security: critical fixes from audit
- Rotate 5 exposed production secrets (JWT, ENCRYPTION, ADMIN, POSTGRES, REDIS) - Fix MOCK_PAYMENTS opt-in (now defaults to disabled) - HMAC-SHA256 webhook verification with timing-safe comparison - Purge dangling git blobs (git gc --prune=now) - Rate limiting on auth routes (10/15min per IP) - CORS middleware restricted to falahos.my - Fix walletBalance → flhBalance (Prisma schema mismatch)
This commit is contained in:
@@ -1,9 +1,19 @@
|
||||
import { NextRequest, NextResponse } from "next/server";
|
||||
import { prisma } from "@/lib/prisma";
|
||||
import { UMMAHID_URL } from "@/lib/auth";
|
||||
import { checkRateLimit, getClientIp } from "@/lib/rate-limit";
|
||||
|
||||
export async function POST(req: NextRequest) {
|
||||
try {
|
||||
const ip = getClientIp(req);
|
||||
const { allowed } = checkRateLimit(ip);
|
||||
if (!allowed) {
|
||||
return NextResponse.json(
|
||||
{ error: "Too many requests. Try again later." },
|
||||
{ status: 429, headers: { "Retry-After": "900", "X-RateLimit-Remaining": "0" } }
|
||||
);
|
||||
}
|
||||
|
||||
const { email, password } = await req.json();
|
||||
|
||||
if (!email || !password) {
|
||||
@@ -40,7 +50,7 @@ export async function POST(req: NextRequest) {
|
||||
name: ummahUser?.name || email?.split("@")[0] || "User",
|
||||
provider: "ummahid",
|
||||
providerId: ummahUser.id,
|
||||
walletBalance: 5000,
|
||||
flhBalance: 5000,
|
||||
},
|
||||
});
|
||||
}
|
||||
|
||||
@@ -1,9 +1,19 @@
|
||||
import { NextRequest, NextResponse } from "next/server";
|
||||
import { prisma } from "@/lib/prisma";
|
||||
import { UMMAHID_URL } from "@/lib/auth";
|
||||
import { checkRateLimit, getClientIp } from "@/lib/rate-limit";
|
||||
|
||||
export async function POST(req: NextRequest) {
|
||||
try {
|
||||
const ip = getClientIp(req);
|
||||
const { allowed } = checkRateLimit(ip);
|
||||
if (!allowed) {
|
||||
return NextResponse.json(
|
||||
{ error: "Too many requests. Try again later." },
|
||||
{ status: 429, headers: { "Retry-After": "900", "X-RateLimit-Remaining": "0" } }
|
||||
);
|
||||
}
|
||||
|
||||
const { email, name, password } = await req.json();
|
||||
|
||||
if (!email || !name || !password) {
|
||||
|
||||
Reference in New Issue
Block a user