security improvements

server/api/auth/register.post.ts

@@ -1,7 +1,25 @@
-import { createUser, getUserByUsername, getUserByEmail } from '~/server/utils/database'
-import { setAuthCookie } from '~/server/utils/auth'
+import { createUser, getUserByUsername, getUserByEmail, checkRateLimit, createSession } from '~/server/utils/database'
+import { setAuthCookie, generateSessionToken } from '~/server/utils/auth'
 
 export default defineEventHandler(async (event) => {
+  // Get client IP for rate limiting
+  const clientIp = getRequestIP(event) || 'unknown'
+  
+  // Log IP for verification
+  console.log(`[REGISTER ATTEMPT] IP: ${clientIp}, Headers:`, {
+    'x-forwarded-for': getHeader(event, 'x-forwarded-for'),
+    'x-real-ip': getHeader(event, 'x-real-ip'),
+    'cf-connecting-ip': getHeader(event, 'cf-connecting-ip')
+  })
+  
+  // Check rate limit: 3 attempts per hour
+  if (!checkRateLimit(clientIp, 'register', 3, 60)) {
+    throw createError({
+      statusCode: 429,
+      message: 'Too many registration attempts. Please try again in 1 hour.'
+    })
+  }
+
   const body = await readBody(event)
   const { username, password, email, firstName, lastName } = body
 
@@ -80,8 +98,16 @@ export default defineEventHandler(async (event) => {
     // Create the new user with all fields
     createUser(username.toLowerCase(), password, email.toLowerCase(), firstName, lastName)
     
-    // Log them in automatically
-    setAuthCookie(event, username.toLowerCase())
+    // Generate session token and create session for auto-login
+    const sessionToken = generateSessionToken()
+    const expiresAt = new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString() // 24 hours
+    createSession(sessionToken, username.toLowerCase(), expiresAt)
+    
+    // Set session cookie
+    setAuthCookie(event, sessionToken)
+    
+    // Log successful registration
+    console.log(`[REGISTER SUCCESS] User: ${username.toLowerCase()}, IP: ${clientIp}`)
 
     return {
       success: true,