Harden external traffic and prevent private-site leakage in shared simulations

Author: wilhel1812

README.md

@@ -14,6 +14,13 @@ Independent web reimplementation inspired by Radio Mobile workflows.
 4. Cache archives in browser Cache Storage.
 5. Parse and use loaded SRTM tiles in propagation/profile/terrain overlay.
 
+## External Service Safeguards
+
+- Geocoding requests prefer `/api/geocode` (with per-IP rate limits + short-lived edge caching when running with Functions).
+- Geocode calls gracefully fall back to direct Nominatim in local runtimes without Functions.
+- Upstream proxy routes (`/meshmap/*`, `/ve2dbe/*`) are limited to `GET/HEAD` and include per-IP request caps in Functions.
+- Fallback map raster tiles use CARTO CDN attribution endpoints rather than direct OSM tile hosts.
+
 ## Runtime Proxy
 
 Vite proxy is used for browser CORS compatibility in dev/preview:

functions/_lib/db.ts

@@ -1049,6 +1049,23 @@ type ActorPolicy = {
   isModerator: boolean;
 };
 
+const referencedLibrarySiteIdsFromSimulation = (item: CloudResourceRecord): string[] => {
+  const snapshot = (item as { snapshot?: unknown }).snapshot;
+  if (!snapshot || typeof snapshot !== "object") return [];
+  const rawSites = (snapshot as { sites?: unknown }).sites;
+  if (!Array.isArray(rawSites)) return [];
+  const ids = new Set<string>();
+  for (const site of rawSites) {
+    if (!site || typeof site !== "object") continue;
+    const libraryEntryId = (site as { libraryEntryId?: unknown }).libraryEntryId;
+    if (typeof libraryEntryId !== "string") continue;
+    const trimmed = libraryEntryId.trim();
+    if (!trimmed) continue;
+    ids.add(trimmed);
+  }
+  return [...ids];
+};
+
 const canReadResource = (
   actor: ActorPolicy,
   ownerUserId: string,
@@ -1113,6 +1130,25 @@ const upsertOwnedResource = async (
 
   const ownerId = existing?.owner_user_id ?? actor.id;
 
+  if (kind === "simulation" && visibility !== "private") {
+    const referencedSiteIds = referencedLibrarySiteIdsFromSimulation(item);
+    if (referencedSiteIds.length) {
+      const checks = await env.DB.batch(
+        referencedSiteIds.map((siteId) =>
+          env.DB.prepare("SELECT id, visibility FROM sites WHERE id = ?").bind(siteId),
+        ),
+      );
+      const hasPrivateReference = checks.some((check) => {
+        const row = check.results[0] as { visibility?: unknown } | undefined;
+        if (!row) return false;
+        return visibilityFromDbVisibility(row.visibility) === "private";
+      });
+      if (hasPrivateReference) {
+        return { ok: false, reason: "simulation_private_site_reference" };
+      }
+    }
+  }
+
   const isCreate = !existing;
   const changed =
     isCreate ||

functions/_lib/rateLimit.ts

@@ -0,0 +1,84 @@
+type RateLimitBucket = {
+  windowStartMs: number;
+  count: number;
+};
+
+type RateLimitInput = {
+  key: string;
+  limit: number;
+  windowMs?: number;
+  nowMs?: number;
+};
+
+type RateLimitResult = {
+  allowed: boolean;
+  remaining: number;
+  retryAfterSec: number;
+};
+
+const buckets = new Map<string, RateLimitBucket>();
+let callsSinceSweep = 0;
+
+const DEFAULT_WINDOW_MS = 60_000;
+
+const sweepExpiredBuckets = (nowMs: number) => {
+  for (const [key, bucket] of buckets.entries()) {
+    if (bucket.windowStartMs + DEFAULT_WINDOW_MS * 4 < nowMs) buckets.delete(key);
+  }
+};
+
+const toSafeLimit = (value: number): number => {
+  if (!Number.isFinite(value)) return 1;
+  return Math.max(1, Math.floor(value));
+};
+
+export const getClientAddress = (request: Request): string => {
+  const cfIp = (request.headers.get("cf-connecting-ip") ?? "").trim();
+  if (cfIp) return cfIp;
+  const forwarded = (request.headers.get("x-forwarded-for") ?? "").split(",")[0]?.trim();
+  if (forwarded) return forwarded;
+  return "unknown";
+};
+
+export const takeRateLimitToken = ({
+  key,
+  limit,
+  windowMs = DEFAULT_WINDOW_MS,
+  nowMs = Date.now(),
+}: RateLimitInput): RateLimitResult => {
+  const safeLimit = toSafeLimit(limit);
+  const safeWindowMs = Math.max(1_000, Math.floor(windowMs));
+
+  callsSinceSweep += 1;
+  if (callsSinceSweep >= 100) {
+    callsSinceSweep = 0;
+    sweepExpiredBuckets(nowMs);
+  }
+
+  const existing = buckets.get(key);
+  if (!existing || nowMs - existing.windowStartMs >= safeWindowMs) {
+    buckets.set(key, { windowStartMs: nowMs, count: 1 });
+    return {
+      allowed: true,
+      remaining: Math.max(0, safeLimit - 1),
+      retryAfterSec: 0,
+    };
+  }
+
+  if (existing.count >= safeLimit) {
+    const retryMs = Math.max(0, safeWindowMs - (nowMs - existing.windowStartMs));
+    return {
+      allowed: false,
+      remaining: 0,
+      retryAfterSec: Math.max(1, Math.ceil(retryMs / 1000)),
+    };
+  }
+
+  existing.count += 1;
+  buckets.set(key, existing);
+  return {
+    allowed: true,
+    remaining: Math.max(0, safeLimit - existing.count),
+    retryAfterSec: 0,
+  };
+};

