Fixed some bugs in api and auth services, completed auth cores.

stream/src/routes/connect.js

@@ -0,0 +1,44 @@
+import { Router } from 'express';
+import crypto from 'crypto';
+import { querySensors as sensors } from '../data/db.js';
+import { redis } from '../data/redis.js';
+import { verify } from '../core/securitycore.js';
+
+const router = Router();
+const rateLimiter = 10;
+const rateLimitWindow = 60;
+
+router.post('/connect', async (req, res) => {
+  const { sensorID, code } = req.body;
+
+  const ip = (req.headers['x-forwarded-for']?.split(',')[0]?.trim()) || req.socket.remoteAddress || 'unknown';
+  const tryKey = `streamconnect:fail:${ip}`;
+  const fails = Number(await redis.get(tryKey).catch(() => 0));
+  if (fails >= rateLimiter) {
+    return res.status(429).json({ error: 'Too many failed attempts' });
+  }
+
+  if (!sensorID || !code) {
+    await redis.multi().incr(tryKey).expire(tryKey, rateLimitWindow).exec().catch(() => { });
+    return res.status(400).json({ error: 'sensor and code are required' });
+  }
+
+  const { rows } = await sensors('select id, name, code_hash from sensors where id = $1', [sensorID]);
+  if (rows.length === 0) {
+    return res.status(404).json({ error: 'sensor not found' });
+  }
+  if (!rows[0] || !verify(code, rows[0].code_hash)) {
+    await redis.multi().incr(tryKey).expire(tryKey, rateLimitWindow).exec().catch(() => { });
+    return res.status(401).json({ error: 'invalid code' });
+  }
+
+  const token = crypto.randomUUID();
+  await redis.set(`sensor:pending:${token}`, rows[0].id, 'EX', 5);
+  res.json({
+    token,
+    expiresIn: 5
+  })
+  
+})
+
+export { router as connectsAPI }