🔧 Update Admin Dashboard and Authentication Flow

✅ Updated Admin Dashboard URL:
- Changed the Admin Dashboard access path from `/admin` to `/manage` in multiple files for consistency.

✅ Enhanced Middleware Authentication:
- Updated middleware to protect new admin routes including `/manage` and `/dashboard`.

✅ Implemented CSRF Protection:
- Added CSRF token generation and validation for login and session validation routes.

✅ Introduced Rate Limiting:
- Added rate limiting for admin routes and CSRF token requests to enhance security.

✅ Refactored Admin Page:
- Created a new admin management page with improved authentication handling and user feedback.

🎯 Overall Improvements:
- Strengthened security measures for admin access.
- Improved user experience with clearer navigation and feedback.
- Streamlined authentication processes for better performance.

app/api/auth/validate/route.ts

@@ -0,0 +1,93 @@
+import { NextRequest, NextResponse } from 'next/server';
+
+export async function POST(request: NextRequest) {
+  try {
+    const { sessionToken, csrfToken } = await request.json();
+
+    if (!sessionToken) {
+      return new NextResponse(
+        JSON.stringify({ valid: false, error: 'No session token provided' }),
+        { status: 400, headers: { 'Content-Type': 'application/json' } }
+      );
+    }
+
+    // CSRF Protection
+    const expectedCSRF = request.headers.get('x-csrf-token');
+    if (!csrfToken || !expectedCSRF || csrfToken !== expectedCSRF) {
+      return new NextResponse(
+        JSON.stringify({ valid: false, error: 'CSRF token validation failed' }),
+        { status: 403, headers: { 'Content-Type': 'application/json' } }
+      );
+    }
+
+    // Decode and validate session token
+    try {
+      const decodedJson = atob(sessionToken);
+      const sessionData = JSON.parse(decodedJson);
+
+      // Validate session data structure
+      if (!sessionData.timestamp || !sessionData.random || !sessionData.ip || !sessionData.userAgent) {
+        return new NextResponse(
+          JSON.stringify({ valid: false, error: 'Invalid session token structure' }),
+          { status: 401, headers: { 'Content-Type': 'application/json' } }
+        );
+      }
+
+      // Check if session is still valid (2 hours)
+      const sessionTime = sessionData.timestamp;
+      const now = Date.now();
+      const sessionDuration = 2 * 60 * 60 * 1000; // 2 hours
+
+      if (now - sessionTime > sessionDuration) {
+        return new NextResponse(
+          JSON.stringify({ valid: false, error: 'Session expired' }),
+          { status: 401, headers: { 'Content-Type': 'application/json' } }
+        );
+      }
+
+      // Validate IP address (optional, but good security practice)
+      const currentIp = request.headers.get('x-forwarded-for') || request.headers.get('x-real-ip') || 'unknown';
+      if (sessionData.ip !== currentIp) {
+        // Log potential session hijacking attempt
+        console.warn(`Session IP mismatch: expected ${sessionData.ip}, got ${currentIp}`);
+        return new NextResponse(
+          JSON.stringify({ valid: false, error: 'Session validation failed' }),
+          { status: 401, headers: { 'Content-Type': 'application/json' } }
+        );
+      }
+
+      // Validate User-Agent (optional)
+      const currentUserAgent = request.headers.get('user-agent') || 'unknown';
+      if (sessionData.userAgent !== currentUserAgent) {
+        console.warn(`Session User-Agent mismatch`);
+        return new NextResponse(
+          JSON.stringify({ valid: false, error: 'Session validation failed' }),
+          { status: 401, headers: { 'Content-Type': 'application/json' } }
+        );
+      }
+
+      return new NextResponse(
+        JSON.stringify({ valid: true, message: 'Session valid' }),
+        {
+          status: 200,
+          headers: {
+            'Content-Type': 'application/json',
+            'X-Content-Type-Options': 'nosniff',
+            'X-Frame-Options': 'DENY',
+            'X-XSS-Protection': '1; mode=block'
+          }
+        }
+      );
+    } catch (error) {
+      return new NextResponse(
+        JSON.stringify({ valid: false, error: 'Invalid session token format' }),
+        { status: 401, headers: { 'Content-Type': 'application/json' } }
+      );
+    }
+  } catch (error) {
+    return new NextResponse(
+      JSON.stringify({ valid: false, error: 'Internal server error' }), 
+      { status: 500, headers: { 'Content-Type': 'application/json' } }
+    );
+  }
+}