kjanat/livedash-node
1
0
Fork 0
mirror of https://github.com/kjanat/livedash-node.git synced 2026-01-16 14:12:10 +01:00
Code Issues Packages Projects Releases Wiki Activity

refactor: fix biome linting issues and update project documentation

Browse Source 
- Fix 36+ biome linting issues reducing errors/warnings from 227 to 191
- Replace explicit 'any' types with proper TypeScript interfaces
- Fix React hooks dependencies and useCallback patterns
- Resolve unused variables and parameter assignment issues
- Improve accessibility with proper label associations
- Add comprehensive API documentation for admin and security features
- Update README.md with accurate PostgreSQL setup and current tech stack
- Create complete documentation for audit logging, CSP monitoring, and batch processing
- Fix outdated project information and missing developer workflows
This commit is contained in:
Kaj Kowalski
2025-07-11 21:50:53 +02:00
committed by Kaj Kowalski
parent 3e9e75e854
commit 1eea2cc3e4
121 changed files with 28687 additions and 4895 deletions
Download Patch File Download Diff File Expand all files Collapse all files

220
app/api/admin/audit-logs/retention/route.ts Normal file
View File

@ -0,0 +1,220 @@
import { type NextRequest, NextResponse } from "next/server";
import { getServerSession } from "next-auth/next";
import {
AuditLogRetentionManager,
DEFAULT_RETENTION_POLICIES,
executeScheduledRetention,
} from "../../../../../lib/auditLogRetention";
import { auditLogScheduler } from "../../../../../lib/auditLogScheduler";
import { authOptions } from "../../../../../lib/auth";
import { extractClientIP } from "../../../../../lib/rateLimiter";
import {
AuditOutcome,
createAuditMetadata,
securityAuditLogger,
} from "../../../../../lib/securityAuditLogger";
// GET /api/admin/audit-logs/retention - Get retention statistics and policy status
export async function GET(request: NextRequest) {
try {
const session = await getServerSession(authOptions);
const ip = extractClientIP(request);
const userAgent = request.headers.get("user-agent") || undefined;
if (!session?.user) {
await securityAuditLogger.logAuthorization(
"audit_retention_unauthorized_access",
AuditOutcome.BLOCKED,
{
ipAddress: ip,
userAgent,
metadata: createAuditMetadata({
error: "no_session",
}),
},
"Unauthorized attempt to access audit retention management"
);
return NextResponse.json(
{ success: false, error: "Unauthorized" },
{ status: 401 }
);
}
// Only allow ADMIN users to manage audit log retention
if (session.user.role !== "ADMIN") {
await securityAuditLogger.logAuthorization(
"audit_retention_insufficient_permissions",
AuditOutcome.BLOCKED,
{
userId: session.user.id,
companyId: session.user.companyId,
ipAddress: ip,
userAgent,
metadata: createAuditMetadata({
userRole: session.user.role,
requiredRole: "ADMIN",
}),
},
"Insufficient permissions to access audit retention management"
);
return NextResponse.json(
{ success: false, error: "Insufficient permissions" },
{ status: 403 }
);
}
const manager = new AuditLogRetentionManager();
// Get retention statistics and policy information
const [statistics, policyValidation, schedulerStatus] = await Promise.all([
manager.getRetentionStatistics(),
manager.validateRetentionPolicies(),
Promise.resolve(auditLogScheduler.getStatus()),
]);
// Log successful retention info access
await securityAuditLogger.logDataPrivacy(
"audit_retention_info_accessed",
AuditOutcome.SUCCESS,
{
userId: session.user.id,
companyId: session.user.companyId,
ipAddress: ip,
userAgent,
metadata: createAuditMetadata({
totalLogs: statistics.totalLogs,
schedulerRunning: schedulerStatus.isRunning,
}),
},
"Audit retention information accessed by admin"
);
return NextResponse.json({
success: true,
data: {
statistics,
policies: DEFAULT_RETENTION_POLICIES,
policyValidation,
scheduler: schedulerStatus,
},
});
} catch (error) {
console.error("Error fetching audit retention info:", error);
await securityAuditLogger.logDataPrivacy(
"audit_retention_info_error",
AuditOutcome.FAILURE,
{
userId: session?.user?.id,
companyId: session?.user?.companyId,
ipAddress: extractClientIP(request),
userAgent: request.headers.get("user-agent") || undefined,
metadata: createAuditMetadata({
error: "server_error",
}),
},
`Server error while fetching audit retention info: ${error}`
);
return NextResponse.json(
{ success: false, error: "Internal server error" },
{ status: 500 }
);
}
}
// POST /api/admin/audit-logs/retention - Execute retention policies manually
export async function POST(request: NextRequest) {
try {
const session = await getServerSession(authOptions);
const ip = extractClientIP(request);
const userAgent = request.headers.get("user-agent") || undefined;
if (!session?.user || session.user.role !== "ADMIN") {
await securityAuditLogger.logAuthorization(
"audit_retention_execute_unauthorized",
AuditOutcome.BLOCKED,
{
userId: session?.user?.id,
companyId: session?.user?.companyId,
ipAddress: ip,
userAgent,
metadata: createAuditMetadata({
error: "insufficient_permissions",
}),
},
"Unauthorized attempt to execute audit retention"
);
return NextResponse.json(
{ success: false, error: "Unauthorized" },
{ status: 401 }
);
}
const body = await request.json();
const { action, isDryRun = true } = body;
if (action !== "execute") {
return NextResponse.json(
{ success: false, error: "Invalid action. Use 'execute'" },
{ status: 400 }
);
}
// Log retention execution attempt
await securityAuditLogger.logDataPrivacy(
"audit_retention_manual_execution",
AuditOutcome.SUCCESS,
{
userId: session.user.id,
companyId: session.user.companyId,
ipAddress: ip,
userAgent,
metadata: createAuditMetadata({
isDryRun,
triggerType: "manual_admin",
}),
},
`Admin manually triggered audit retention (dry run: ${isDryRun})`
);
// Execute retention policies
const results = await executeScheduledRetention(isDryRun);
return NextResponse.json({
success: true,
data: {
message: isDryRun
? "Dry run completed successfully"
: "Retention policies executed successfully",
isDryRun,
results,
},
});
} catch (error) {
console.error("Error executing audit retention:", error);
await securityAuditLogger.logDataPrivacy(
"audit_retention_execution_error",
AuditOutcome.FAILURE,
{
userId: session?.user?.id,
companyId: session?.user?.companyId,
ipAddress: extractClientIP(request),
userAgent: request.headers.get("user-agent") || undefined,
metadata: createAuditMetadata({
error: "server_error",
}),
},
`Server error while executing audit retention: ${error}`
);
return NextResponse.json(
{ success: false, error: "Internal server error" },
{ status: 500 }
);
}
}

