commit all

src/app.ts

@@ -19,7 +19,9 @@ import adminRoutes from './routes/adminRoutes';
 
 const app: Application = express();
 
-app.set('trust proxy', true);
+// Configure trust proxy securely for Hugging Face Spaces
+// Only trust the first proxy (Hugging Face Spaces proxy)
+app.set('trust proxy', 1);
 
 app.use(helmet({
   contentSecurityPolicy: {

src/middlewares/security.ts

@@ -51,6 +51,17 @@ export const createStrictRateLimiter = (windowMs: number, max: number) => {
     message: 'Too many requests from this IP, please try again later.',
     standardHeaders: true,
     legacyHeaders: false,
+    // Use a custom key generator that respects trust proxy setting
+    keyGenerator: (req) => {
+      // Trust proxy is set to 1, so we trust the first proxy
+      // X-Forwarded-For header format: "client, proxy1, proxy2"
+      const forwarded = req.headers['x-forwarded-for'];
+      if (forwarded && typeof forwarded === 'string') {
+        const ips = forwarded.split(',').map(ip => ip.trim());
+        return ips[0] || req.ip || 'unknown';
+      }
+      return req.ip || 'unknown';
+    },
     skip: (req) => {
       return process.env.NODE_ENV === 'development' && req.ip === '::1';
     },

src/routes/agentRoutes.ts

@@ -1,4 +1,4 @@
-import { Router, Request } from 'express';
+import { Router, Request, Response, NextFunction } from 'express';
 import multer, { FileFilterCallback } from 'multer';
 import { AgentController } from '../controllers/agentController';
 import { authenticate, optionalAuth, requireAdmin } from '../middlewares/auth';
@@ -104,6 +104,73 @@ const avatarUpload = multer({
 // Public routes
 router.get('/', optionalAuth, agentController.listAgents.bind(agentController));
 
+// Specific routes must come BEFORE /:id to avoid route conflicts
+// These routes are matched first to prevent conflicts with /:id
+
+/**
+ * @swagger
+ * /agents/my/list:
+ *   get:
+ *     summary: Get my agents (creator)
+ *     tags: [Agents]
+ *     security:
+ *       - bearerAuth: []
+ *     responses:
+ *       200:
+ *         description: List of user's agents
+ *         content:
+ *           application/json:
+ *             schema:
+ *               type: array
+ *               items:
+ *                 $ref: '#/components/schemas/Agent'
+ *       401:
+ *         description: Unauthorized
+ */
+router.get('/my/list', authenticate, agentController.getMyAgents.bind(agentController));
+
+/**
+ * @swagger
+ * /agents/admin/pending:
+ *   get:
+ *     summary: Get pending agents (admin only)
+ *     tags: [Agents]
+ *     security:
+ *       - bearerAuth: []
+ *     responses:
+ *       200:
+ *         description: List of pending agents
+ *         content:
+ *           application/json:
+ *             schema:
+ *               type: array
+ *               items:
+ *                 $ref: '#/components/schemas/Agent'
+ *       401:
+ *         description: Unauthorized
+ *       403:
+ *         description: Admin access required
+ */
+router.get(
+  '/admin/pending',
+  authenticate,
+  requireAdmin,
+  async (req, res) => {
+    try {
+      const agentRepository = AppDataSource.getRepository(Agent);
+      const agents = await agentRepository.find({
+        where: { status: AgentStatus.PENDING },
+        order: { createdAt: 'ASC' },
+      });
+
+      res.json(agents);
+    } catch (error) {
+      console.error('Get pending agents error:', error);
+      res.status(500).json({ error: 'Failed to get pending agents' });
+    }
+  }
+);
+
 /**
  * @swagger
  * /agents/{id}:
@@ -126,10 +193,22 @@ router.get('/', optionalAuth, agentController.listAgents.bind(agentController));
  *           application/json:
  *             schema:
  *               $ref: '#/components/schemas/Agent'
+ *       400:
+ *         description: Invalid agent ID format
  *       404:
  *         description: Agent not found
  */
-router.get('/:id', optionalAuth, agentController.getAgent.bind(agentController));
+// UUID validation middleware
+const validateUUID = (req: Request, res: Response, next: NextFunction) => {
+  const { id } = req.params;
+  const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+  if (!uuidRegex.test(id)) {
+    return res.status(400).json({ error: 'Invalid agent ID format. Must be a valid UUID.' });
+  }
+  next();
+};
+
+router.get('/:id', optionalAuth, validateUUID, agentController.getAgent.bind(agentController));
 
