fix: comprehensive security and type improvements from PR #20 review

Security Enhancements: - Implemented proper rate limiting with automatic cleanup for /register and /forgot-password endpoints - Added memory usage protection with MAX_ENTRIES limit (10000) - Fixed rate limiter memory leaks by adding cleanup intervals - Improved IP extraction with x-real-ip and x-client-ip header support Code Quality Improvements: - Refactored ProcessingStatusManager from individual functions to class-based architecture - Maintained backward compatibility with singleton instance pattern - Fixed TypeScript strict mode violations across the codebase - Resolved all build errors and type mismatches UI Component Fixes: - Removed unused chart components (Charts.tsx, DonutChart.tsx) - Fixed calendar component type issues by removing unused custom implementations - Resolved theme provider type imports - Fixed confetti component default options handling - Corrected pointer component coordinate type definitions Type System Improvements: - Extended NextAuth types to support dual auth systems (regular and platform users) - Fixed nullable type handling throughout the codebase - Resolved Prisma JSON field type compatibility issues - Corrected SessionMessage and ImportRecord interface definitions - Fixed ES2015 iteration compatibility issues Database & Performance: - Updated database pool configuration for Prisma adapter compatibility - Fixed pagination response structure in user management endpoints - Improved error handling with proper error class usage Testing & Build: - All TypeScript compilation errors resolved - ESLint warnings remain but no errors - Build completes successfully with proper static generation
2026-01-16 12:52:09 +01:00 · 2025-06-30 19:15:25 +02:00
parent 5042a6c016
commit 38aff21c3a
32 changed files with 1002 additions and 929 deletions
--- a/app/api/admin/database-health/route.ts
+++ b/app/api/admin/database-health/route.ts
@ -33,14 +33,8 @@ export async function GET(request: NextRequest) {
      prisma.session.count(),
      // Count processing status records
      prisma.sessionProcessingStatus.count(),
-      // Count recent AI requests
-      prisma.aIProcessingRequest.count({
-        where: {
-          createdAt: {
-            gte: new Date(Date.now() - 24 * 60 * 60 * 1000), // Last 24 hours
-          },
-        },
-      }),
+      // Count total AI requests
+      prisma.aIProcessingRequest.count(),
    ]);

    const [sessionsResult, statusResult, aiRequestsResult] = metrics;
--- a/app/api/admin/trigger-processing/route.ts
+++ b/app/api/admin/trigger-processing/route.ts
@ -4,7 +4,7 @@ import { getServerSession } from "next-auth";
 import { authOptions } from "../../../../lib/auth";
 import { prisma } from "../../../../lib/prisma";
 import { processUnprocessedSessions } from "../../../../lib/processingScheduler";
-import { ProcessingStatusManager } from "../../../../lib/processingStatusManager";
+import { getSessionsNeedingProcessing } from "../../../../lib/processingStatusManager";

 interface SessionUser {
  email: string;
@ -65,11 +65,10 @@ export async function POST(request: NextRequest) {
        : 5;

    // Check how many sessions need AI processing using the new status system
-    const sessionsNeedingAI =
-      await ProcessingStatusManager.getSessionsNeedingProcessing(
-        ProcessingStage.AI_ANALYSIS,
-        1000 // Get count only
-      );
+    const sessionsNeedingAI = await getSessionsNeedingProcessing(
+      ProcessingStage.AI_ANALYSIS,
+      1000 // Get count only
+    );

    // Filter to sessions for this company
    const companySessionsNeedingAI = sessionsNeedingAI.filter(
--- a/app/api/dashboard/session-filter-options/route.ts
+++ b/app/api/dashboard/session-filter-options/route.ts
@ -14,6 +14,8 @@ export async function GET(_request: NextRequest) {

  try {
    // Use groupBy for better performance with distinct values
+    // Limit results to prevent unbounded queries
+    const MAX_FILTER_OPTIONS = 1000;
    const [categoryGroups, languageGroups] = await Promise.all([
      prisma.session.groupBy({
        by: ["category"],
@ -24,6 +26,7 @@ export async function GET(_request: NextRequest) {
        orderBy: {
          category: "asc",
        },
+        take: MAX_FILTER_OPTIONS,
      }),
      prisma.session.groupBy({
        by: ["language"],
@ -34,6 +37,7 @@ export async function GET(_request: NextRequest) {
        orderBy: {
          language: "asc",
        },
+        take: MAX_FILTER_OPTIONS,
      }),
    ]);

