Licensing/Auth System and API Development

Budget: - HOURLY / PART_TIME ⭐ 0.00 (0) USA

api-development, cloudflare, mongodb, express-js, node.js, javascript

If you vibe code, do not apply. We are strictly looking for developers who can use their own brain to think & program.

I have a working Node.js/Express authentication and licensing API that I want to improve. The core functionality is already live — user auth, hardware-bound sessions, encrypted file delivery via Cloudflare R2, and a Discord bot integration. I'm looking for a developer to come in, understand the existing code-base, and make it better. I'll share the full code-base privately. Everything is documented and the existing logic is semi-decent.

What the API does today

- App/license key management — create apps, generate keys, assign subscription tiers
- Hardware-bound user auth — users authenticate with username + password + HWID; sessions are tied to their hardware
- Encrypted file hosting — files are AES-256-GCM encrypted server-side before upload to Cloudflare R2; clients receive a one-time download ticket + per-file key; decryption happens client-side only
- Discord bot webhooks — bots receive event notifications (new login, key used, ban, etc.)
- Admin panel routes — JWT-protected management endpoints
- Runs on a Windows VPS.

What I want improved

I'm open to your suggestions after reviewing the code, but areas I have in mind are:

- Rate limiting & abuse prevention — brute-force protection on auth endpoints, session abuse detection
- Subscription/expiry enforcement — tighten how subscription tiers gate downloads and enforce expiry dates
- Logging & audit trail — structured logs for auth events, file downloads, failed attempts
- Error handling consistency — standardise error responses across all routes
- Performance — review DB query patterns, add indexes where missing, reduce round-trips on the download flow
- Security: while our current flow is pretty secure (using HTTPS for certain endpoints), some of it is still under HTTP & using our direct IP. We'd like to transfer everything to Cloudflare-protected domains using HTTPS or, alternatively, TLS. Make the API sit behind CF & only trust CF IPs to prevent IP spoofing attempts.
- Anything you spot — if you see something that should be done differently, I want to hear it