 /**
  * @swagger
@@ -270,6 +349,7 @@ router.post(
 router.put(
   '/:id',
   authenticate,
+  validateUUID,
   avatarUpload.single('avatar'), // Accept avatar as single file
   agentController.updateAgent.bind(agentController)
 );
@@ -308,36 +388,7 @@ router.put(
  *       404:
  *         description: Agent not found
  */
-router.delete('/:id', authenticate, agentController.deleteAgent.bind(agentController));
-
-/**
- * @swagger
- * /agents/my/list:
- *   get:
- *     summary: Get my agents (creator's agents)
- *     tags: [Agents]
- *     security:
- *       - bearerAuth: []
- *     parameters:
- *       - in: query
- *         name: status
- *         schema:
- *           type: string
- *           enum: [pending, approved, rejected]
- *         description: Filter by status
- *     responses:
- *       200:
- *         description: List of user's agents
- *         content:
- *           application/json:
- *             schema:
- *               type: array
- *               items:
- *                 $ref: '#/components/schemas/Agent'
- *       401:
- *         description: Unauthorized
- */
-router.get('/my/list', authenticate, agentController.getMyAgents.bind(agentController));
+router.delete('/:id', authenticate, validateUUID, agentController.deleteAgent.bind(agentController));
 
 /**
  * @swagger
@@ -373,6 +424,7 @@ router.get('/my/list', authenticate, agentController.getMyAgents.bind(agentContr
 router.patch(
   '/:id/delist',
   authenticate,
+  validateUUID,
   async (req, res) => {
     try {
       const { id } = req.params;
@@ -436,6 +488,7 @@ router.patch(
 router.patch(
   '/:id/relist',
   authenticate,
+  validateUUID,
   async (req, res) => {
     try {
       const { id } = req.params;
@@ -503,6 +556,7 @@ router.patch(
   '/:id/approve',
   authenticate,
   requireAdmin,
+  validateUUID,
   async (req, res) => {
     try {
       const { id } = req.params;
@@ -561,6 +615,7 @@ router.patch(
   '/:id/reject',
   authenticate,
   requireAdmin,
+  validateUUID,
   async (req, res) => {
     try {
       const { id } = req.params;
@@ -584,46 +639,4 @@ router.patch(
   }
 );
 
-/**
- * @swagger
- * /agents/admin/pending:
- *   get:
- *     summary: Get pending agents (admin only)
- *     tags: [Agents]
- *     security:
- *       - bearerAuth: []
- *     responses:
- *       200:
- *         description: List of pending agents
- *         content:
- *           application/json:
- *             schema:
- *               type: array
- *               items:
- *                 $ref: '#/components/schemas/Agent'
- *       401:
- *         description: Unauthorized
- *       403:
- *         description: Admin access required
- */
-router.get(
-  '/admin/pending',
-  authenticate,
-  requireAdmin,
-  async (req, res) => {
-    try {
-      const agentRepository = AppDataSource.getRepository(Agent);
-      const agents = await agentRepository.find({
-        where: { status: AgentStatus.PENDING },
-        order: { createdAt: 'ASC' },
-      });
-
-      res.json(agents);
-    } catch (error) {
-      console.error('Get pending agents error:', error);
-      res.status(500).json({ error: 'Failed to get pending agents' });
-    }
-  }
-);
-
 export default router;

zurri-mock-frontend

@@ -0,0 +1 @@
+Subproject commit 4f5001f220128730d26e39e3faccf5f32dd8b734