208
app/api/admin/audit-logs/route.ts Normal file
View File

@ -0,0 +1,208 @@
import { type NextRequest, NextResponse } from "next/server";
import { getServerSession } from "next-auth/next";
import { authOptions } from "../../../../lib/auth";
import { prisma } from "../../../../lib/prisma";
import { extractClientIP } from "../../../../lib/rateLimiter";
import {
AuditOutcome,
createAuditMetadata,
securityAuditLogger,
} from "../../../../lib/securityAuditLogger";
export async function GET(request: NextRequest) {
try {
const session = await getServerSession(authOptions);
const ip = extractClientIP(request);
const userAgent = request.headers.get("user-agent") || undefined;
if (!session?.user) {
await securityAuditLogger.logAuthorization(
"audit_logs_unauthorized_access",
AuditOutcome.BLOCKED,
{
ipAddress: ip,
userAgent,
metadata: createAuditMetadata({
error: "no_session",
}),
},
"Unauthorized attempt to access audit logs"
);
return NextResponse.json(
{ success: false, error: "Unauthorized" },
{ status: 401 }
);
}
// Only allow ADMIN users to view audit logs
if (session.user.role !== "ADMIN") {
await securityAuditLogger.logAuthorization(
"audit_logs_insufficient_permissions",
AuditOutcome.BLOCKED,
{
userId: session.user.id,
companyId: session.user.companyId,
ipAddress: ip,
userAgent,
metadata: createAuditMetadata({
userRole: session.user.role,
requiredRole: "ADMIN",
}),
},
"Insufficient permissions to access audit logs"
);
return NextResponse.json(
{ success: false, error: "Insufficient permissions" },
{ status: 403 }
);
}
const url = new URL(request.url);
const page = Number.parseInt(url.searchParams.get("page") || "1");
const limit = Math.min(
Number.parseInt(url.searchParams.get("limit") || "50"),
100
);
const eventType = url.searchParams.get("eventType");
const outcome = url.searchParams.get("outcome");
const severity = url.searchParams.get("severity");
const userId = url.searchParams.get("userId");
const startDate = url.searchParams.get("startDate");
const endDate = url.searchParams.get("endDate");
const skip = (page - 1) * limit;
// Build filter conditions
const where: {
companyId: string;
eventType?: string;
outcome?: string;
timestamp?: {
gte?: Date;
lte?: Date;
};
} = {
companyId: session.user.companyId, // Only show logs for user's company
};
if (eventType) {
where.eventType = eventType;
}
if (outcome) {
where.outcome = outcome;
}
if (severity) {
where.severity = severity;
}
if (userId) {
where.userId = userId;
}
if (startDate || endDate) {
where.timestamp = {};
if (startDate) {
where.timestamp.gte = new Date(startDate);
}
if (endDate) {
where.timestamp.lte = new Date(endDate);
}
}
// Get audit logs with pagination
const [auditLogs, totalCount] = await Promise.all([
prisma.securityAuditLog.findMany({
where,
skip,
take: limit,
orderBy: { timestamp: "desc" },
include: {
user: {
select: {
id: true,
email: true,
name: true,
role: true,
},
},
platformUser: {
select: {
id: true,
email: true,
name: true,
role: true,
},
},
},
}),
prisma.securityAuditLog.count({ where }),
]);
// Log successful audit log access
await securityAuditLogger.logDataPrivacy(
"audit_logs_accessed",
AuditOutcome.SUCCESS,
{
userId: session.user.id,
companyId: session.user.companyId,
ipAddress: ip,
userAgent,
metadata: createAuditMetadata({
page,
limit,
filters: {
eventType,
outcome,
severity,
userId,
startDate,
endDate,
},
recordsReturned: auditLogs.length,
}),
},
"Audit logs accessed by admin user"
);
return NextResponse.json({
success: true,
data: {
auditLogs,
pagination: {
page,
limit,
totalCount,
totalPages: Math.ceil(totalCount / limit),
hasNext: skip + limit < totalCount,
hasPrev: page > 1,
},
},
});
} catch (error) {
console.error("Error fetching audit logs:", error);
await securityAuditLogger.logDataPrivacy(
"audit_logs_server_error",
AuditOutcome.FAILURE,
{
userId: session?.user?.id,
companyId: session?.user?.companyId,
ipAddress: extractClientIP(request),
userAgent: request.headers.get("user-agent") || undefined,
metadata: createAuditMetadata({
error: "server_error",
}),
},
`Server error while fetching audit logs: ${error}`
);
return NextResponse.json(
{ success: false, error: "Internal server error" },
{ status: 500 }
);
}
}

