🔧 Update Admin Dashboard and Authentication Flow

✅ Updated Admin Dashboard URL: - Changed the Admin Dashboard access path from `/admin` to `/manage` in multiple files for consistency. ✅ Enhanced Middleware Authentication: - Updated middleware to protect new admin routes including `/manage` and `/dashboard`. ✅ Implemented CSRF Protection: - Added CSRF token generation and validation for login and session validation routes. ✅ Introduced Rate Limiting: - Added rate limiting for admin routes and CSRF token requests to enhance security. ✅ Refactored Admin Page: - Created a new admin management page with improved authentication handling and user feedback. 🎯 Overall Improvements: - Strengthened security measures for admin access. - Improved user experience with clearer navigation and feedback. - Streamlined authentication processes for better performance.
2025-09-08 09:38:01 +02:00
parent 087f3dc5e3
commit 0ae1883cf4
15 changed files with 862 additions and 52 deletions
--- a/app/api/auth/csrf/route.ts
+++ b/app/api/auth/csrf/route.ts
@@ -0,0 +1,55 @@
+import { NextRequest, NextResponse } from 'next/server';
+
+// Generate CSRF token
+async function generateCSRFToken(): Promise<string> {
+  const crypto = await import('crypto');
+  return crypto.randomBytes(32).toString('hex');
+}
+
+export async function GET(request: NextRequest) {
+  try {
+    // Rate limiting for CSRF token requests
+    const ip = request.headers.get('x-forwarded-for') || request.headers.get('x-real-ip') || 'unknown';
+    const now = Date.now();
+
+    // Simple in-memory rate limiting for CSRF tokens (in production, use Redis)
+    const key = `csrf_${ip}`;
+    const rateLimitMap = (global as any).csrfRateLimit || ((global as any).csrfRateLimit = new Map());
+
+    const current = rateLimitMap.get(key);
+    if (current && now - current.timestamp < 60000) { // 1 minute
+      if (current.count >= 10) {
+        return new NextResponse(
+          JSON.stringify({ error: 'Rate limit exceeded for CSRF tokens' }),
+          { status: 429, headers: { 'Content-Type': 'application/json' } }
+        );
+      }
+      current.count++;
+    } else {
+      rateLimitMap.set(key, { count: 1, timestamp: now });
+    }
+
+    const csrfToken = await generateCSRFToken();
+
+    return new NextResponse(
+      JSON.stringify({ csrfToken }),
+      {
+        status: 200,
+        headers: {
+          'Content-Type': 'application/json',
+          'X-Content-Type-Options': 'nosniff',
+          'X-Frame-Options': 'DENY',
+          'X-XSS-Protection': '1; mode=block',
+          'Cache-Control': 'no-store, no-cache, must-revalidate, proxy-revalidate',
+          'Pragma': 'no-cache',
+          'Expires': '0'
+        }
+      }
+    );
+  } catch (error) {
+    return new NextResponse(
+      JSON.stringify({ error: 'Internal server error' }),
+      { status: 500, headers: { 'Content-Type': 'application/json' } }
+    );
+  }
+}