feat: comprehensive security and architecture improvements

- Add Zod validation schemas with strong password requirements (12+ chars, complexity) - Implement rate limiting for authentication endpoints (registration, password reset) - Remove duplicate MetricCard component, consolidate to ui/metric-card.tsx - Update README.md to use pnpm commands consistently - Enhance authentication security with 12-round bcrypt hashing - Add comprehensive input validation for all API endpoints - Fix security vulnerabilities in user registration and password reset flows 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-16 09:32:08 +01:00 · 2025-06-28 01:52:53 +02:00
parent 192f9497b4
commit 7f48a085bf
68 changed files with 8045 additions and 4542 deletions
--- a/app/api/forgot-password/route.ts
+++ b/app/api/forgot-password/route.ts
@ -1,28 +1,92 @@
 import { NextRequest, NextResponse } from "next/server";
 import { prisma } from "../../../lib/prisma";
 import { sendEmail } from "../../../lib/sendEmail";
+import { forgotPasswordSchema, validateInput } from "../../../lib/validation";
 import crypto from "crypto";

-export async function POST(request: NextRequest) {
-  const body = await request.json();
-  const { email } = body as { email: string };
+// In-memory rate limiting for password reset requests
+const resetAttempts = new Map<string, { count: number; resetTime: number }>();

-  const user = await prisma.user.findUnique({ where: { email } });
-  if (!user) {
-    // Always return 200 for privacy (don't reveal if email exists)
-    return NextResponse.json({ success: true }, { status: 200 });
+function checkRateLimit(ip: string): boolean {
+  const now = Date.now();
+  const attempts = resetAttempts.get(ip);
+
+  if (!attempts || now > attempts.resetTime) {
+    resetAttempts.set(ip, { count: 1, resetTime: now + 15 * 60 * 1000 }); // 15 minute window
+    return true;
  }

-  const token = crypto.randomBytes(32).toString("hex");
-  const expiry = new Date(Date.now() + 1000 * 60 * 30); // 30 min expiry
-  
-  await prisma.user.update({
-    where: { email },
-    data: { resetToken: token, resetTokenExpiry: expiry },
-  });
+  if (attempts.count >= 5) {
+    // Max 5 reset requests per 15 minutes per IP
+    return false;
+  }

-  const resetUrl = `${process.env.NEXTAUTH_URL || "http://localhost:3000"}/reset-password?token=${token}`;
-  await sendEmail(email, "Password Reset", `Reset your password: ${resetUrl}`);
-  
-  return NextResponse.json({ success: true }, { status: 200 });
+  attempts.count++;
+  return true;
+}
+
+export async function POST(request: NextRequest) {
+  try {
+    // Rate limiting check
+    const ip =
+      request.ip || request.headers.get("x-forwarded-for") || "unknown";
+    if (!checkRateLimit(ip)) {
+      return NextResponse.json(
+        {
+          success: false,
+          error: "Too many password reset attempts. Please try again later.",
+        },
+        { status: 429 }
+      );
+    }
+
+    const body = await request.json();
+
+    // Validate input
+    const validation = validateInput(forgotPasswordSchema, body);
+    if (!validation.success) {
+      return NextResponse.json(
+        {
+          success: false,
+          error: "Invalid email format",
+        },
+        { status: 400 }
+      );
+    }
+
+    const { email } = validation.data;
+
+    const user = await prisma.user.findUnique({ where: { email } });
+
+    // Always return success for privacy (don't reveal if email exists)
+    // But only send email if user exists
+    if (user) {
+      const token = crypto.randomBytes(32).toString("hex");
+      const tokenHash = crypto.createHash("sha256").update(token).digest("hex");
+      const expiry = new Date(Date.now() + 1000 * 60 * 30); // 30 min expiry
+
+      await prisma.user.update({
+        where: { email },
+        data: { resetToken: tokenHash, resetTokenExpiry: expiry },
+      });
+
+      const resetUrl = `${process.env.NEXTAUTH_URL || "http://localhost:3000"}/reset-password?token=${token}`;
+      await sendEmail(
+        email,
+        "Password Reset",
+        `Reset your password: ${resetUrl}`
+      );
+    }
+
+    return NextResponse.json({ success: true }, { status: 200 });
+  } catch (error) {
+    console.error("Forgot password error:", error);
+    return NextResponse.json(
+      {
+        success: false,
+        error: "Internal server error",
+      },
+      { status: 500 }
+    );
+  }
 }