159
app/api/admin/batch-monitoring/route.ts Normal file
View File

@ -0,0 +1,159 @@
import { type NextRequest, NextResponse } from "next/server";
import { getServerSession } from "next-auth";
import { authOptions } from "@/lib/auth";
import {
type BatchOperation,
batchLogger,
logBatchMetrics,
} from "@/lib/batchLogger";
import { getCircuitBreakerStatus } from "@/lib/batchProcessor";
import { getBatchSchedulerStatus } from "@/lib/batchProcessorIntegration";
/**
* GET /api/admin/batch-monitoring
* Get comprehensive batch processing monitoring data
*/
export async function GET(request: NextRequest) {
try {
const session = await getServerSession(authOptions);
if (!session?.user || session.user.role !== "ADMIN") {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}
const url = new URL(request.url);
const companyId = url.searchParams.get("companyId");
const operation = url.searchParams.get("operation") as BatchOperation;
const format = url.searchParams.get("format") || "json";
// Get batch processing metrics
const metrics = batchLogger.getMetrics(companyId || undefined);
// Get scheduler status
const schedulerStatus = getBatchSchedulerStatus();
// Get circuit breaker status
const circuitBreakerStatus = getCircuitBreakerStatus();
// Generate performance metrics for specific operation if requested
if (operation) {
await logBatchMetrics(operation);
}
const monitoringData = {
timestamp: new Date().toISOString(),
metrics,
schedulerStatus,
circuitBreakerStatus,
systemHealth: {
schedulerRunning: schedulerStatus.isRunning,
circuitBreakersOpen: Object.values(circuitBreakerStatus).some(
(cb) => cb.isOpen
),
pausedDueToErrors: schedulerStatus.isPaused,
consecutiveErrors: schedulerStatus.consecutiveErrors,
},
};
if (
format === "csv" &&
typeof metrics === "object" &&
!Array.isArray(metrics)
) {
// Convert metrics to CSV format
const headers = [
"company_id",
"operation_start_time",
"request_count",
"success_count",
"failure_count",
"retry_count",
"total_cost",
"average_latency",
"circuit_breaker_trips",
].join(",");
const rows = Object.entries(metrics).map(([companyId, metric]) =>
[
companyId,
new Date(metric.operationStartTime).toISOString(),
metric.requestCount,
metric.successCount,
metric.failureCount,
metric.retryCount,
metric.totalCost.toFixed(4),
metric.averageLatency.toFixed(2),
metric.circuitBreakerTrips,
].join(",")
);
return new NextResponse([headers, ...rows].join("\n"), {
headers: {
"Content-Type": "text/csv",
"Content-Disposition": `attachment; filename="batch-monitoring-${Date.now()}.csv"`,
},
});
}
return NextResponse.json(monitoringData);
} catch (error) {
console.error("Batch monitoring API error:", error);
return NextResponse.json(
{ error: "Failed to fetch batch monitoring data" },
{ status: 500 }
);
}
}
/**
* POST /api/admin/batch-monitoring/export
* Export batch processing logs
*/
export async function POST(request: NextRequest) {
try {
const session = await getServerSession(authOptions);
if (!session?.user || session.user.role !== "ADMIN") {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}
const body = await request.json();
const { startDate, endDate, format = "json" } = body;
if (!startDate || !endDate) {
return NextResponse.json(
{ error: "Start date and end date are required" },
{ status: 400 }
);
}
const timeRange = {
start: new Date(startDate),
end: new Date(endDate),
};
const exportData = batchLogger.exportLogs(timeRange);
if (format === "csv") {
return new NextResponse(exportData, {
headers: {
"Content-Type": "text/csv",
"Content-Disposition": `attachment; filename="batch-logs-${startDate}-${endDate}.csv"`,
},
});
}
return new NextResponse(exportData, {
headers: {
"Content-Type": "application/json",
"Content-Disposition": `attachment; filename="batch-logs-${startDate}-${endDate}.json"`,
},
});
} catch (error) {
console.error("Batch log export error:", error);
return NextResponse.json(
{ error: "Failed to export batch logs" },
{ status: 500 }
);
}
}

142
app/api/admin/security-monitoring/alerts/route.ts Normal file
View File

@ -0,0 +1,142 @@
import { type NextRequest, NextResponse } from "next/server";
import { getServerSession } from "next-auth";
import { z } from "zod";
import { authOptions } from "@/lib/auth";
import {
AuditOutcome,
createAuditContext,
securityAuditLogger,
} from "@/lib/securityAuditLogger";
import {
type AlertSeverity,
securityMonitoring,
} from "@/lib/securityMonitoring";
const alertQuerySchema = z.object({
severity: z.enum(["LOW", "MEDIUM", "HIGH", "CRITICAL"]).optional(),
acknowledged: z.enum(["true", "false"]).optional(),
limit: z
.string()
.transform((val) => Number.parseInt(val, 10))
.optional(),
offset: z
.string()
.transform((val) => Number.parseInt(val, 10))
.optional(),
});
const acknowledgeAlertSchema = z.object({
alertId: z.string().uuid(),
action: z.literal("acknowledge"),
});
export async function GET(request: NextRequest) {
try {
const session = await getServerSession(authOptions);
if (!session?.user || !session.user.isPlatformUser) {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}
const url = new URL(request.url);
const params = Object.fromEntries(url.searchParams.entries());
const query = alertQuerySchema.parse(params);
const context = await createAuditContext(request, session);
// Get alerts based on filters
const alerts = securityMonitoring.getActiveAlerts(
query.severity as AlertSeverity
);
// Apply pagination
const limit = query.limit || 50;
const offset = query.offset || 0;
const paginatedAlerts = alerts.slice(offset, offset + limit);
// Log alert access
await securityAuditLogger.logPlatformAdmin(
"security_alerts_access",
AuditOutcome.SUCCESS,
context,
undefined,
{
alertCount: alerts.length,
filters: query,
}
);
return NextResponse.json({
alerts: paginatedAlerts,
total: alerts.length,
limit,
offset,
});
} catch (error) {
console.error("Security alerts API error:", error);
if (error instanceof z.ZodError) {
return NextResponse.json(
{ error: "Invalid query parameters", details: error.errors },
{ status: 400 }
);
}
return NextResponse.json(
{ error: "Internal server error" },
{ status: 500 }
);
}
}
export async function POST(request: NextRequest) {
try {
const session = await getServerSession(authOptions);
if (!session?.user || !session.user.isPlatformUser) {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}
const body = await request.json();
const { alertId, action } = acknowledgeAlertSchema.parse(body);
const context = await createAuditContext(request, session);
if (action === "acknowledge") {
const success = await securityMonitoring.acknowledgeAlert(
alertId,
session.user.id
);
if (!success) {
return NextResponse.json({ error: "Alert not found" }, { status: 404 });
}
// Log alert acknowledgment
await securityAuditLogger.logPlatformAdmin(
"security_alert_acknowledged",
AuditOutcome.SUCCESS,
context,
undefined,
{ alertId }
);
return NextResponse.json({ success: true });
}
return NextResponse.json({ error: "Invalid action" }, { status: 400 });
} catch (error) {
console.error("Security alert action error:", error);
if (error instanceof z.ZodError) {
return NextResponse.json(
{ error: "Invalid request", details: error.errors },
{ status: 400 }
);
}
return NextResponse.json(
{ error: "Internal server error" },
{ status: 500 }
);
}
}

