🔧 Update Admin Dashboard and Authentication Flow

✅ Updated Admin Dashboard URL: - Changed the Admin Dashboard access path from `/admin` to `/manage` in multiple files for consistency. ✅ Enhanced Middleware Authentication: - Updated middleware to protect new admin routes including `/manage` and `/dashboard`. ✅ Implemented CSRF Protection: - Added CSRF token generation and validation for login and session validation routes. ✅ Introduced Rate Limiting: - Added rate limiting for admin routes and CSRF token requests to enhance security. ✅ Refactored Admin Page: - Created a new admin management page with improved authentication handling and user feedback. 🎯 Overall Improvements: - Strengthened security measures for admin access. - Improved user experience with clearer navigation and feedback. - Streamlined authentication processes for better performance.
2025-09-08 09:38:01 +02:00
parent 087f3dc5e3
commit 0ae1883cf4
15 changed files with 862 additions and 52 deletions
--- a/app/api/analytics/dashboard/route.ts
+++ b/app/api/analytics/dashboard/route.ts
@@ -1,27 +1,29 @@
 import { NextRequest, NextResponse } from 'next/server';
 import { projectService } from '@/lib/prisma';
 import { analyticsCache } from '@/lib/redis';
+import { requireAdminAuth, checkRateLimit, getRateLimitHeaders } from '@/lib/auth';

 export async function GET(request: NextRequest) {
  try {
+    // Rate limiting
+    const ip = request.headers.get('x-forwarded-for') || request.headers.get('x-real-ip') || 'unknown';
+    if (!checkRateLimit(ip, 5, 60000)) { // 5 requests per minute
+      return new NextResponse(
+        JSON.stringify({ error: 'Rate limit exceeded' }), 
+        { 
+          status: 429, 
+          headers: { 
+            'Content-Type': 'application/json',
+            ...getRateLimitHeaders(ip, 5, 60000)
+          } 
+        }
+      );
+    }
+
    // Check admin authentication
-    const authHeader = request.headers.get('authorization');
-    const basicAuth = process.env.ADMIN_BASIC_AUTH;
-    
-    if (!basicAuth) {
-      return new NextResponse('Admin access not configured', { status: 500 });
-    }
-
-    if (!authHeader || !authHeader.startsWith('Basic ')) {
-      return new NextResponse('Authentication required', { status: 401 });
-    }
-
-    const credentials = authHeader.split(' ')[1];
-    const [username, password] = Buffer.from(credentials, 'base64').toString().split(':');
-    const [expectedUsername, expectedPassword] = basicAuth.split(':');
-
-    if (username !== expectedUsername || password !== expectedPassword) {
-      return new NextResponse('Invalid credentials', { status: 401 });
+    const authError = requireAdminAuth(request);
+    if (authError) {
+      return authError;
    }

    // Check cache first