src/app/api/auth/%5B...nextauth%5D/route.ts

import { handlers } from '@/lib/auth'
import { checkRateLimit } from '@/lib/rate-limit'

const AUTH_RATE_LIMIT = 10 // requests per window
const AUTH_RATE_WINDOW_MS = 60 * 1000 // 1 minute

const CSRF_RATE_LIMIT = 20 // requests per window
const CSRF_RATE_WINDOW_MS = 15 * 60 * 1000 // 15 minutes

function getClientIp(req: Request): string {
  return (
    req.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ||
    req.headers.get('x-real-ip') ||
    'unknown'
  )
}

function withPostRateLimit(handler: (req: Request) => Promise<Response>) {
  return async (req: Request) => {
    const ip = getClientIp(req)
    const { success, resetAt } = checkRateLimit(`auth:${ip}`, AUTH_RATE_LIMIT, AUTH_RATE_WINDOW_MS)

    if (!success) {
      return new Response(JSON.stringify({ error: 'Too many authentication attempts' }), {
        status: 429,
        headers: {
          'Content-Type': 'application/json',
          'Retry-After': String(Math.ceil((resetAt - Date.now()) / 1000)),
        },
      })
    }

    return handler(req)
  }
}

function withGetRateLimit(handler: (req: Request) => Promise<Response>) {
  return async (req: Request) => {
    // Rate-limit the CSRF token endpoint to prevent token farming
    const url = new URL(req.url)
    if (url.pathname.endsWith('/csrf')) {
      const ip = getClientIp(req)
      const { success, resetAt } = checkRateLimit(`csrf:${ip}`, CSRF_RATE_LIMIT, CSRF_RATE_WINDOW_MS)

      if (!success) {
        return new Response(JSON.stringify({ error: 'Too many requests' }), {
          status: 429,
          headers: {
            'Content-Type': 'application/json',
            'Retry-After': String(Math.ceil((resetAt - Date.now()) / 1000)),
          },
        })
      }
    }

    return handler(req)
  }
}

export const GET = withGetRateLimit(handlers.GET as (req: Request) => Promise<Response>)
export const POST = withPostRateLimit(handlers.POST as (req: Request) => Promise<Response>)
Initial commit: MOPC platform with Docker deployment setup Full Next.js 15 platform with tRPC, Prisma, PostgreSQL, NextAuth. Includes production Dockerfile (multi-stage, port 7600), docker-compose with registry-based image pull, Gitea Actions CI workflow, nginx config for portal.monaco-opc.com, deployment scripts, and DEPLOYMENT.md guide. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 13:41:32 +01:00			`import { handlers } from '@/lib/auth'`
			`import { checkRateLimit } from '@/lib/rate-limit'`

			`const AUTH_RATE_LIMIT = 10 // requests per window`
			`const AUTH_RATE_WINDOW_MS = 60 * 1000 // 1 minute`

fix: batch 3 — webhook HMAC documentation + CSRF rate limiting - Webhook HMAC: added consumer verification JSDoc with Node.js example using crypto.timingSafeEqual - CSRF rate limiting: 20 requests/15min per IP on NextAuth /csrf endpoint - Renamed withRateLimit to withPostRateLimit/withGetRateLimit for clarity - 429 responses include Retry-After header Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-07 18:05:42 +01:00			`const CSRF_RATE_LIMIT = 20 // requests per window`
			`const CSRF_RATE_WINDOW_MS = 15 * 60 * 1000 // 15 minutes`

Initial commit: MOPC platform with Docker deployment setup Full Next.js 15 platform with tRPC, Prisma, PostgreSQL, NextAuth. Includes production Dockerfile (multi-stage, port 7600), docker-compose with registry-based image pull, Gitea Actions CI workflow, nginx config for portal.monaco-opc.com, deployment scripts, and DEPLOYMENT.md guide. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 13:41:32 +01:00			`function getClientIp(req: Request): string {`
			`return (`
			`req.headers.get('x-forwarded-for')?.split(',')[0]?.trim() \|\|`
			`req.headers.get('x-real-ip') \|\|`
			`'unknown'`
			`)`
			`}`

fix: batch 3 — webhook HMAC documentation + CSRF rate limiting - Webhook HMAC: added consumer verification JSDoc with Node.js example using crypto.timingSafeEqual - CSRF rate limiting: 20 requests/15min per IP on NextAuth /csrf endpoint - Renamed withRateLimit to withPostRateLimit/withGetRateLimit for clarity - 429 responses include Retry-After header Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-07 18:05:42 +01:00			`function withPostRateLimit(handler: (req: Request) => Promise<Response>) {`
			`return async (req: Request) => {`
			`const ip = getClientIp(req)`
			const { success, resetAt } = checkRateLimit(`auth:${ip}`, AUTH_RATE_LIMIT, AUTH_RATE_WINDOW_MS)