90
app/api/admin/security-monitoring/export/route.ts Normal file
View File

@ -0,0 +1,90 @@
import { type NextRequest, NextResponse } from "next/server";
import { getServerSession } from "next-auth";
import { z } from "zod";
import { authOptions } from "@/lib/auth";
import {
AuditOutcome,
createAuditContext,
securityAuditLogger,
} from "@/lib/securityAuditLogger";
import { securityMonitoring } from "@/lib/securityMonitoring";
const exportQuerySchema = z.object({
format: z.enum(["json", "csv"]).default("json"),
startDate: z.string().datetime(),
endDate: z.string().datetime(),
type: z.enum(["alerts", "metrics"]).default("alerts"),
});
export async function GET(request: NextRequest) {
try {
const session = await getServerSession(authOptions);
if (!session?.user || !session.user.isPlatformUser) {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}
const url = new URL(request.url);
const params = Object.fromEntries(url.searchParams.entries());
const query = exportQuerySchema.parse(params);
const context = await createAuditContext(request, session);
const timeRange = {
start: new Date(query.startDate),
end: new Date(query.endDate),
};
let data: string;
let filename: string;
let contentType: string;
if (query.type === "alerts") {
data = securityMonitoring.exportSecurityData(query.format, timeRange);
filename = `security-alerts-${query.startDate.split("T")[0]}-to-${query.endDate.split("T")[0]}.${query.format}`;
contentType = query.format === "csv" ? "text/csv" : "application/json";
} else {
// Export metrics
const metrics = await securityMonitoring.getSecurityMetrics(timeRange);
data = JSON.stringify(metrics, null, 2);
filename = `security-metrics-${query.startDate.split("T")[0]}-to-${query.endDate.split("T")[0]}.json`;
contentType = "application/json";
}
// Log data export
await securityAuditLogger.logPlatformAdmin(
"security_data_export",
AuditOutcome.SUCCESS,
context,
undefined,
{
exportType: query.type,
format: query.format,
timeRange,
dataSize: data.length,
}
);
const headers = new Headers({
"Content-Type": contentType,
"Content-Disposition": `attachment; filename="${filename}"`,
"Content-Length": data.length.toString(),
});
return new NextResponse(data, { headers });
} catch (error) {
console.error("Security data export error:", error);
if (error instanceof z.ZodError) {
return NextResponse.json(
{ error: "Invalid query parameters", details: error.errors },
{ status: 400 }
);
}
return NextResponse.json(
{ error: "Internal server error" },
{ status: 500 }
);
}
}

169
app/api/admin/security-monitoring/route.ts Normal file
View File

@ -0,0 +1,169 @@
import { type NextRequest, NextResponse } from "next/server";
import { getServerSession } from "next-auth";
import { z } from "zod";
import { authOptions } from "@/lib/auth";
import {
AuditOutcome,
createAuditContext,
securityAuditLogger,
} from "@/lib/securityAuditLogger";
import {
type AlertSeverity,
securityMonitoring,
} from "@/lib/securityMonitoring";
const metricsQuerySchema = z.object({
startDate: z.string().datetime().optional(),
endDate: z.string().datetime().optional(),
companyId: z.string().uuid().optional(),
severity: z.enum(["LOW", "MEDIUM", "HIGH", "CRITICAL"]).optional(),
});
const configUpdateSchema = z.object({
thresholds: z
.object({
failedLoginsPerMinute: z.number().min(1).max(100).optional(),
failedLoginsPerHour: z.number().min(1).max(1000).optional(),
rateLimitViolationsPerMinute: z.number().min(1).max(100).optional(),
cspViolationsPerMinute: z.number().min(1).max(100).optional(),
adminActionsPerHour: z.number().min(1).max(100).optional(),
massDataAccessThreshold: z.number().min(10).max(10000).optional(),
suspiciousIPThreshold: z.number().min(1).max(100).optional(),
})
.optional(),
alerting: z
.object({
enabled: z.boolean().optional(),
channels: z
.array(z.enum(["EMAIL", "WEBHOOK", "SLACK", "DISCORD", "PAGERDUTY"]))
.optional(),
suppressDuplicateMinutes: z.number().min(1).max(1440).optional(),
escalationTimeoutMinutes: z.number().min(5).max(1440).optional(),
})
.optional(),
retention: z
.object({
alertRetentionDays: z.number().min(1).max(3650).optional(),
metricsRetentionDays: z.number().min(1).max(3650).optional(),
})
.optional(),
});
export async function GET(request: NextRequest) {
try {
const session = await getServerSession(authOptions);
if (!session?.user) {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}
// Only platform admins can access security monitoring
if (!session.user.isPlatformUser) {
return NextResponse.json({ error: "Forbidden" }, { status: 403 });
}
const url = new URL(request.url);
const params = Object.fromEntries(url.searchParams.entries());
const query = metricsQuerySchema.parse(params);
const context = await createAuditContext(request, session);
const timeRange = {
start: query.startDate
? new Date(query.startDate)
: new Date(Date.now() - 24 * 60 * 60 * 1000),
end: query.endDate ? new Date(query.endDate) : new Date(),
};
// Get security metrics
const metrics = await securityMonitoring.getSecurityMetrics(
timeRange,
query.companyId
);
// Get active alerts
const alerts = securityMonitoring.getActiveAlerts(
query.severity as AlertSeverity
);
// Get monitoring configuration
const config = securityMonitoring.getConfig();
// Log access to security monitoring
await securityAuditLogger.logPlatformAdmin(
"security_monitoring_access",
AuditOutcome.SUCCESS,
context
);
return NextResponse.json({
metrics,
alerts,
config,
timeRange,
});
} catch (error) {
console.error("Security monitoring API error:", error);
if (error instanceof z.ZodError) {
return NextResponse.json(
{ error: "Invalid query parameters", details: error.errors },
{ status: 400 }
);
}
return NextResponse.json(
{ error: "Internal server error" },
{ status: 500 }
);
}
}
export async function POST(request: NextRequest) {
try {
const session = await getServerSession(authOptions);
if (!session?.user) {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}
if (!session.user.isPlatformUser) {
return NextResponse.json({ error: "Forbidden" }, { status: 403 });
}
const body = await request.json();
const config = configUpdateSchema.parse(body);
const context = await createAuditContext(request, session);
// Update monitoring configuration
securityMonitoring.updateConfig(config);
// Log configuration change
await securityAuditLogger.logPlatformAdmin(
"security_monitoring_config_update",
AuditOutcome.SUCCESS,
context,
undefined,
{ configChanges: config }
);
return NextResponse.json({
success: true,
config: securityMonitoring.getConfig(),
});
} catch (error) {
console.error("Security monitoring config update error:", error);
if (error instanceof z.ZodError) {
return NextResponse.json(
{ error: "Invalid configuration", details: error.errors },
{ status: 400 }
);
}
return NextResponse.json(
{ error: "Internal server error" },
{ status: 500 }
);
}
}

