portfolio/app/api/auth/validate/route.ts

import { NextRequest, NextResponse } from 'next/server';

export async function POST(request: NextRequest) {
  try {
    const { sessionToken, csrfToken } = await request.json();

    if (!sessionToken) {
      return new NextResponse(
        JSON.stringify({ valid: false, error: 'No session token provided' }),
        { status: 400, headers: { 'Content-Type': 'application/json' } }
      );
    }

    // CSRF Protection
    const expectedCSRF = request.headers.get('x-csrf-token');
    if (!csrfToken || !expectedCSRF || csrfToken !== expectedCSRF) {
      return new NextResponse(
        JSON.stringify({ valid: false, error: 'CSRF token validation failed' }),
        { status: 403, headers: { 'Content-Type': 'application/json' } }
      );
    }

    // Decode and validate session token
    try {
      const decodedJson = atob(sessionToken);
      const sessionData = JSON.parse(decodedJson);

      // Validate session data structure
      if (!sessionData.timestamp || !sessionData.random || !sessionData.ip || !sessionData.userAgent) {
        return new NextResponse(
          JSON.stringify({ valid: false, error: 'Invalid session token structure' }),
          { status: 401, headers: { 'Content-Type': 'application/json' } }
        );
      }

      // Check if session is still valid (2 hours)
      const sessionTime = sessionData.timestamp;
      const now = Date.now();
      const sessionDuration = 2 * 60 * 60 * 1000; // 2 hours

      if (now - sessionTime > sessionDuration) {
        return new NextResponse(
          JSON.stringify({ valid: false, error: 'Session expired' }),
          { status: 401, headers: { 'Content-Type': 'application/json' } }
        );
      }

      // Validate IP address (optional, but good security practice)
      const currentIp = request.headers.get('x-forwarded-for') || request.headers.get('x-real-ip') || 'unknown';
      if (sessionData.ip !== currentIp) {
        // Log potential session hijacking attempt
        console.warn(`Session IP mismatch: expected ${sessionData.ip}, got ${currentIp}`);
        return new NextResponse(
          JSON.stringify({ valid: false, error: 'Session validation failed' }),
          { status: 401, headers: { 'Content-Type': 'application/json' } }
        );
      }

      // Validate User-Agent (optional)
      const currentUserAgent = request.headers.get('user-agent') || 'unknown';
      if (sessionData.userAgent !== currentUserAgent) {
        console.warn(`Session User-Agent mismatch`);
        return new NextResponse(
          JSON.stringify({ valid: false, error: 'Session validation failed' }),
          { status: 401, headers: { 'Content-Type': 'application/json' } }
        );
      }

      return new NextResponse(
        JSON.stringify({ valid: true, message: 'Session valid' }),
        {
          status: 200,
          headers: {
            'Content-Type': 'application/json',
            'X-Content-Type-Options': 'nosniff',
            'X-Frame-Options': 'DENY',
            'X-XSS-Protection': '1; mode=block'
          }
        }
      );
    } catch {
      return new NextResponse(
        JSON.stringify({ valid: false, error: 'Invalid session token format' }),
        { status: 401, headers: { 'Content-Type': 'application/json' } }
      );
    }
  } catch {
    return new NextResponse(
      JSON.stringify({ valid: false, error: 'Internal server error' }),
      { status: 500, headers: { 'Content-Type': 'application/json' } }
    );
  }
}