fix: HMAC caching, rate limiting, review round 4 fixes

- Precompute HMACs at module load for sync cookie validation
- Add per-IP rate limiting (10 attempts/60s) on all login endpoints
- Remove dead /admin/login POST endpoint
- Show login/logout button regardless of event selection
- Nav logout works for both admin and viewer roles
- Add viewer logout + read-only e2e tests
- Fix test:integration:api glob, .gitignore, display.tsx auth state

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Rio517

.gitignore

@@ -3,6 +3,7 @@ node_modules
 
 *.db
 uploads/
+.derby_admin_key
 
 # output
 out

e2e/auth-private-mode.playwright.ts

@@ -42,4 +42,40 @@ test.describe('Private mode – login gate', () => {
     // Should see admin controls
     await expect(page.locator('button:has-text("New Event")')).toBeVisible();
   });
+
+  test('viewer logout restores login gate', async ({ page }) => {
+    // Login as viewer
+    await page.goto(baseUrl);
+    await page.fill('input[type="password"]', VIEWER_PASSWORD);
+    await page.click('button:has-text("Log In")');
+    await expect(page.locator('text=Event Password')).not.toBeVisible({ timeout: 3000 });
+
+    // Logout
+    await page.click('button:has-text("Logout")');
+
+    // Gate should reappear
+    await expect(page.locator('text=Event Password')).toBeVisible({ timeout: 3000 });
+  });
+
+  test('viewer cannot create events (read-only)', async ({ page }) => {
+    // Login as viewer
+    await page.goto(baseUrl);
+    await page.fill('input[type="password"]', VIEWER_PASSWORD);
+    await page.click('button:has-text("Log In")');
+    await expect(page.locator('text=No events yet')).toBeVisible({ timeout: 3000 });
+
+    // "New Event" button should not be visible for viewer
+    await expect(page.locator('button:has-text("New Event")')).toHaveCount(0);
+
+    // Direct API call should be rejected
+    const res = await page.evaluate(async () => {
+      const r = await fetch('/api/events', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ name: 'Hack', date: '2026-01-01' }),
+      });
+      return r.status;
+    });
+    expect(res).toBe(401);
+  });
 });

e2e/auth-ui-gating.playwright.ts

@@ -6,11 +6,10 @@ const ADMIN_PASSWORD = 'test-secret';
 
 /** Login and return the cookie string for admin API calls. */
 async function getAdminCookie(): Promise<string> {
-  const res = await fetch(`${baseUrl}/admin/login`, {
+  const res = await fetch(`${baseUrl}/auth/login`, {
     method: 'POST',
     headers: { 'Content-Type': 'application/json' },
     body: JSON.stringify({ password: ADMIN_PASSWORD }),
-    redirect: 'manual',
   });
   const setCookie = res.headers.get('set-cookie') ?? '';
   return setCookie.split(';')[0]; // "derby_admin=<hmac>"

package.json

@@ -16,7 +16,7 @@
     "test:all": "bun run test && bun run test:ui && bun run test:ui:auth && bun run test:ui:private",
     "test:unit": "bun test ./tests",
     "test:integration": "bun run test:integration:api && bun run test:integration:auth",
-    "test:integration:api": "DERBY_DB_PATH=test-integration.db PORT=3099 bun src/index.ts & until curl -sf http://localhost:3099/api/events > /dev/null; do sleep 0.2; done && PORT=3099 bun test ./tests/api.integration.ts; EXIT_CODE=$?; kill $!; rm -f test-integration.db; exit $EXIT_CODE",
+    "test:integration:api": "DERBY_DB_PATH=test-integration.db PORT=3099 bun src/index.ts & until curl -sf http://localhost:3099/api/events > /dev/null; do sleep 0.2; done && PORT=3099 bun test $(find ./tests -name '*.integration.ts' ! -name 'auth.integration.ts'); EXIT_CODE=$?; kill $!; rm -f test-integration.db; exit $EXIT_CODE",
     "test:integration:auth": "DERBY_DB_PATH=test-auth.db DERBY_ADMIN_KEY=test-secret DERBY_VIEWER_KEY=test-viewer PORT=3098 bun src/index.ts & until curl -sf http://localhost:3098/admin/status > /dev/null; do sleep 0.2; done && PORT=3098 bun test ./tests/auth.integration.ts; EXIT_CODE=$?; kill $!; rm -f test-auth.db; exit $EXIT_CODE",
     "test:ui": "DERBY_DB_PATH=test-ui.db PORT=3001 bun src/index.ts & until curl -sf http://localhost:3001/api/events > /dev/null; do sleep 0.2; done && bunx playwright test --project=chromium; EXIT_CODE=$?; kill $!; rm -f test-ui.db; exit $EXIT_CODE",
     "test:ui:auth": "DERBY_DB_PATH=test-ui-auth.db DERBY_ADMIN_KEY=test-secret PORT=3002 bun src/index.ts & until curl -sf http://localhost:3002/admin/status > /dev/null; do sleep 0.2; done && bunx playwright test --project=auth; EXIT_CODE=$?; kill $!; rm -f test-ui-auth.db; exit $EXIT_CODE",