191
app/api/admin/security-monitoring/threat-analysis/route.ts Normal file
View File

@ -0,0 +1,191 @@
import { type NextRequest, NextResponse } from "next/server";
import { getServerSession } from "next-auth";
import { z } from "zod";
import { authOptions } from "@/lib/auth";
import {
AuditOutcome,
createAuditContext,
securityAuditLogger,
} from "@/lib/securityAuditLogger";
import { securityMonitoring, type SecurityMetrics, type AlertType } from "@/lib/securityMonitoring";
const threatAnalysisSchema = z.object({
ipAddress: z.string().ip().optional(),
userId: z.string().uuid().optional(),
timeRange: z
.object({
start: z.string().datetime(),
end: z.string().datetime(),
})
.optional(),
});
export async function POST(request: NextRequest) {
try {
const session = await getServerSession(authOptions);
if (!session?.user || !session.user.isPlatformUser) {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}
const body = await request.json();
const analysis = threatAnalysisSchema.parse(body);
const context = await createAuditContext(request, session);
interface ThreatAnalysisResults {
ipThreatAnalysis?: {
ipAddress: string;
threatLevel: number;
isBlacklisted: boolean;
riskFactors: string[];
};
timeRangeAnalysis?: {
timeRange: { start: Date; end: Date };
securityScore: number;
threatLevel: string;
topThreats: Array<{ type: AlertType; count: number }>;
geoDistribution: Record<string, number>;
riskUsers: Array<{ userId: string; email: string; riskScore: number }>;
};
overallThreatLandscape?: {
currentThreatLevel: string;
securityScore: number;
activeAlerts: number;
criticalEvents: number;
recommendations: string[];
};
}
const results: ThreatAnalysisResults = {};
// IP threat analysis
if (analysis.ipAddress) {
const ipThreat = await securityMonitoring.calculateIPThreatLevel(
analysis.ipAddress
);
results.ipThreatAnalysis = {
ipAddress: analysis.ipAddress,
...ipThreat,
};
}
// Time-based analysis
if (analysis.timeRange) {
const timeRange = {
start: new Date(analysis.timeRange.start),
end: new Date(analysis.timeRange.end),
};
const metrics = await securityMonitoring.getSecurityMetrics(timeRange);
results.timeRangeAnalysis = {
timeRange,
securityScore: metrics.securityScore,
threatLevel: metrics.threatLevel,
topThreats: metrics.topThreats,
geoDistribution: metrics.geoDistribution,
riskUsers: metrics.userRiskScores.slice(0, 5),
};
}
// General threat landscape
const defaultTimeRange = {
start: new Date(Date.now() - 24 * 60 * 60 * 1000), // Last 24 hours
end: new Date(),
};
const overallMetrics =
await securityMonitoring.getSecurityMetrics(defaultTimeRange);
results.overallThreatLandscape = {
currentThreatLevel: overallMetrics.threatLevel,
securityScore: overallMetrics.securityScore,
activeAlerts: overallMetrics.activeAlerts,
criticalEvents: overallMetrics.criticalEvents,
recommendations: generateThreatRecommendations(overallMetrics),
};
// Log threat analysis request
await securityAuditLogger.logPlatformAdmin(
"threat_analysis_performed",
AuditOutcome.SUCCESS,
context,
undefined,
{
analysisType: Object.keys(analysis),
threatLevel: results.overallThreatLandscape?.currentThreatLevel,
}
);
return NextResponse.json(results);
} catch (error) {
console.error("Threat analysis error:", error);
if (error instanceof z.ZodError) {
return NextResponse.json(
{ error: "Invalid request", details: error.errors },
{ status: 400 }
);
}
return NextResponse.json(
{ error: "Internal server error" },
{ status: 500 }
);
}
}
function generateThreatRecommendations(metrics: SecurityMetrics): string[] {
const recommendations: string[] = [];
if (metrics.securityScore < 70) {
recommendations.push(
"Security score is below acceptable threshold - immediate action required"
);
}
if (metrics.activeAlerts > 5) {
recommendations.push(
"High number of active alerts - prioritize alert resolution"
);
}
if (metrics.criticalEvents > 0) {
recommendations.push(
"Critical security events detected - investigate immediately"
);
}
const highRiskUsers = metrics.userRiskScores.filter(
(user) => user.riskScore > 50
);
if (highRiskUsers.length > 0) {
recommendations.push(
`${highRiskUsers.length} users have elevated risk scores - review accounts`
);
}
// Check for geographic anomalies
const countries = Object.keys(metrics.geoDistribution);
if (countries.length > 10) {
recommendations.push(
"High geographic diversity detected - review for suspicious activity"
);
}
// Check for common attack patterns
const bruteForceAlerts = metrics.topThreats.filter(
(threat) => threat.type === "BRUTE_FORCE_ATTACK"
);
if (bruteForceAlerts.length > 0) {
recommendations.push(
"Brute force attacks detected - strengthen authentication controls"
);
}
if (recommendations.length === 0) {
recommendations.push(
"Security posture appears stable - continue monitoring"
);
}
return recommendations;
}

1
app/api/admin/trigger-processing/route.ts
View File

@ -87,7 +87,6 @@ export async function POST(request: NextRequest) {
}
// Start processing (this will run asynchronously)
const _startTime = Date.now();
// Note: We're calling the function but not awaiting it to avoid timeout
// The processing will continue in the background

