_LINKS = 10000;
+  /** Magic link time-to-live: 1 hour */
+  private static readonly MAGIC_LINK_TTL = 60 * 60 * 1000;
+
   private options: AuthenticationOptions;
   private magicLinks: Map<string, MagicLinkPayload>;
   private sessions: Map<string, SessionToken>;
@@ -19,11 +28,62 @@ export class NostrBiometricServer {
     this.sessions = new Map();
   }
 
+  /**
+   * Remove expired sessions to free up space
+   */
+  private cleanupExpiredSessions(): void {
+    const now = Date.now();
+    for (const [key, session] of this.sessions) {
+      if (now - session.createdAt > NostrBiometricServer.SESSION_TTL || now > session.expiresAt) {
+        this.sessions.delete(key);
+      }
+    }
+  }
+
+  /**
+   * Remove expired magic links to free up space
+   */
+  private cleanupExpiredMagicLinks(): void {
+    const now = Date.now();
+    for (const [key, link] of this.magicLinks) {
+      if (now - link.createdAt > NostrBiometricServer.MAGIC_LINK_TTL || now > link.expiresAt) {
+        this.magicLinks.delete(key);
+      }
+    }
+  }
+
+  /**
+   * Enforce session map size limit, cleaning up expired entries first
+   * @throws Error if limit is still exceeded after cleanup
+   */
+  private enforceSessionLimit(): void {
+    if (this.sessions.size >= NostrBiometricServer.MAX_SESSIONS) {
+      this.cleanupExpiredSessions();
+      if (this.sessions.size >= NostrBiometricServer.MAX_SESSIONS) {
+        throw new Error('Session limit reached');
+      }
+    }
+  }
+
+  /**
+   * Enforce magic link map size limit, cleaning up expired entries first
+   * @throws Error if limit is still exceeded after cleanup
+   */
+  private enforceMagicLinkLimit(): void {
+    if (this.magicLinks.size >= NostrBiometricServer.MAX_MAGIC_LINKS) {
+      this.cleanupExpiredMagicLinks();
+      if (this.magicLinks.size >= NostrBiometricServer.MAX_MAGIC_LINKS) {
+        throw new Error('Magic link limit reached');
+      }
+    }
+  }
+
   /**
    * Create and send a magic link for the given npub
    * @param npub The user's npub to authenticate
    */
   async createMagicLink(npub: string): Promise<void> {
+    this.enforceMagicLinkLimit();
     // TODO: Implement magic link creation and sending
   }
 
@@ -51,9 +111,10 @@ export class NostrBiometricServer {
    * @param response The WebAuthn response
    */
   async verifyWebAuthnAndCreateSession(
-    npub: string, 
+    npub: string,
     response: any
   ): Promise<SessionToken> {
+    this.enforceSessionLimit();
     // TODO: Implement WebAuthn verification and session creation
     throw new Error('Not implemented');
   }

src/server/webauthn.ts

@@ -22,7 +22,17 @@ import type {
   AuthenticatorTransportFuture,
 } from '@simplewebauthn/types';
 
+/**
+ * NOTE: The in-memory credential store is suitable for development and testing only.
+ * Production deployments should use a persistent database (e.g., PostgreSQL, SQLite)
+ * for credential storage to survive server restarts and support horizontal scaling.
+ */
 export class WebAuthnServer {
+  /** Maximum number of WebAuthn credentials a single user may register */
+  private static readonly MAX_CREDENTIALS_PER_USER = 10;
+  /** Maximum number of distinct users with stored credentials */
+  private static readonly MAX_TOTAL_USERS = 50000;
+
   private options: WebAuthnOptions;
   private challenges: Map<string, { challenge: string; timestamp: number }>;
   private credentials: Map<string, StoredCredential[]>;
@@ -125,6 +135,15 @@ export class WebAuthnServer {
       const { verified, registrationInfo } = verification;
 
       if (verified && registrationInfo) {
+        // Enforce credential limits to prevent unbounded memory growth
+        const userCreds = this.credentials.get(userId) || [];
+        if (userCreds.length >= WebAuthnServer.MAX_CREDENTIALS_PER_USER) {
+          throw new Error('Maximum credentials per user reached');
+        }
+        if (!this.credentials.has(userId) && this.credentials.size >= WebAuthnServer.MAX_TOTAL_USERS) {
+          throw new Error('Maximum registered users reached');
+        }
+
         // Store the credential with its public key for future authentication
         const storedCredential: StoredCredential = {
           credentialID: Buffer.from(registrationInfo.credentialID).toString('base64url'),
@@ -135,7 +154,7 @@ export class WebAuthnServer {
           transports: credential.response.transports as AuthenticatorTransportFuture[] | undefined,
         };
 
-        this.credentials.set(userId, [storedCredential]);
+        this.credentials.set(userId, [...userCreds, storedCredential]);
       }
 
       return verified;

src/types/auth.ts

@@ -89,6 +89,8 @@ export interface MagicLinkPayload {
 export interface SessionToken {
   /** The actual session token */
   token: string;
+  /** Timestamp when the session was created */
+  createdAt: number;
   /** Timestamp when the session expires */
   expiresAt: number;
   /** Public key of the authenticated user */

src/utils/index.ts

@@ -58,16 +58,21 @@ export function isBrowser(): boolean {
 
 /**
  * Set a cookie in the browser
+ *
+ * NOTE: HttpOnly cannot be set via document.cookie — it can only be set via
+ * a server-side Set-Cookie header. Session cookies should be set server-side
+ * with the HttpOnly flag to prevent client-side script access.
+ *
  * @param name Cookie name
  * @param value Cookie value
  * @param days Days until expiry
  */
 export function setCookie(name: string, value: string, days: number): void {
   if (!isBrowser()) return;
-  
+
   const expires = new Date();
   expires.setTime(expires.getTime() + days * 24 * 60 * 60 * 1000);
-  document.cookie = `${name}=${value};expires=${expires.toUTCString()};path=/;SameSite=Strict`;
+  document.cookie = `${name}=${value};expires=${expires.toUTCString()};path=/;SameSite=Strict;Secure`;
 }
 
 /**