functions/_lib/types.ts

@@ -32,6 +32,8 @@ export type Env = {
   DEV_AUTH_USER_ID?: string;
   ADMIN_USER_IDS?: string;
   REGISTRATION_MODE?: string;
+  GEOCODE_RATE_LIMIT_PER_MINUTE?: string;
+  PROXY_RATE_LIMIT_PER_MINUTE?: string;
 };
 
 export type AuthContext = {

functions/api/geocode.ts

@@ -0,0 +1,97 @@
+import { getClientAddress, takeRateLimitToken } from "../_lib/rateLimit";
+import { errorResponse, handleOptions, json, withCors } from "../_lib/http";
+import type { Env } from "../_lib/types";
+
+type NominatimResult = {
+  place_id: number;
+  display_name: string;
+  lat: string;
+  lon: string;
+};
+
+const parsePerMinuteLimit = (raw: string | undefined, fallback: number): number => {
+  const parsed = Number(raw ?? "");
+  if (!Number.isFinite(parsed)) return fallback;
+  return Math.max(1, Math.floor(parsed));
+};
+
+const CACHE_TTL_SEC = 300;
+
+export const onRequestOptions: PagesFunction<Env> = async ({ request }) => handleOptions(request);
+
+export const onRequestGet: PagesFunction<Env> = async ({ request, env }) => {
+  try {
+    const url = new URL(request.url);
+    const query = (url.searchParams.get("q") ?? "").trim();
+
+    if (!query) return withCors(request, json({ results: [] }));
+    if (query.length < 3) {
+      return withCors(request, json({ error: "Search query must be at least 3 characters." }, { status: 400 }));
+    }
+
+    const limitPerMinute = parsePerMinuteLimit(env.GEOCODE_RATE_LIMIT_PER_MINUTE, 20);
+    const address = getClientAddress(request);
+    const limiter = takeRateLimitToken({ key: `geocode:${address}`, limit: limitPerMinute });
+    if (!limiter.allowed) {
+      return withCors(
+        request,
+        json(
+          { error: "Geocode rate limit reached. Please wait and try again." },
+          {
+            status: 429,
+            headers: {
+              "retry-after": String(limiter.retryAfterSec),
+            },
+          },
+        ),
+      );
+    }
+
+    const normalized = query.toLowerCase();
+    const cacheUrl = new URL(request.url);
+    cacheUrl.search = "";
+    cacheUrl.searchParams.set("q", normalized);
+    const cacheKey = new Request(cacheUrl.toString(), { method: "GET" });
+    const cache = caches.default;
+    const cached = await cache.match(cacheKey);
+    if (cached) return withCors(request, cached);
+
+    const upstream = new URL("https://nominatim.openstreetmap.org/search");
+    upstream.searchParams.set("q", query);
+    upstream.searchParams.set("format", "jsonv2");
+    upstream.searchParams.set("limit", "6");
+    upstream.searchParams.set("addressdetails", "0");
+
+    const response = await fetch(upstream.toString(), {
+      headers: {
+        accept: "application/json",
+      },
+    });
+    if (!response.ok) {
+      throw new Error(`Geocode lookup failed (${response.status})`);
+    }
+
+    const payload = (await response.json()) as NominatimResult[];
+    const results = payload
+      .map((item) => ({
+        id: String(item.place_id),
+        label: item.display_name,
+        lat: Number(item.lat),
+        lon: Number(item.lon),
+      }))
+      .filter((item) => Number.isFinite(item.lat) && Number.isFinite(item.lon));
+
+    const apiResponse = json(
+      { results },
+      {
+        headers: {
+          "cache-control": `public, max-age=${CACHE_TTL_SEC}`,
+        },
+      },
+    );
+    await cache.put(cacheKey, apiResponse.clone());
+    return withCors(request, apiResponse);
+  } catch (error) {
+    return errorResponse(request, error, 500);
+  }
+};

functions/meshmap/[[path]].ts

@@ -1,17 +1,43 @@
 import { handleOptions } from "../_lib/http";
+import { getClientAddress, takeRateLimitToken } from "../_lib/rateLimit";
 import type { Env } from "../_lib/types";
 
 export const onRequestOptions: PagesFunction<Env> = async ({ request }) => handleOptions(request);
 