src/auth.ts

@@ -113,6 +113,11 @@ export const VIEWER_PURPOSE = "derby_viewer_session";
 export const ADMIN_LOGIN_PURPOSE = "derby_admin_login";
 const COOKIE_MAX_AGE = 60 * 60 * 24 * 30; // 30 days
 
+// Precompute expected HMACs at startup — keys never change at runtime
+const _expectedAdminHmac = _adminKey ? await computeHmac(_adminKey, ADMIN_PURPOSE) : null;
+const _expectedViewerHmac = _viewerKey ? await computeHmac(_viewerKey, VIEWER_PURPOSE) : null;
+const _expectedAdminLoginHmac = _adminKey ? await computeHmac(_adminKey, ADMIN_LOGIN_PURPOSE) : null;
+
 export const isSecureRequest = (req: Request): boolean => {
   if (new URL(req.url).protocol === "https:") return true;
   const proto = req.headers.get("x-forwarded-proto");
@@ -131,16 +136,14 @@ const setCookie = (
   headers.append("Set-Cookie", cookie);
 };
 
-export const setAdminCookie = async (headers: Headers, secure: boolean = false): Promise<void> => {
-  if (!_adminKey) return;
-  const hmac = await computeHmac(_adminKey, ADMIN_PURPOSE);
-  setCookie(headers, ADMIN_COOKIE, hmac, COOKIE_MAX_AGE, secure);
+export const setAdminCookie = (headers: Headers, secure: boolean = false): void => {
+  if (!_expectedAdminHmac) return;
+  setCookie(headers, ADMIN_COOKIE, _expectedAdminHmac, COOKIE_MAX_AGE, secure);
 };
 
-export const setViewerCookie = async (headers: Headers, secure: boolean = false): Promise<void> => {
-  if (!_viewerKey) return;
-  const hmac = await computeHmac(_viewerKey, VIEWER_PURPOSE);
-  setCookie(headers, VIEWER_COOKIE, hmac, COOKIE_MAX_AGE, secure);
+export const setViewerCookie = (headers: Headers, secure: boolean = false): void => {
+  if (!_expectedViewerHmac) return;
+  setCookie(headers, VIEWER_COOKIE, _expectedViewerHmac, COOKIE_MAX_AGE, secure);
 };
 
 export const clearAdminCookie = (headers: Headers): void => {
@@ -153,32 +156,30 @@ export const clearViewerCookie = (headers: Headers): void => {
 
 // ===== COOKIE VALIDATION =====
 
-const validateAdminCookie = async (
+const validateAdminCookie = (
   cookies: Record<string, string>
-): Promise<boolean> => {
-  if (!_adminKey) return false;
+): boolean => {
+  if (!_expectedAdminHmac) return false;
   const cookie = cookies[ADMIN_COOKIE];
   if (!cookie) return false;
-  const expected = await computeHmac(_adminKey, ADMIN_PURPOSE);
-  return timingSafeEqual(cookie, expected);
+  return timingSafeEqual(cookie, _expectedAdminHmac);
 };
 
