denshooter
9072faae43
- Update Content Security Policy (CSP) in next.config.ts to avoid `unsafe-eval` in production, improving security against XSS attacks. - Refactor API routes to enforce admin authentication and session validation, ensuring secure access to sensitive endpoints. - Optimize analytics data retrieval by using database aggregation instead of loading all records into memory, improving performance and reducing memory usage. - Implement session token creation and verification for better session management and security across the application. - Enhance error handling and input validation in various API routes to ensure robustness and prevent potential issues.
95 lines
3.2 KiB
TypeScript
95 lines
3.2 KiB
TypeScript
import { NextRequest, NextResponse } from 'next/server';
|
|
import { checkRateLimit, getRateLimitHeaders } from '@/lib/auth';
|
|
|
|
export async function POST(request: NextRequest) {
|
|
try {
|
|
// Rate limiting
|
|
const ip = request.headers.get('x-forwarded-for') || request.headers.get('x-real-ip') || 'unknown';
|
|
if (!checkRateLimit(ip, 20, 60000)) { // 20 login attempts per minute
|
|
return new NextResponse(
|
|
JSON.stringify({ error: 'Rate limit exceeded' }),
|
|
{
|
|
status: 429,
|
|
headers: {
|
|
'Content-Type': 'application/json',
|
|
...getRateLimitHeaders(ip, 20, 60000)
|
|
}
|
|
}
|
|
);
|
|
}
|
|
|
|
const { password, csrfToken } = await request.json();
|
|
|
|
if (!password) {
|
|
return new NextResponse(
|
|
JSON.stringify({ error: 'Password required' }),
|
|
{ status: 400, headers: { 'Content-Type': 'application/json' } }
|
|
);
|
|
}
|
|
|
|
// CSRF Protection
|
|
const expectedCSRF = request.headers.get('x-csrf-token');
|
|
if (!csrfToken || !expectedCSRF || csrfToken !== expectedCSRF) {
|
|
return new NextResponse(
|
|
JSON.stringify({ error: 'CSRF token validation failed' }),
|
|
{ status: 403, headers: { 'Content-Type': 'application/json' } }
|
|
);
|
|
}
|
|
|
|
// Get admin credentials from environment
|
|
const adminAuth = process.env.ADMIN_BASIC_AUTH;
|
|
if (!adminAuth || adminAuth.trim() === '' || adminAuth === 'admin:default_password_change_me') {
|
|
return new NextResponse(
|
|
JSON.stringify({ error: 'Admin auth is not configured' }),
|
|
{ status: 503, headers: { 'Content-Type': 'application/json' } }
|
|
);
|
|
}
|
|
const [, expectedPassword] = adminAuth.split(':');
|
|
|
|
// Secure password comparison using constant-time comparison
|
|
const crypto = await import('crypto');
|
|
const passwordBuffer = Buffer.from(password, 'utf8');
|
|
const expectedBuffer = Buffer.from(expectedPassword, 'utf8');
|
|
|
|
// Use constant-time comparison to prevent timing attacks
|
|
if (passwordBuffer.length === expectedBuffer.length &&
|
|
crypto.timingSafeEqual(passwordBuffer, expectedBuffer)) {
|
|
const { createSessionToken } = await import('@/lib/auth');
|
|
const sessionToken = createSessionToken(request);
|
|
if (!sessionToken) {
|
|
return new NextResponse(
|
|
JSON.stringify({ error: 'Session secret not configured' }),
|
|
{ status: 503, headers: { 'Content-Type': 'application/json' } }
|
|
);
|
|
}
|
|
|
|
return new NextResponse(
|
|
JSON.stringify({
|
|
success: true,
|
|
message: 'Login successful',
|
|
sessionToken
|
|
}),
|
|
{
|
|
status: 200,
|
|
headers: {
|
|
'Content-Type': 'application/json',
|
|
'X-Content-Type-Options': 'nosniff',
|
|
'X-Frame-Options': 'DENY',
|
|
'X-XSS-Protection': '1; mode=block'
|
|
}
|
|
}
|
|
);
|
|
} else {
|
|
return new NextResponse(
|
|
JSON.stringify({ error: 'Invalid password' }),
|
|
{ status: 401, headers: { 'Content-Type': 'application/json' } }
|
|
);
|
|
}
|
|
} catch {
|
|
return new NextResponse(
|
|
JSON.stringify({ error: 'Internal server error' }),
|
|
{ status: 500, headers: { 'Content-Type': 'application/json' } }
|
|
);
|
|
}
|
|
}
|