sachen

Author: Sparths

.env.local.backup

@@ -0,0 +1,17 @@
+POSTGRES_URL="postgres://postgres.hxijjvnsrxynegthasmh:pcE680j67rhFfDRr@aws-0-eu-central-1.pooler.supabase.com:6543/postgres?sslmode=require&supa=base-pooler.x"
+POSTGRES_USER="postgres"
+POSTGRES_HOST="db.hxijjvnsrxynegthasmh.supabase.co"
+SUPABASE_JWT_SECRET="998Vo+CP+u2rNnH6fv9w4KWGb+8I1P9bXjrM2tKiFE5YcIlQ1Tr+NBNPNGw1de2drhvoXX0dSZJZ84toPkxBtA=="
+NEXT_PUBLIC_SUPABASE_ANON_KEY="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6Imh4aWpqdm5zcnh5bmVndGhhc21oIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NDc3Mzk5NDcsImV4cCI6MjA2MzMxNTk0N30.zWILyiJA1K5L0w2rynsWqhMVU6jySaal5lC9IBO05bc"
+POSTGRES_PRISMA_URL="postgres://postgres.hxijjvnsrxynegthasmh:pcE680j67rhFfDRr@aws-0-eu-central-1.pooler.supabase.com:6543/postgres?sslmode=require&supa=base-pooler.x"
+POSTGRES_PASSWORD="pcE680j67rhFfDRr"
+POSTGRES_DATABASE="postgres"
+SUPABASE_URL="https://hxijjvnsrxynegthasmh.supabase.co"
+NEXT_PUBLIC_SUPABASE_URL="https://hxijjvnsrxynegthasmh.supabase.co"
+SUPABASE_SERVICE_ROLE_KEY="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6Imh4aWpqdm5zcnh5bmVndGhhc21oIiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImlhdCI6MTc0NzczOTk0NywiZXhwIjoyMDYzMzE1OTQ3fQ.poV3TJW7eJULdQ_yYHhygUPbEMYW-SSrIVWSsnRXRAk"
+POSTGRES_URL_NON_POOLING="postgres://postgres.hxijjvnsrxynegthasmh:pcE680j67rhFfDRr@aws-0-eu-central-1.pooler.supabase.com:5432/postgres?sslmode=require"
+DISCORD_WEBHOOK_URL="https://discord.com/api/webhooks/1326548524657016842/rJrqRnK7lZQKKh_kzT2bz_rjBx6T0BDz8vym4SVeMt-sLXl4PaMycrYuM8pbbr1JNpSm"
+NEXT_PUBLIC_SITE_URL = "https://orange-engine-q6gpjxwwqg9h9pw5-3001.app.github.dev"
+
+AUTHORIZED_ADMINS=Sparths,sparths,f8adc96a-496f-412b-af15-20bd3cd66b3c
+NEXT_PUBLIC_AUTHORIZED_ADMINS=Sparths,sparths

SECURITY_CHECKLIST.md

@@ -0,0 +1,41 @@
+# Security Implementation Checklist
+
+## Files to Update
+- [ ] Copy secure-token.ts content from artifact
+- [ ] Copy sanitization.ts content from artifact
+- [ ] Copy rate-limiter-config.ts content from artifact
+- [ ] Copy csrf-protection.ts content from artifact
+- [ ] Copy session-manager.ts content from artifact
+- [ ] Copy security-headers.ts content from artifact
+- [ ] Update middleware.ts
+- [ ] Create use-csrf.ts hook
+- [ ] Create csrf API route
+- [ ] Create session API route
+
+## API Routes to Update
+- [ ] /app/api/admin/verify/route.tsx
+- [ ] /app/api/project-requests/route.tsx
+- [ ] /app/api/users/route.tsx
+- [ ] /app/api/comments/route.tsx
+- [ ] /app/api/ratings/route.tsx
+- [ ] /app/api/badges/route.tsx
+
+## Frontend Components to Update
+- [ ] CommentSection.tsx - Add CSRF headers
+- [ ] RatingSystem.tsx - Add CSRF headers
+- [ ] AuthContext.tsx - Remove localStorage usage
+- [ ] UserProjectRequests.tsx - Add CSRF headers
+- [ ] ProfileForm.tsx - Add CSRF headers
+
+## Testing
+- [ ] Test rate limiting
+- [ ] Test CSRF protection
+- [ ] Test XSS prevention
+- [ ] Test admin authentication
+- [ ] Test session management
+
+## Deployment
+- [ ] Set environment variables in production
+- [ ] Enable HTTPS
+- [ ] Test all features in production
+- [ ] Monitor security logs

app/api/admin/verify/route.tsx

@@ -1,5 +1,7 @@
 import { NextResponse } from "next/server";
 import { createClient } from '@supabase/supabase-js';
+import { createSecureAdminToken, verifySecureAdminToken } from '@/lib/security/secure-token';
+import { sanitizeInput } from '@/lib/security/sanitization';
 
 // Admin verification with service role
 const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
@@ -19,11 +21,6 @@ const getAuthorizedAdmins = (): string[] => {
   return adminList.split(',').map(admin => admin.trim());
 };
 
-// Input sanitization
-const sanitizeInput = (input: string): string => {
-  return input.replace(/[<>]/g, '').trim();
-};
-
 export async function POST(request: Request) {
   try {
     const body = await request.json();
@@ -52,15 +49,8 @@ export async function POST(request: Request) {
     if (authorizedAdmins.includes(sanitizedUserId)) {
       console.log("User found in direct admin list:", sanitizedUserId);
 
-      // Create admin session token for subsequent requests
-      const adminSession = {
-        userId: sanitizedUserId,
-        timestamp: Date.now(),
-        verified: true,
-        isAdmin: true
-      };
-
-      const adminToken = Buffer.from(JSON.stringify(adminSession)).toString('base64');
+      // Create secure admin session token
+      const adminToken = createSecureAdminToken(sanitizedUserId);
 
       return NextResponse.json({
         success: true,
@@ -108,15 +98,8 @@ export async function POST(request: Request) {
         if (isAdmin) {
           console.log("User verified as admin");
 
-          // Create admin session token for subsequent requests
-          const adminSession = {
-            userId: sanitizedUserId,
-            timestamp: Date.now(),
-            verified: true,
-            isAdmin: true
-          };
-
-          const adminToken = Buffer.from(JSON.stringify(adminSession)).toString('base64');
+          // Create secure admin session token
+          const adminToken = createSecureAdminToken(sanitizedUserId);
 
           return NextResponse.json({
             success: true,
@@ -160,12 +143,26 @@ export async function POST(request: Request) {
   }
 }
 
-// Optional: GET method to check current admin status
+// GET method to check current admin status
 export async function GET(request: Request) {
   try {
     const { searchParams } = new URL(request.url);
     const userId = searchParams.get("userId");
 
+    // Check for admin token in Authorization header
+    const authHeader = request.headers.get('authorization');
+    if (authHeader && authHeader.startsWith('Bearer ')) {
+      const token = authHeader.substring(7);
+      const verification = verifySecureAdminToken(token);
+      
+      if (verification.isValid) {
+        return NextResponse.json({
+          isAdmin: true,
+          userId: verification.userId
+        });
+      }
+    }
+
     if (!userId) {
       return NextResponse.json(
         { error: "User ID is required" },