110
app/api/csp-metrics/route.ts Normal file
View File

@ -0,0 +1,110 @@
import { type NextRequest, NextResponse } from "next/server";
import { cspMonitoring } from "@/lib/csp-monitoring";
import { rateLimiter } from "@/lib/rateLimiter";
export async function GET(request: NextRequest) {
try {
// Rate limiting for metrics endpoint
const ip =
request.ip || request.headers.get("x-forwarded-for") || "unknown";
const rateLimitResult = await rateLimiter.check(
`csp-metrics:${ip}`,
30, // 30 requests
60 * 1000 // per minute
);
if (!rateLimitResult.success) {
return NextResponse.json({ error: "Too many requests" }, { status: 429 });
}
// Parse query parameters
const url = new URL(request.url);
const timeRange = url.searchParams.get("range") || "24h";
const format = url.searchParams.get("format") || "json";
// Calculate time range
const now = new Date();
let start: Date;
switch (timeRange) {
case "1h":
start = new Date(now.getTime() - 60 * 60 * 1000);
break;
case "6h":
start = new Date(now.getTime() - 6 * 60 * 60 * 1000);
break;
case "24h":
start = new Date(now.getTime() - 24 * 60 * 60 * 1000);
break;
case "7d":
start = new Date(now.getTime() - 7 * 24 * 60 * 60 * 1000);
break;
case "30d":
start = new Date(now.getTime() - 30 * 24 * 60 * 60 * 1000);
break;
default:
start = new Date(now.getTime() - 24 * 60 * 60 * 1000);
}
// Get metrics from monitoring service
const metrics = cspMonitoring.getMetrics({ start, end: now });
// Get policy recommendations
const recommendations = cspMonitoring.generatePolicyRecommendations({
start,
end: now,
});
const response = {
timeRange: {
start: start.toISOString(),
end: now.toISOString(),
range: timeRange,
},
summary: {
totalViolations: metrics.totalViolations,
criticalViolations: metrics.criticalViolations,
bypassAttempts: metrics.bypassAttempts,
violationRate:
metrics.totalViolations /
((now.getTime() - start.getTime()) / (60 * 60 * 1000)), // per hour
},
topViolatedDirectives: metrics.topViolatedDirectives,
topBlockedUris: metrics.topBlockedUris,
violationTrends: metrics.violationTrends,
recommendations: recommendations,
lastUpdated: now.toISOString(),
};
// Export format handling
if (format === "csv") {
const csv = cspMonitoring.exportViolations("csv");
return new NextResponse(csv, {
headers: {
"Content-Type": "text/csv",
"Content-Disposition": `attachment; filename="csp-violations-${timeRange}.csv"`,
},
});
}
return NextResponse.json(response);
} catch (error) {
console.error("Error fetching CSP metrics:", error);
return NextResponse.json(
{ error: "Failed to fetch metrics" },
{ status: 500 }
);
}
}
// Handle preflight requests
export async function OPTIONS() {
return new NextResponse(null, {
status: 200,
headers: {
"Access-Control-Allow-Origin": "*",
"Access-Control-Allow-Methods": "GET, OPTIONS",
"Access-Control-Allow-Headers": "Content-Type",
},
});
}

130
app/api/csp-report/route.ts Normal file
View File

@ -0,0 +1,130 @@
import { type NextRequest, NextResponse } from "next/server";
import {
type CSPViolationReport,
detectCSPBypass,
parseCSPViolation,
} from "@/lib/csp";
import { cspMonitoring } from "@/lib/csp-monitoring";
import { rateLimiter } from "@/lib/rateLimiter";
export async function POST(request: NextRequest) {
try {
// Rate limiting for CSP reports
const ip =
request.ip || request.headers.get("x-forwarded-for") || "unknown";
const rateLimitResult = await rateLimiter.check(
`csp-report:${ip}`,
10, // 10 reports
60 * 1000 // per minute
);
if (!rateLimitResult.success) {
return NextResponse.json(
{ error: "Too many CSP reports" },
{ status: 429 }
);
}
const contentType = request.headers.get("content-type");
if (
!contentType?.includes("application/csp-report") &&
!contentType?.includes("application/json")
) {
return NextResponse.json(
{ error: "Invalid content type" },
{ status: 400 }
);
}
const report: CSPViolationReport = await request.json();
if (!report["csp-report"]) {
return NextResponse.json(
{ error: "Invalid CSP report format" },
{ status: 400 }
);
}
// Process violation through monitoring service
const monitoringResult = await cspMonitoring.processViolation(
report,
ip,
request.headers.get("user-agent") || undefined
);
// Enhanced logging based on monitoring analysis
const logEntry = {
timestamp: new Date().toISOString(),
ip,
userAgent: request.headers.get("user-agent"),
violation: parseCSPViolation(report),
bypassDetection: detectCSPBypass(
report["csp-report"]["blocked-uri"] +
" " +
(report["csp-report"]["script-sample"] || "")
),
originalReport: report,
alertLevel: monitoringResult.alertLevel,
shouldAlert: monitoringResult.shouldAlert,
recommendations: monitoringResult.recommendations,
};
// In development, log to console with recommendations
if (process.env.NODE_ENV === "development") {
console.warn("🚨 CSP Violation Detected:", {
...logEntry,
recommendations: monitoringResult.recommendations,
});
if (monitoringResult.recommendations.length > 0) {
console.info("💡 Recommendations:", monitoringResult.recommendations);
}
}
// Enhanced alerting based on monitoring service analysis
if (monitoringResult.shouldAlert) {
const alertEmoji = {
low: "🟡",
medium: "🟠",
high: "🔴",
critical: "🚨",
}[monitoringResult.alertLevel];
console.error(
`${alertEmoji} CSP ${monitoringResult.alertLevel.toUpperCase()} ALERT:`,
{
directive: logEntry.violation.directive,
blockedUri: logEntry.violation.blockedUri,
isBypassAttempt: logEntry.bypassDetection.isDetected,
riskLevel: logEntry.bypassDetection.riskLevel,
recommendations: monitoringResult.recommendations.slice(0, 3), // Limit to 3 recommendations
}
);
}
// Clean up old violations periodically (every 100 requests)
if (Math.random() < 0.01) {
cspMonitoring.cleanupOldViolations();
}
return new NextResponse(null, { status: 204 });
} catch (error) {
console.error("Error processing CSP report:", error);
return NextResponse.json(
{ error: "Failed to process report" },
{ status: 500 }
);
}
}
// Handle preflight requests
export async function OPTIONS() {
return new NextResponse(null, {
status: 200,
headers: {
"Access-Control-Allow-Origin": "*",
"Access-Control-Allow-Methods": "POST, OPTIONS",
"Access-Control-Allow-Headers": "Content-Type",
},
});
}