-export const onRequest: PagesFunction<Env> = async ({ request }) => {
+const parsePerMinuteLimit = (raw: string | undefined, fallback: number): number => {
+  const parsed = Number(raw ?? "");
+  if (!Number.isFinite(parsed)) return fallback;
+  return Math.max(1, Math.floor(parsed));
+};
+
+export const onRequest: PagesFunction<Env> = async ({ request, env }) => {
+  if (request.method !== "GET" && request.method !== "HEAD") {
+    return new Response("Method not allowed", { status: 405 });
+  }
+
+  const ip = getClientAddress(request);
+  const limiter = takeRateLimitToken({
+    key: `proxy:meshmap:${ip}`,
+    limit: parsePerMinuteLimit(env.PROXY_RATE_LIMIT_PER_MINUTE, 120),
+  });
+  if (!limiter.allowed) {
+    return new Response("Rate limit reached", {
+      status: 429,
+      headers: {
+        "retry-after": String(limiter.retryAfterSec),
+      },
+    });
+  }
+
   const url = new URL(request.url);
   const upstreamPath = url.pathname.replace(/^\/meshmap/, "");
   const upstream = new URL(`https://meshmap.net${upstreamPath}${url.search}`);
 
   const response = await fetch(upstream.toString(), {
     method: request.method,
-    headers: request.headers,
-    body: request.method === "GET" || request.method === "HEAD" ? undefined : request.body,
+    headers: {
+      accept: request.headers.get("accept") ?? "*/*",
+    },
   });
 
   return new Response(response.body, {

functions/ve2dbe/[[path]].ts

@@ -1,17 +1,43 @@
 import { handleOptions } from "../_lib/http";
+import { getClientAddress, takeRateLimitToken } from "../_lib/rateLimit";
 import type { Env } from "../_lib/types";
 
 export const onRequestOptions: PagesFunction<Env> = async ({ request }) => handleOptions(request);
 
-export const onRequest: PagesFunction<Env> = async ({ request }) => {
+const parsePerMinuteLimit = (raw: string | undefined, fallback: number): number => {
+  const parsed = Number(raw ?? "");
+  if (!Number.isFinite(parsed)) return fallback;
+  return Math.max(1, Math.floor(parsed));
+};
+
+export const onRequest: PagesFunction<Env> = async ({ request, env }) => {
+  if (request.method !== "GET" && request.method !== "HEAD") {
+    return new Response("Method not allowed", { status: 405 });
+  }
+
+  const ip = getClientAddress(request);
+  const limiter = takeRateLimitToken({
+    key: `proxy:ve2dbe:${ip}`,
+    limit: parsePerMinuteLimit(env.PROXY_RATE_LIMIT_PER_MINUTE, 120),
+  });
+  if (!limiter.allowed) {
+    return new Response("Rate limit reached", {
+      status: 429,
+      headers: {
+        "retry-after": String(limiter.retryAfterSec),
+      },
+    });
+  }
+
   const url = new URL(request.url);
   const upstreamPath = url.pathname.replace(/^\/ve2dbe/, "");
   const upstream = new URL(`https://www.ve2dbe.com${upstreamPath}${url.search}`);
 
   const response = await fetch(upstream.toString(), {
     method: request.method,
-    headers: request.headers,
-    body: request.method === "GET" || request.method === "HEAD" ? undefined : request.body,
+    headers: {
+      accept: request.headers.get("accept") ?? "*/*",
+    },
   });
 
   return new Response(response.body, {

src/components/MapView.tsx

@@ -63,12 +63,12 @@ const fallbackStyle = {
     osm: {
       type: "raster",
       tiles: [
-        "https://tile.openstreetmap.org/{z}/{x}/{y}.png",
-        "https://a.tile.openstreetmap.org/{z}/{x}/{y}.png",
+        "https://a.basemaps.cartocdn.com/light_all/{z}/{x}/{y}.png",
+        "https://b.basemaps.cartocdn.com/light_all/{z}/{x}/{y}.png",
       ],
       tileSize: 256,
       attribution:
-        '<a href="https://www.openstreetmap.org/copyright" target="_blank" rel="noreferrer">© OpenStreetMap contributors</a>',
+        '<a href="https://www.openstreetmap.org/copyright" target="_blank" rel="noreferrer">© OpenStreetMap contributors</a> <a href="https://carto.com/attributions" target="_blank" rel="noreferrer">© CARTO</a>',
     },
   },
   layers: [

src/components/Sidebar.tsx

@@ -1055,6 +1055,11 @@ export function Sidebar() {
     setEditingLibraryStatus(`Ground elevation set from loaded terrain: ${elevation} m`);
   };
   const runLibrarySearch = async () => {
+    if (librarySearchQuery.trim().length < 3) {
+      setLibrarySearchResults([]);
+      setLibrarySearchStatus("Enter at least 3 characters to search.");
+      return;
+    }
     setLibrarySearchStatus("Searching...");
     try {
       const results = await searchLocations(librarySearchQuery);