security: full hardening pass — auth guards, rate limiting, headers, internal secret
- Add requireAdmin() to all unprotected admin server actions (clients/new, clients/[id], timer-actions — 17 functions total) - Protect /api/internal/* endpoints with X-Internal-Secret header (proxy.ts sends it; routes reject requests without it) - Randomize auto-generated client slugs with 4-char suffix to prevent enumeration via predictable name-based slugs - Add in-memory rate limiting to /api/client/approve (20/min) and /api/client/comment (10/min) per IP - Add security headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, X-DNS-Prefetch-Control - Reduce JWT session from 30 days to 7 days with daily rotation - Remove hardcoded NEXTAUTH_URL from Dockerfile (pass via Coolify env) - Genericize client API error messages to not leak data structure - Update .env.example with all required variables including INTERNAL_SECRET Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
+8
-2
@@ -43,15 +43,21 @@ export async function proxy(request: NextRequest) {
|
||||
const port = process.env.PORT ?? "3000";
|
||||
const base = `http://localhost:${port}`;
|
||||
|
||||
const internalHeaders = {
|
||||
"x-internal-secret": process.env.INTERNAL_SECRET ?? "",
|
||||
};
|
||||
|
||||
// Try slug first (D-06) — user-friendly slugs before token fallback
|
||||
let res = await fetch(
|
||||
`${base}/api/internal/validate-slug?slug=${encodeURIComponent(slugOrToken)}`
|
||||
`${base}/api/internal/validate-slug?slug=${encodeURIComponent(slugOrToken)}`,
|
||||
{ headers: internalHeaders }
|
||||
);
|
||||
|
||||
// If slug not found, fall back to token validation (existing links continue to work)
|
||||
if (!res.ok) {
|
||||
res = await fetch(
|
||||
`${base}/api/internal/validate-token?token=${encodeURIComponent(slugOrToken)}`
|
||||
`${base}/api/internal/validate-token?token=${encodeURIComponent(slugOrToken)}`,
|
||||
{ headers: internalHeaders }
|
||||
);
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user