6
app/api/csrf-token/route.ts
View File

@ -5,7 +5,7 @@
* It generates a new token and sets it as an HTTP-only cookie.
*/
import { NextRequest } from "next/server";
import type { NextRequest } from "next/server";
import { generateCSRFTokenResponse } from "../../../middleware/csrfProtection";
/**
@ -14,6 +14,6 @@ import { generateCSRFTokenResponse } from "../../../middleware/csrfProtection";
* Generates and returns a new CSRF token.
* The token is also set as an HTTP-only cookie for automatic inclusion in requests.
*/
export function GET(request: NextRequest) {
export function GET() {
return generateCSRFTokenResponse();
}
}

2
app/api/dashboard/config/route.ts
View File

@ -3,7 +3,7 @@ import { getServerSession } from "next-auth";
import { authOptions } from "../../../../lib/auth";
import { prisma } from "../../../../lib/prisma";
export async function GET(_request: NextRequest) {
export async function GET() {
const session = await getServerSession(authOptions);
if (!session?.user) {
return NextResponse.json({ error: "Not logged in" }, { status: 401 });

2
app/api/dashboard/session-filter-options/route.ts
View File

@ -3,7 +3,7 @@ import { getServerSession } from "next-auth/next";
import { authOptions } from "../../../../lib/auth";
import { prisma } from "../../../../lib/prisma";
export async function GET(_request: NextRequest) {
export async function GET() {
const authSession = await getServerSession(authOptions);
if (!authSession || !authSession.user?.companyId) {

2
app/api/dashboard/users/route.ts
View File

@ -11,7 +11,7 @@ interface UserBasicInfo {
role: string;
}
export async function GET(_request: NextRequest) {
export async function GET() {
const session = await getServerSession(authOptions);
if (!session?.user || session.user.role !== "ADMIN") {
return NextResponse.json({ error: "Forbidden" }, { status: 403 });

78
app/api/forgot-password/route.ts
View File

@ -2,6 +2,11 @@ import crypto from "node:crypto";
import { type NextRequest, NextResponse } from "next/server";
import { prisma } from "../../../lib/prisma";
import { extractClientIP, InMemoryRateLimiter } from "../../../lib/rateLimiter";
import {
AuditOutcome,
createAuditMetadata,
securityAuditLogger,
} from "../../../lib/securityAuditLogger";
import { sendEmail } from "../../../lib/sendEmail";
import { forgotPasswordSchema, validateInput } from "../../../lib/validation";
@ -17,9 +22,25 @@ export async function POST(request: NextRequest) {
try {
// Rate limiting check using shared utility
const ip = extractClientIP(request);
const userAgent = request.headers.get("user-agent") || undefined;
const rateLimitResult = passwordResetLimiter.checkRateLimit(ip);
if (!rateLimitResult.allowed) {
await securityAuditLogger.logPasswordReset(
"password_reset_rate_limited",
AuditOutcome.RATE_LIMITED,
{
ipAddress: ip,
userAgent,
metadata: createAuditMetadata({
resetTime: rateLimitResult.resetTime,
maxAttempts: 5,
windowMs: 15 * 60 * 1000,
}),
},
"Password reset rate limit exceeded"
);
return NextResponse.json(
{
success: false,
@ -34,6 +55,19 @@ export async function POST(request: NextRequest) {
// Validate input
const validation = validateInput(forgotPasswordSchema, body);
if (!validation.success) {
await securityAuditLogger.logPasswordReset(
"password_reset_invalid_input",
AuditOutcome.FAILURE,
{
ipAddress: ip,
userAgent,
metadata: createAuditMetadata({
error: "invalid_email_format",
}),
},
"Invalid email format in password reset request"
);
return NextResponse.json(
{
success: false,
@ -65,11 +99,55 @@ export async function POST(request: NextRequest) {
subject: "Password Reset",
text: `Reset your password: ${resetUrl}`,
});
await securityAuditLogger.logPasswordReset(
"password_reset_email_sent",
AuditOutcome.SUCCESS,
{
userId: user.id,
companyId: user.companyId,
ipAddress: ip,
userAgent,
metadata: createAuditMetadata({
email: "[REDACTED]",
tokenExpiry: expiry.toISOString(),
}),
},
"Password reset email sent successfully"
);
} else {
// Log attempt for non-existent user
await securityAuditLogger.logPasswordReset(
"password_reset_user_not_found",
AuditOutcome.FAILURE,
{
ipAddress: ip,
userAgent,
metadata: createAuditMetadata({
email: "[REDACTED]",
}),
},
"Password reset attempt for non-existent user"
);
}
return NextResponse.json({ success: true }, { status: 200 });
} catch (error) {
console.error("Forgot password error:", error);
await securityAuditLogger.logPasswordReset(
"password_reset_server_error",
AuditOutcome.FAILURE,
{
ipAddress: extractClientIP(request),
userAgent: request.headers.get("user-agent") || undefined,
metadata: createAuditMetadata({
error: "server_error",
}),
},
`Server error in password reset: ${error}`
);
return NextResponse.json(
{
success: false,

13
app/api/platform/companies/[id]/users/route.ts
View File

@ -73,14 +73,13 @@ export async function POST(
{ error: "User already exists in this company" },
{ status: 400 }
);
} else {
return NextResponse.json(
{
error: `Email already in use by a user in company: ${existingUser.company.name}. Each email address can only be used once across all companies.`
},
{ status: 400 }
);
}
return NextResponse.json(
{
error: `Email already in use by a user in company: ${existingUser.company.name}. Each email address can only be used once across all companies.`,
},
{ status: 400 }
);
}
// Generate a temporary password (in a real app, you'd send an invitation email)