			`if (!success) {`
			`return new Response(JSON.stringify({ error: 'Too many authentication attempts' }), {`
			`status: 429,`
			`headers: {`
			`'Content-Type': 'application/json',`
			`'Retry-After': String(Math.ceil((resetAt - Date.now()) / 1000)),`
			`},`
			`})`
			`}`

			`return handler(req)`
			`}`
			`}`

			`function withGetRateLimit(handler: (req: Request) => Promise<Response>) {`
Initial commit: MOPC platform with Docker deployment setup Full Next.js 15 platform with tRPC, Prisma, PostgreSQL, NextAuth. Includes production Dockerfile (multi-stage, port 7600), docker-compose with registry-based image pull, Gitea Actions CI workflow, nginx config for portal.monaco-opc.com, deployment scripts, and DEPLOYMENT.md guide. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 13:41:32 +01:00			`return async (req: Request) => {`
fix: batch 3 — webhook HMAC documentation + CSRF rate limiting - Webhook HMAC: added consumer verification JSDoc with Node.js example using crypto.timingSafeEqual - CSRF rate limiting: 20 requests/15min per IP on NextAuth /csrf endpoint - Renamed withRateLimit to withPostRateLimit/withGetRateLimit for clarity - 429 responses include Retry-After header Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-07 18:05:42 +01:00			`// Rate-limit the CSRF token endpoint to prevent token farming`
			`const url = new URL(req.url)`
			`if (url.pathname.endsWith('/csrf')) {`
Initial commit: MOPC platform with Docker deployment setup Full Next.js 15 platform with tRPC, Prisma, PostgreSQL, NextAuth. Includes production Dockerfile (multi-stage, port 7600), docker-compose with registry-based image pull, Gitea Actions CI workflow, nginx config for portal.monaco-opc.com, deployment scripts, and DEPLOYMENT.md guide. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 13:41:32 +01:00			`const ip = getClientIp(req)`
fix: batch 3 — webhook HMAC documentation + CSRF rate limiting - Webhook HMAC: added consumer verification JSDoc with Node.js example using crypto.timingSafeEqual - CSRF rate limiting: 20 requests/15min per IP on NextAuth /csrf endpoint - Renamed withRateLimit to withPostRateLimit/withGetRateLimit for clarity - 429 responses include Retry-After header Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-07 18:05:42 +01:00			const { success, resetAt } = checkRateLimit(`csrf:${ip}`, CSRF_RATE_LIMIT, CSRF_RATE_WINDOW_MS)
Initial commit: MOPC platform with Docker deployment setup Full Next.js 15 platform with tRPC, Prisma, PostgreSQL, NextAuth. Includes production Dockerfile (multi-stage, port 7600), docker-compose with registry-based image pull, Gitea Actions CI workflow, nginx config for portal.monaco-opc.com, deployment scripts, and DEPLOYMENT.md guide. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 13:41:32 +01:00
			`if (!success) {`
fix: batch 3 — webhook HMAC documentation + CSRF rate limiting - Webhook HMAC: added consumer verification JSDoc with Node.js example using crypto.timingSafeEqual - CSRF rate limiting: 20 requests/15min per IP on NextAuth /csrf endpoint - Renamed withRateLimit to withPostRateLimit/withGetRateLimit for clarity - 429 responses include Retry-After header Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-07 18:05:42 +01:00			`return new Response(JSON.stringify({ error: 'Too many requests' }), {`
Initial commit: MOPC platform with Docker deployment setup Full Next.js 15 platform with tRPC, Prisma, PostgreSQL, NextAuth. Includes production Dockerfile (multi-stage, port 7600), docker-compose with registry-based image pull, Gitea Actions CI workflow, nginx config for portal.monaco-opc.com, deployment scripts, and DEPLOYMENT.md guide. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 13:41:32 +01:00			`status: 429,`
			`headers: {`
			`'Content-Type': 'application/json',`
			`'Retry-After': String(Math.ceil((resetAt - Date.now()) / 1000)),`
			`},`
			`})`
			`}`
			`}`

			`return handler(req)`
			`}`
			`}`

fix: batch 3 — webhook HMAC documentation + CSRF rate limiting - Webhook HMAC: added consumer verification JSDoc with Node.js example using crypto.timingSafeEqual - CSRF rate limiting: 20 requests/15min per IP on NextAuth /csrf endpoint - Renamed withRateLimit to withPostRateLimit/withGetRateLimit for clarity - 429 responses include Retry-After header Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-07 18:05:42 +01:00			`export const GET = withGetRateLimit(handlers.GET as (req: Request) => Promise<Response>)`
			`export const POST = withPostRateLimit(handlers.POST as (req: Request) => Promise<Response>)`