feat: comprehensive security and architecture improvements

- Add Zod validation schemas with strong password requirements (12+ chars, complexity) - Implement rate limiting for authentication endpoints (registration, password reset) - Remove duplicate MetricCard component, consolidate to ui/metric-card.tsx - Update README.md to use pnpm commands consistently - Enhance authentication security with 12-round bcrypt hashing - Add comprehensive input validation for all API endpoints - Fix security vulnerabilities in user registration and password reset flows 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-16 12:12:09 +01:00 · 2025-06-28 01:52:53 +02:00
parent 192f9497b4
commit 7f48a085bf
68 changed files with 8045 additions and 4542 deletions
--- a/app/api/reset-password/route.ts
+++ b/app/api/reset-password/route.ts
@ -1,29 +1,34 @@
 import { NextRequest, NextResponse } from "next/server";
 import { prisma } from "../../../lib/prisma";
+import { resetPasswordSchema, validateInput } from "../../../lib/validation";
 import bcrypt from "bcryptjs";
+import crypto from "crypto";

 export async function POST(request: NextRequest) {
-  const body = await request.json();
-  const { token, password } = body as { token?: string; password?: string };
-
-  if (!token || !password) {
-    return NextResponse.json(
-      { error: "Token and password are required." },
-      { status: 400 }
-    );
-  }
-
-  if (password.length < 8) {
-    return NextResponse.json(
-      { error: "Password must be at least 8 characters long." },
-      { status: 400 }
-    );
-  }
-
  try {
+    const body = await request.json();
+
+    // Validate input with strong password requirements
+    const validation = validateInput(resetPasswordSchema, body);
+    if (!validation.success) {
+      return NextResponse.json(
+        {
+          success: false,
+          error: "Validation failed",
+          details: validation.errors,
+        },
+        { status: 400 }
+      );
+    }
+
+    const { token, password } = validation.data;
+
+    // Hash the token to compare with stored hash
+    const tokenHash = crypto.createHash("sha256").update(token).digest("hex");
+
    const user = await prisma.user.findFirst({
      where: {
-        resetToken: token,
+        resetToken: tokenHash,
        resetTokenExpiry: { gte: new Date() },
      },
    });
@ -31,30 +36,38 @@ export async function POST(request: NextRequest) {
    if (!user) {
      return NextResponse.json(
        {
-          error: "Invalid or expired token. Please request a new password reset.",
+          success: false,
+          error:
+            "Invalid or expired token. Please request a new password reset.",
        },
        { status: 400 }
      );
    }

-    const hash = await bcrypt.hash(password, 10);
+    // Hash password with higher rounds for better security
+    const hashedPassword = await bcrypt.hash(password, 12);
+
    await prisma.user.update({
      where: { id: user.id },
      data: {
-        password: hash,
+        password: hashedPassword,
        resetToken: null,
        resetTokenExpiry: null,
      },
    });

    return NextResponse.json(
-      { message: "Password has been reset successfully." },
+      {
+        success: true,
+        message: "Password has been reset successfully.",
+      },
      { status: 200 }
    );
  } catch (error) {
    console.error("Reset password error:", error);
    return NextResponse.json(
      {
+        success: false,
        error: "An internal server error occurred. Please try again later.",
      },
      { status: 500 }