108
app/api/platform/companies/route.ts
View File

@ -3,13 +3,34 @@ import { type NextRequest, NextResponse } from "next/server";
import { getServerSession } from "next-auth";
import { platformAuthOptions } from "../../../../lib/platform-auth";
import { prisma } from "../../../../lib/prisma";
import { extractClientIP } from "../../../../lib/rateLimiter";
import {
AuditOutcome,
createAuditMetadata,
securityAuditLogger,
} from "../../../../lib/securityAuditLogger";
// GET /api/platform/companies - List all companies
export async function GET(request: NextRequest) {
try {
const session = await getServerSession(platformAuthOptions);
const ip = extractClientIP(request);
const userAgent = request.headers.get("user-agent") || undefined;
if (!session?.user?.isPlatformUser) {
await securityAuditLogger.logPlatformAdmin(
"platform_companies_unauthorized_access",
AuditOutcome.BLOCKED,
{
ipAddress: ip,
userAgent,
metadata: createAuditMetadata({
error: "no_platform_session",
}),
},
"Unauthorized attempt to access platform companies list"
);
return NextResponse.json(
{ error: "Platform access required" },
{ status: 401 }
@ -63,6 +84,24 @@ export async function GET(request: NextRequest) {
prisma.company.count({ where }),
]);
// Log successful platform companies access
await securityAuditLogger.logPlatformAdmin(
"platform_companies_list_accessed",
AuditOutcome.SUCCESS,
{
platformUserId: session.user.id,
ipAddress: ip,
userAgent,
metadata: createAuditMetadata({
companiesReturned: companies.length,
totalCompanies: total,
filters: { status, search },
pagination: { page, limit },
}),
},
"Platform companies list accessed"
);
return NextResponse.json({
companies,
pagination: {
@ -74,6 +113,21 @@ export async function GET(request: NextRequest) {
});
} catch (error) {
console.error("Platform companies list error:", error);
await securityAuditLogger.logPlatformAdmin(
"platform_companies_list_error",
AuditOutcome.FAILURE,
{
platformUserId: session?.user?.id,
ipAddress: extractClientIP(request),
userAgent: request.headers.get("user-agent") || undefined,
metadata: createAuditMetadata({
error: "server_error",
}),
},
`Server error in platform companies list: ${error}`
);
return NextResponse.json(
{ error: "Internal server error" },
{ status: 500 }
@ -85,11 +139,29 @@ export async function GET(request: NextRequest) {
export async function POST(request: NextRequest) {
try {
const session = await getServerSession(platformAuthOptions);
const ip = extractClientIP(request);
const userAgent = request.headers.get("user-agent") || undefined;
if (
!session?.user?.isPlatformUser ||
session.user.platformRole === "SUPPORT"
) {
await securityAuditLogger.logPlatformAdmin(
"platform_company_create_unauthorized",
AuditOutcome.BLOCKED,
{
platformUserId: session?.user?.id,
ipAddress: ip,
userAgent,
metadata: createAuditMetadata({
error: "insufficient_permissions",
requiredRole: "ADMIN",
currentRole: session?.user?.platformRole,
}),
},
"Unauthorized attempt to create platform company"
);
return NextResponse.json(
{ error: "Admin access required" },
{ status: 403 }
@ -165,6 +237,27 @@ export async function POST(request: NextRequest) {
};
});
// Log successful company creation
await securityAuditLogger.logCompanyManagement(
"platform_company_created",
AuditOutcome.SUCCESS,
{
platformUserId: session.user.id,
companyId: result.company.id,
ipAddress: ip,
userAgent,
metadata: createAuditMetadata({
companyName: result.company.name,
companyStatus: result.company.status,
adminUserEmail: "[REDACTED]",
adminUserName: result.adminUser.name,
maxUsers: result.company.maxUsers,
hasGeneratedPassword: !!result.generatedPassword,
}),
},
"Platform company created successfully"
);
return NextResponse.json(
{
company: result.company,
@ -179,6 +272,21 @@ export async function POST(request: NextRequest) {
);
} catch (error) {
console.error("Platform company creation error:", error);
await securityAuditLogger.logCompanyManagement(
"platform_company_create_error",
AuditOutcome.FAILURE,
{
platformUserId: session?.user?.id,
ipAddress: extractClientIP(request),
userAgent: request.headers.get("user-agent") || undefined,
metadata: createAuditMetadata({
error: "server_error",
}),
},
`Server error in platform company creation: ${error}`
);
return NextResponse.json(
{ error: "Internal server error" },
{ status: 500 }

65
app/api/reset-password/route.ts
View File

@ -2,15 +2,37 @@ import crypto from "node:crypto";
import bcrypt from "bcryptjs";
import { type NextRequest, NextResponse } from "next/server";
import { prisma } from "../../../lib/prisma";
import { extractClientIP } from "../../../lib/rateLimiter";
import {
AuditOutcome,
createAuditMetadata,
securityAuditLogger,
} from "../../../lib/securityAuditLogger";
import { resetPasswordSchema, validateInput } from "../../../lib/validation";
export async function POST(request: NextRequest) {
try {
const ip = extractClientIP(request);
const userAgent = request.headers.get("user-agent") || undefined;
const body = await request.json();
// Validate input with strong password requirements
const validation = validateInput(resetPasswordSchema, body);
if (!validation.success) {
await securityAuditLogger.logPasswordReset(
"password_reset_validation_failed",
AuditOutcome.FAILURE,
{
ipAddress: ip,
userAgent,
metadata: createAuditMetadata({
error: "validation_failed",
validationErrors: validation.errors,
}),
},
"Password reset validation failed"
);
return NextResponse.json(
{
success: false,
@ -34,6 +56,19 @@ export async function POST(request: NextRequest) {
});
if (!user) {
await securityAuditLogger.logPasswordReset(
"password_reset_invalid_token",
AuditOutcome.FAILURE,
{
ipAddress: ip,
userAgent,
metadata: createAuditMetadata({
error: "invalid_or_expired_token",
}),
},
"Password reset attempt with invalid or expired token"
);
return NextResponse.json(
{
success: false,
@ -56,6 +91,22 @@ export async function POST(request: NextRequest) {
},
});
await securityAuditLogger.logPasswordReset(
"password_reset_completed",
AuditOutcome.SUCCESS,
{
userId: user.id,
companyId: user.companyId,
ipAddress: ip,
userAgent,
metadata: createAuditMetadata({
email: "[REDACTED]",
passwordChanged: true,
}),
},
"Password reset completed successfully"
);
return NextResponse.json(
{
success: true,
@ -65,6 +116,20 @@ export async function POST(request: NextRequest) {
);
} catch (error) {
console.error("Reset password error:", error);
await securityAuditLogger.logPasswordReset(
"password_reset_server_error",
AuditOutcome.FAILURE,
{
ipAddress: extractClientIP(request),
userAgent: request.headers.get("user-agent") || undefined,
metadata: createAuditMetadata({
error: "server_error",
}),
},
`Server error in password reset completion: ${error}`
);
return NextResponse.json(
{
success: false,