-const validateViewerCookie = async (
+const validateViewerCookie = (
   cookies: Record<string, string>
-): Promise<boolean> => {
-  if (!_viewerKey) return false;
+): boolean => {
+  if (!_expectedViewerHmac) return false;
   const cookie = cookies[VIEWER_COOKIE];
   if (!cookie) return false;
-  const expected = await computeHmac(_viewerKey, VIEWER_PURPOSE);
-  return timingSafeEqual(cookie, expected);
+  return timingSafeEqual(cookie, _expectedViewerHmac);
 };
 
-export const hasViewerAccess = async (req: Request): Promise<boolean> => {
+export const hasViewerAccess = (req: Request): boolean => {
   if (_publicMode) return true;
   if (!_privateMode) return true;
   const cookies = parseCookies(req);
-  if (await validateAdminCookie(cookies)) return true;
-  if (await validateViewerCookie(cookies)) return true;
+  if (validateAdminCookie(cookies)) return true;
+  if (validateViewerCookie(cookies)) return true;
   return false;
 };
 
@@ -193,8 +194,7 @@ export const adminOnly = (handler: Handler): Handler => {
     }
 
     const cookies = parseCookies(req);
-    const isAdmin = await validateAdminCookie(cookies);
-    if (!isAdmin) {
+    if (!validateAdminCookie(cookies)) {
       return respondJson({ error: "Unauthorized" }, 401);
     }
 
@@ -215,13 +215,11 @@ export const viewerRequired = (handler: Handler): Handler => {
     const cookies = parseCookies(req);
 
     // Admin cookie implicitly satisfies viewer check
-    const isAdmin = await validateAdminCookie(cookies);
-    if (isAdmin) {
+    if (validateAdminCookie(cookies)) {
       return handler(req, server);
     }
 
-    const isViewer = await validateViewerCookie(cookies);
-    if (isViewer) {
+    if (validateViewerCookie(cookies)) {
       return handler(req, server);
     }
 
@@ -231,29 +229,77 @@ export const viewerRequired = (handler: Handler): Handler => {
 
 // ===== AUTH STATUS =====
 
-export const getAuthStatus = async (
+export const getAuthStatus = (
   req: Request
-): Promise<{
+): {
   admin: boolean;
   viewer: boolean;
   publicMode: boolean;
   privateMode: boolean;
-}> => {
+} => {
   if (_publicMode) {
     return { admin: true, viewer: true, publicMode: true, privateMode: false };
   }
 
   const cookies = parseCookies(req);
-  const admin = await validateAdminCookie(cookies);
-  const viewer = admin || (_privateMode && (await validateViewerCookie(cookies)));
+  const admin = validateAdminCookie(cookies);
+  const viewer = admin || (_privateMode && validateViewerCookie(cookies));
 
   return { admin, viewer, publicMode: false, privateMode: _privateMode };
 };
 
+// ===== LOGIN TOKEN VALIDATION =====
+
+export const validateLoginToken = (token: string): boolean => {
+  if (!_expectedAdminLoginHmac) return false;
+  return timingSafeEqual(token, _expectedAdminLoginHmac);
+};
+
+// ===== LOGIN RATE LIMITING =====
+
+const LOGIN_RATE_LIMIT = 10;
+const LOGIN_RATE_WINDOW_MS = 60_000;
+const _loginAttempts = new Map<string, number[]>();
+
+const getClientIp = (req: Request): string => {
+  const forwarded = req.headers.get("x-forwarded-for");
+  if (forwarded) return forwarded.split(",")[0]!.trim();
+  return req.headers.get("x-real-ip") ?? "direct";
+};
+
+export const checkLoginRateLimit = (req: Request): boolean => {
+  const ip = getClientIp(req);
+  const now = Date.now();
+  const attempts = _loginAttempts.get(ip);
+  const recent = attempts ? attempts.filter((t) => now - t < LOGIN_RATE_WINDOW_MS) : [];
+
+  if (recent.length >= LOGIN_RATE_LIMIT) {
+    _loginAttempts.set(ip, recent);
+    return false;
+  }
+
+  recent.push(now);
+  _loginAttempts.set(ip, recent);
+  return true;
+};
+
+// Periodic cleanup to prevent unbounded memory growth
+setInterval(() => {
+  const now = Date.now();
+  for (const [ip, attempts] of _loginAttempts) {
+    const recent = attempts.filter((t) => now - t < LOGIN_RATE_WINDOW_MS);
+    if (recent.length === 0) _loginAttempts.delete(ip);
+    else _loginAttempts.set(ip, recent);
+  }
+}, LOGIN_RATE_WINDOW_MS).unref();
+
 // ===== STARTUP LOGGING =====
 
