Matt
8d0979e649
Security (Critical/High): - Fix path traversal bypass in local storage provider (path.resolve + prefix check) - Fix timing-unsafe HMAC comparison (crypto.timingSafeEqual) - Add auth + ownership checks to email API routes (verify-credentials, change-password) - Remove hardcoded secret key fallback in local storage provider - Add production credential check for MinIO (fail loudly if not set) - Remove DB error details from health check response - Add stricter rate limiting on application submissions (5/hour) - Add rate limiting on email availability check (anti-enumeration) - Change getAIAssignmentJobStatus to adminProcedure - Block dangerous file extensions on upload - Reduce project list max perPage from 5000 to 200 Query Optimization: - Optimize analytics getProjectRankings with select instead of full includes - Fix N+1 in mentor.getSuggestions (batch findMany instead of loop) - Use _count for files instead of fetching full file records in project list - Switch to bulk notifications in assignment and user bulk operations - Batch filtering upserts (25 per transaction instead of all at once) UI/UX: - Replace Inter font with Montserrat in public layout (brand consistency) - Use Logo component in public layout instead of placeholder - Create branded 404 and error pages - Make admin rounds table responsive with mobile card layout - Fix notification bell paths to be role-aware - Replace hardcoded slate colors with semantic tokens in admin sidebar - Force light mode (dark mode untested) - Adjust CardTitle default size - Improve muted-foreground contrast for accessibility (A11Y) - Move profile form state initialization to useEffect Code Quality: - Extract shared toProjectWithRelations to anonymization.ts (removed 3 duplicates) - Remove dead code: getObjectInfo, isValidImageSize, unused batch tag functions, debug logs - Remove unused twilio dependency - Remove redundant email index from schema - Add actual storage object deletion when file records are deleted - Wrap evaluation submit + assignment update in - Add comprehensive platform review document Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
85 lines
2.3 KiB
TypeScript
85 lines
2.3 KiB
TypeScript
import { NextRequest, NextResponse } from 'next/server'
|
|
import nodemailer from 'nodemailer'
|
|
import { checkRateLimit } from '@/lib/rate-limit'
|
|
import { auth } from '@/lib/auth'
|
|
|
|
const MAIL_DOMAIN = process.env.POSTE_MAIL_DOMAIN || 'monaco-opc.com'
|
|
const SMTP_HOST = process.env.SMTP_HOST || 'localhost'
|
|
const SMTP_PORT = parseInt(process.env.SMTP_PORT || '587')
|
|
|
|
export async function POST(request: NextRequest): Promise<NextResponse> {
|
|
// Verify authenticated session
|
|
const session = await auth()
|
|
if (!session?.user?.email) {
|
|
return NextResponse.json(
|
|
{ error: 'Authentication required.' },
|
|
{ status: 401 }
|
|
)
|
|
}
|
|
|
|
const ip = request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() || 'unknown'
|
|
const rateLimit = checkRateLimit(`email-verify:${ip}`, 5, 15 * 60 * 1000)
|
|
|
|
if (!rateLimit.success) {
|
|
return NextResponse.json(
|
|
{ error: 'Too many attempts. Please try again later.' },
|
|
{ status: 429 }
|
|
)
|
|
}
|
|
|
|
try {
|
|
const body = await request.json()
|
|
const { email, password } = body as { email: string; password: string }
|
|
|
|
if (!email || !password) {
|
|
return NextResponse.json(
|
|
{ error: 'Email and password are required.' },
|
|
{ status: 400 }
|
|
)
|
|
}
|
|
|
|
const emailLower = email.toLowerCase().trim()
|
|
|
|
// Verify the user can only check their own email credentials
|
|
if (emailLower !== session.user.email.toLowerCase()) {
|
|
return NextResponse.json(
|
|
{ error: 'You can only verify your own email credentials.' },
|
|
{ status: 403 }
|
|
)
|
|
}
|
|
|
|
if (!emailLower.endsWith(`@${MAIL_DOMAIN}`)) {
|
|
return NextResponse.json(
|
|
{ error: `Email must be an @${MAIL_DOMAIN} address.` },
|
|
{ status: 400 }
|
|
)
|
|
}
|
|
|
|
const transporter = nodemailer.createTransport({
|
|
host: SMTP_HOST,
|
|
port: SMTP_PORT,
|
|
secure: SMTP_PORT === 465,
|
|
auth: {
|
|
user: emailLower,
|
|
pass: password,
|
|
},
|
|
connectionTimeout: 10000,
|
|
greetingTimeout: 10000,
|
|
})
|
|
|
|
try {
|
|
await transporter.verify()
|
|
return NextResponse.json({ valid: true })
|
|
} catch {
|
|
return NextResponse.json({ valid: false, error: 'Invalid email or password.' })
|
|
} finally {
|
|
transporter.close()
|
|
}
|
|
} catch {
|
|
return NextResponse.json(
|
|
{ error: 'Invalid request.' },
|
|
{ status: 400 }
|
|
)
|
|
}
|
|
}
|