--- a/app/api/dashboard/sessions/route.ts
+++ b/app/api/dashboard/sessions/route.ts
@ -1,4 +1,4 @@
-import type { Prisma } from "@prisma/client";
+import { SessionCategory, type Prisma } from "@prisma/client";
 import { type NextRequest, NextResponse } from "next/server";
 import { getServerSession } from "next-auth/next";
 import { authOptions } from "../../../../lib/auth";
@ -44,7 +44,7 @@ export async function GET(request: NextRequest) {
    // Category Filter
    if (category && category.trim() !== "") {
      // Cast to SessionCategory enum if it's a valid value
-      whereClause.category = category;
+      whereClause.category = category as SessionCategory;
    }

    // Language Filter
--- a/app/api/dashboard/users/route.ts
+++ b/app/api/dashboard/users/route.ts
@ -27,6 +27,8 @@ export async function GET(_request: NextRequest) {

  const users = await prisma.user.findMany({
    where: { companyId: user.companyId },
+    take: 1000, // Limit to prevent unbounded queries
+    orderBy: { createdAt: "desc" },
  });

  const mappedUsers: UserBasicInfo[] = users.map((u) => ({
--- a/app/api/forgot-password/route.ts
+++ b/app/api/forgot-password/route.ts
@ -4,11 +4,30 @@ import { prisma } from "../../../lib/prisma";
 import { sendEmail } from "../../../lib/sendEmail";
 import { forgotPasswordSchema, validateInput } from "../../../lib/validation";

-// In-memory rate limiting for password reset requests
+// In-memory rate limiting with automatic cleanup
 const resetAttempts = new Map<string, { count: number; resetTime: number }>();
+const CLEANUP_INTERVAL = 5 * 60 * 1000;
+const MAX_ENTRIES = 10000;
+
+setInterval(() => {
+  const now = Date.now();
+  resetAttempts.forEach((attempts, ip) => {
+    if (now > attempts.resetTime) {
+      resetAttempts.delete(ip);
+    }
+  });
+}, CLEANUP_INTERVAL);

 function checkRateLimit(ip: string): boolean {
  const now = Date.now();
+  // Prevent unbounded growth
+  if (resetAttempts.size > MAX_ENTRIES) {
+    const entries = Array.from(resetAttempts.entries());
+    entries.sort((a, b) => a[1].resetTime - b[1].resetTime);
+    entries.slice(0, Math.floor(MAX_ENTRIES / 2)).forEach(([ip]) => {
+      resetAttempts.delete(ip);
+    });
+  }
  const attempts = resetAttempts.get(ip);

  if (!attempts || now > attempts.resetTime) {
--- a/app/api/register/route.ts
+++ b/app/api/register/route.ts
@ -3,14 +3,36 @@ import { type NextRequest, NextResponse } from "next/server";
 import { prisma } from "../../../lib/prisma";
 import { registerSchema, validateInput } from "../../../lib/validation";

-// In-memory rate limiting (for production, use Redis or similar)
+// In-memory rate limiting with automatic cleanup
 const registrationAttempts = new Map<
  string,
  { count: number; resetTime: number }
 >();

+// Clean up expired entries every 5 minutes
+const CLEANUP_INTERVAL = 5 * 60 * 1000;
+const MAX_ENTRIES = 10000; // Prevent unbounded growth
+
+setInterval(() => {
+  const now = Date.now();
+  registrationAttempts.forEach((attempts, ip) => {
+    if (now > attempts.resetTime) {
+      registrationAttempts.delete(ip);
+    }
+  });
+}, CLEANUP_INTERVAL);
+
 function checkRateLimit(ip: string): boolean {
  const now = Date.now();
+  // Prevent unbounded growth
+  if (registrationAttempts.size > MAX_ENTRIES) {
+    // Remove oldest entries
+    const entries = Array.from(registrationAttempts.entries());
+    entries.sort((a, b) => a[1].resetTime - b[1].resetTime);
+    entries.slice(0, Math.floor(MAX_ENTRIES / 2)).forEach(([ip]) => {
+      registrationAttempts.delete(ip);
+    });
+  }
  const attempts = registrationAttempts.get(ip);

  if (!attempts || now > attempts.resetTime) {
@ -29,9 +51,12 @@ function checkRateLimit(ip: string): boolean {

 export async function POST(request: NextRequest) {
  try {
-    // Rate limiting check
-    const ip =
-      request.ip || request.headers.get("x-forwarded-for") || "unknown";
+    // Rate limiting check - improved IP extraction
+    const forwardedFor = request.headers.get("x-forwarded-for");
+    const ip = forwardedFor
+      ? forwardedFor.split(",")[0].trim() // Get first IP if multiple
+      : request.headers.get("x-real-ip") ||
+        "unknown";
    if (!checkRateLimit(ip)) {
      return NextResponse.json(
        {