 export const logAuthConfig = (): void => {
   if (!_adminKey) {
+    if (_viewerKey) {
+      console.warn("Auth: DERBY_VIEWER_KEY is set but DERBY_ADMIN_KEY is not — viewer key ignored");
+    }
     console.log("Auth: PUBLIC MODE (no DERBY_ADMIN_KEY set)");
     return;
   }

src/frontend/api.ts

@@ -201,7 +201,8 @@ export const api = {
     });
     if (!res.ok) return null;
     const data = await res.json() as { role: string };
-    return data.role as 'admin' | 'viewer';
+    if (data.role === 'admin' || data.role === 'viewer') return data.role;
+    return null;
   },
 
   async logout(): Promise<void> {

src/frontend/context.tsx

@@ -8,6 +8,7 @@ export interface AppContextType {
   standings: Standing[];
   // Auth status
   isAdmin: boolean;
+  isViewer: boolean;
   isPublicMode: boolean;
   isPrivateMode: boolean;
   /** True when the current user can perform mutations (admin or public mode). */

src/frontend/display.tsx

@@ -77,12 +77,14 @@ function DisplayApp() {
   const [loading, setLoading] = useState(true);
   const [error, setError] = useState<string | null>(null);
   const [needsLogin, setNeedsLogin] = useState(false);
+  const [authChecked, setAuthChecked] = useState(false);
   const [lastUpdated, setLastUpdated] = useState<Date>(new Date());
 
   const refreshData = async () => {
     try {
-      // On first load, check if private mode requires auth
-      if (loading) {
+      // Check auth once on first load
+      if (!authChecked) {
+        setAuthChecked(true);
         const auth = await api.checkAuth();
         if (auth.privateMode && !auth.authenticated) {
           setNeedsLogin(true);

src/frontend/main.tsx

@@ -169,6 +169,7 @@ function AppRoutes() {
     heats,
     standings,
     isAdmin: authStatus.admin,
+    isViewer: authStatus.viewer,
     isPublicMode: authStatus.publicMode,
     isPrivateMode: authStatus.privateMode,
     canEdit: authStatus.admin || authStatus.publicMode,
@@ -308,10 +309,15 @@ function PrivateLoginGate({ onAuth }: { onAuth: () => Promise<void> }) {
     e.preventDefault();
     setError(false);
     setSubmitting(true);
-    const role = await api.login(password);
-    if (role) {
-      await onAuth();
-    } else {
+    try {
+      const role = await api.login(password);
+      if (role) {
+        await onAuth();
+      } else {
+        setError(true);
+        setSubmitting(false);
+      }
+    } catch {
       setError(true);
       setSubmitting(false);
     }
@@ -368,7 +374,7 @@ function Navigation({
 }: {
   onGoHome: () => void;
 }) {
-  const { currentEvent, canEdit, isAdmin, isPublicMode, refreshAuth } = useApp();
+  const { currentEvent, canEdit, isAdmin, isViewer, isPublicMode, refreshAuth } = useApp();
   const navigate = useNavigate();
   const location = useLocation();
   const [showLogin, setShowLogin] = useState(false);
@@ -486,8 +492,8 @@ function Navigation({
                 )}
               </div>
 
-              {showAuthButton && !currentEvent && (
-                isAdmin ? (
+              {showAuthButton && (
+                (isAdmin || isViewer) ? (
                   <button
                     onClick={handleLogout}
                     className="h-11 shrink-0 flex items-center gap-2 px-3 py-2 rounded-lg font-semibold text-sm transition-all duration-200 cursor-pointer text-slate-600 hover:text-slate-900 hover:bg-slate-100 border-l border-slate-300 ml-1"

src/frontend/views/CertificateView.tsx

@@ -340,6 +340,9 @@ export function CertificateView() {
 
   useEffect(() => {
     (async () => {
+      setAuthDenied(false);
+      setNeedsLogin(false);
+      setError(null);
       try {
         // Check auth status — in private mode, viewer cookie is required
         try {