fix: comprehensive security and type improvements from PR #20 review

Security Enhancements: - Implemented proper rate limiting with automatic cleanup for /register and /forgot-password endpoints - Added memory usage protection with MAX_ENTRIES limit (10000) - Fixed rate limiter memory leaks by adding cleanup intervals - Improved IP extraction with x-real-ip and x-client-ip header support Code Quality Improvements: - Refactored ProcessingStatusManager from individual functions to class-based architecture - Maintained backward compatibility with singleton instance pattern - Fixed TypeScript strict mode violations across the codebase - Resolved all build errors and type mismatches UI Component Fixes: - Removed unused chart components (Charts.tsx, DonutChart.tsx) - Fixed calendar component type issues by removing unused custom implementations - Resolved theme provider type imports - Fixed confetti component default options handling - Corrected pointer component coordinate type definitions Type System Improvements: - Extended NextAuth types to support dual auth systems (regular and platform users) - Fixed nullable type handling throughout the codebase - Resolved Prisma JSON field type compatibility issues - Corrected SessionMessage and ImportRecord interface definitions - Fixed ES2015 iteration compatibility issues Database & Performance: - Updated database pool configuration for Prisma adapter compatibility - Fixed pagination response structure in user management endpoints - Improved error handling with proper error class usage Testing & Build: - All TypeScript compilation errors resolved - ESLint warnings remain but no errors - Build completes successfully with proper static generation
2026-01-16 12:52:09 +01:00 · 2025-06-30 19:15:25 +02:00
parent 5042a6c016
commit 38aff21c3a
32 changed files with 1002 additions and 929 deletions
--- a/app/api/register/route.ts
+++ b/app/api/register/route.ts
@ -3,14 +3,36 @@ import { type NextRequest, NextResponse } from "next/server";
 import { prisma } from "../../../lib/prisma";
 import { registerSchema, validateInput } from "../../../lib/validation";

-// In-memory rate limiting (for production, use Redis or similar)
+// In-memory rate limiting with automatic cleanup
 const registrationAttempts = new Map<
  string,
  { count: number; resetTime: number }
 >();

+// Clean up expired entries every 5 minutes
+const CLEANUP_INTERVAL = 5 * 60 * 1000;
+const MAX_ENTRIES = 10000; // Prevent unbounded growth
+
+setInterval(() => {
+  const now = Date.now();
+  registrationAttempts.forEach((attempts, ip) => {
+    if (now > attempts.resetTime) {
+      registrationAttempts.delete(ip);
+    }
+  });
+}, CLEANUP_INTERVAL);
+
 function checkRateLimit(ip: string): boolean {
  const now = Date.now();
+  // Prevent unbounded growth
+  if (registrationAttempts.size > MAX_ENTRIES) {
+    // Remove oldest entries
+    const entries = Array.from(registrationAttempts.entries());
+    entries.sort((a, b) => a[1].resetTime - b[1].resetTime);
+    entries.slice(0, Math.floor(MAX_ENTRIES / 2)).forEach(([ip]) => {
+      registrationAttempts.delete(ip);
+    });
+  }
  const attempts = registrationAttempts.get(ip);

  if (!attempts || now > attempts.resetTime) {
@ -29,9 +51,12 @@ function checkRateLimit(ip: string): boolean {

 export async function POST(request: NextRequest) {
  try {
-    // Rate limiting check
-    const ip =
-      request.ip || request.headers.get("x-forwarded-for") || "unknown";
+    // Rate limiting check - improved IP extraction
+    const forwardedFor = request.headers.get("x-forwarded-for");
+    const ip = forwardedFor
+      ? forwardedFor.split(",")[0].trim() // Get first IP if multiple
+      : request.headers.get("x-real-ip") ||
+        "unknown";
    if (!checkRateLimit(ip)) {
      return NextResponse.json(
        {