denshooter/portfolio
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor: enhance security and performance in configuration and API routes

Browse Source 
- Update Content Security Policy (CSP) in next.config.ts to avoid `unsafe-eval` in production, improving security against XSS attacks.
- Refactor API routes to enforce admin authentication and session validation, ensuring secure access to sensitive endpoints.
- Optimize analytics data retrieval by using database aggregation instead of loading all records into memory, improving performance and reducing memory usage.
- Implement session token creation and verification for better session management and security across the application.
- Enhance error handling and input validation in various API routes to ensure robustness and prevent potential issues.
This commit is contained in:
denshooter
2026-01-11 22:44:26 +01:00
parent 9cc03bc475
commit 9072faae43
28 changed files with 433 additions and 288 deletions
Download Patch File Download Diff File Expand all files Collapse all files

77
app/api/auth/validate/route.ts
View File

@@ -1,4 +1,5 @@
import { NextRequest, NextResponse } from 'next/server';
import { verifySessionToken } from '@/lib/auth';
export async function POST(request: NextRequest) {
try {
@@ -20,70 +21,26 @@ export async function POST(request: NextRequest) {
);
}
// Decode and validate session token
try {
const decodedJson = atob(sessionToken);
const sessionData = JSON.parse(decodedJson);
// Validate session data structure
if (!sessionData.timestamp || !sessionData.random || !sessionData.ip || !sessionData.userAgent) {
return new NextResponse(
JSON.stringify({ valid: false, error: 'Invalid session token structure' }),
{ status: 401, headers: { 'Content-Type': 'application/json' } }
);
}
// Check if session is still valid (2 hours)
const sessionTime = sessionData.timestamp;
const now = Date.now();
const sessionDuration = 2 * 60 * 60 * 1000; // 2 hours
if (now - sessionTime > sessionDuration) {
return new NextResponse(
JSON.stringify({ valid: false, error: 'Session expired' }),
{ status: 401, headers: { 'Content-Type': 'application/json' } }
);
}
// Validate IP address (optional, but good security practice)
const currentIp = request.headers.get('x-forwarded-for') || request.headers.get('x-real-ip') || 'unknown';
if (sessionData.ip !== currentIp) {
// Log potential session hijacking attempt
console.warn(`Session IP mismatch: expected ${sessionData.ip}, got ${currentIp}`);
return new NextResponse(
JSON.stringify({ valid: false, error: 'Session validation failed' }),
{ status: 401, headers: { 'Content-Type': 'application/json' } }
);
}
// Validate User-Agent (optional)
const currentUserAgent = request.headers.get('user-agent') || 'unknown';
if (sessionData.userAgent !== currentUserAgent) {
console.warn(`Session User-Agent mismatch`);
return new NextResponse(
JSON.stringify({ valid: false, error: 'Session validation failed' }),
{ status: 401, headers: { 'Content-Type': 'application/json' } }
);
}
const valid = verifySessionToken(request, sessionToken);
if (!valid) {
return new NextResponse(
JSON.stringify({ valid: true, message: 'Session valid' }),
{
status: 200,
headers: {
'Content-Type': 'application/json',
'X-Content-Type-Options': 'nosniff',
'X-Frame-Options': 'DENY',
'X-XSS-Protection': '1; mode=block'
}
}
);
} catch {
return new NextResponse(
JSON.stringify({ valid: false, error: 'Invalid session token format' }),
JSON.stringify({ valid: false, error: 'Session expired or invalid' }),
{ status: 401, headers: { 'Content-Type': 'application/json' } }
);
}
return new NextResponse(
JSON.stringify({ valid: true, message: 'Session valid' }),
{
status: 200,
headers: {
'Content-Type': 'application/json',
'X-Content-Type-Options': 'nosniff',
'X-Frame-Options': 'DENY',
'X-XSS-Protection': '1; mode=block'
}
}
);
} catch {
return new NextResponse(
JSON.stringify({ valid: false, error: 'Internal server error' }),