denshooter/portfolio
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0ae1883cf4b19f8938a6e7d98bf80f489390f35a
portfolio/app/api/auth/validate/route.ts
denshooter 0ae1883cf4 🔧 Update Admin Dashboard and Authentication Flow 
 Updated Admin Dashboard URL:
- Changed the Admin Dashboard access path from `/admin` to `/manage` in multiple files for consistency.

 Enhanced Middleware Authentication:
- Updated middleware to protect new admin routes including `/manage` and `/dashboard`.

 Implemented CSRF Protection:
- Added CSRF token generation and validation for login and session validation routes.

 Introduced Rate Limiting:
- Added rate limiting for admin routes and CSRF token requests to enhance security.

 Refactored Admin Page:
- Created a new admin management page with improved authentication handling and user feedback.

🎯 Overall Improvements:
- Strengthened security measures for admin access.
- Improved user experience with clearer navigation and feedback.
- Streamlined authentication processes for better performance.
2025-09-08 09:38:01 +02:00

94 lines
3.4 KiB
TypeScript
Raw Blame History

import { NextRequest, NextResponse } from 'next/server';
export async function POST(request: NextRequest) {
try {
const { sessionToken, csrfToken } = await request.json();
if (!sessionToken) {
return new NextResponse(
JSON.stringify({ valid: false, error: 'No session token provided' }),
{ status: 400, headers: { 'Content-Type': 'application/json' } }
);
}
// CSRF Protection
const expectedCSRF = request.headers.get('x-csrf-token');
if (!csrfToken || !expectedCSRF || csrfToken !== expectedCSRF) {
return new NextResponse(
JSON.stringify({ valid: false, error: 'CSRF token validation failed' }),
{ status: 403, headers: { 'Content-Type': 'application/json' } }
);
}
// Decode and validate session token
try {
const decodedJson = atob(sessionToken);
const sessionData = JSON.parse(decodedJson);
// Validate session data structure
if (!sessionData.timestamp || !sessionData.random || !sessionData.ip || !sessionData.userAgent) {
return new NextResponse(
JSON.stringify({ valid: false, error: 'Invalid session token structure' }),
{ status: 401, headers: { 'Content-Type': 'application/json' } }
);
}
// Check if session is still valid (2 hours)
const sessionTime = sessionData.timestamp;
const now = Date.now();
const sessionDuration = 2 * 60 * 60 * 1000; // 2 hours
if (now - sessionTime > sessionDuration) {
return new NextResponse(
JSON.stringify({ valid: false, error: 'Session expired' }),
{ status: 401, headers: { 'Content-Type': 'application/json' } }
);
}
// Validate IP address (optional, but good security practice)
const currentIp = request.headers.get('x-forwarded-for') || request.headers.get('x-real-ip') || 'unknown';
if (sessionData.ip !== currentIp) {
// Log potential session hijacking attempt
console.warn(`Session IP mismatch: expected ${sessionData.ip}, got ${currentIp}`);
return new NextResponse(
JSON.stringify({ valid: false, error: 'Session validation failed' }),
{ status: 401, headers: { 'Content-Type': 'application/json' } }
);
}
// Validate User-Agent (optional)
const currentUserAgent = request.headers.get('user-agent') || 'unknown';
if (sessionData.userAgent !== currentUserAgent) {
console.warn(`Session User-Agent mismatch`);
return new NextResponse(
JSON.stringify({ valid: false, error: 'Session validation failed' }),
{ status: 401, headers: { 'Content-Type': 'application/json' } }
);
}
return new NextResponse(
JSON.stringify({ valid: true, message: 'Session valid' }),
{
status: 200,
headers: {
'Content-Type': 'application/json',
'X-Content-Type-Options': 'nosniff',
'X-Frame-Options': 'DENY',
'X-XSS-Protection': '1; mode=block'
}
}
);
} catch (error) {
return new NextResponse(
JSON.stringify({ valid: false, error: 'Invalid session token format' }),
{ status: 401, headers: { 'Content-Type': 'application/json' } }
);
}
} catch (error) {
return new NextResponse(
JSON.stringify({ valid: false, error: 'Internal server error' }),
{ status: 500, headers: { 'Content-Type': 'application/json' } }
);
}
}
Reference in New Issue View Git Blame Copy Permalink