security update

Author: braindead-dev

app/[id]/page.tsx

@@ -25,6 +25,23 @@ const sanitizeTitleForTab = (title: string) => {
   return sanitizedTitle.trim() || "Henry's Notes";
 };
 
+// Add this helper function at the top of your file
+const sanitizeErrorMessage = (status: number, message?: string): string => {
+  const defaultMessages: { [key: number]: string } = {
+    400: "Bad Request",
+    401: "Unauthorized",
+    403: "Forbidden",
+    404: "Paste not found",
+    500: "Internal server error",
+  };
+
+  // Use default message if available, otherwise use sanitized custom message
+  const errorMessage = defaultMessages[status] || 
+    (message ? message.replace(/[^a-zA-Z0-9\s.,!?-]/g, '') : "An error occurred");
+
+  return `\`\`\`\nError ${status}: ${errorMessage}\n\`\`\``;
+};
+
 export default function Paste() {
   const { id } = useParams();
   const [title, setTitle] = useState('');
@@ -60,14 +77,14 @@ export default function Paste() {
               setContent(data.content);
             }
           } else {
-            // Handle error based on the response status and message
+            // Use the sanitized error message handler
             setTitle("Error");
-            setContent(`\`\`\`\n${response.status}: ${data.error || "```\n500: We were unable to fetch this paste.\n```"}\n\`\`\``);
+            setContent(sanitizeErrorMessage(response.status, data.error));
           }
         } catch (error) {
-          // Catch any network or unexpected errors
+          // Handle network or unexpected errors
           setTitle("Error");
-          setContent("```\n500: We were unable to fetch this paste.\n```");
+          setContent(sanitizeErrorMessage(500));
         } finally {
           setLoading(false);
         }

app/api/paste/route.ts

@@ -5,28 +5,37 @@ import clientPromise from '../../../utils/mongodb';
 import { generateUniqueId } from '../../../utils/slugUtils';
 import { sendDiscordNotification } from '../../../utils/discord';
 
+const validEncryptionMethods = ['key', 'password', null] as const;
+type EncryptionMethod = typeof validEncryptionMethods[number];
+
+const MIN_SIZE_BYTES = 1;
+const MAX_SIZE_BYTES = 400 * 1024; // 400 KB
+const MAX_TITLE_LENGTH = 100;
+const MIN_TITLE_LENGTH = 1;
+
 export async function POST(request: Request) {
   try {
     const { title, content, encryptionMethod } = await request.json();
 
     // Validate incoming data
-    if (!title || typeof title !== 'string' || title.trim() === '') {
-      return NextResponse.json({ error: 'Invalid title. Title cannot be empty.' }, { status: 400 });
+    if (!title || typeof title !== 'string' || 
+        title.length < MIN_TITLE_LENGTH || 
+        title.length > MAX_TITLE_LENGTH) {
+      return NextResponse.json({ 
+        error: `Title must be between ${MIN_TITLE_LENGTH} and ${MAX_TITLE_LENGTH} characters.` 
+      }, { status: 400 });
     }
     if (!content || typeof content !== 'string' || content.trim() === '') {
       return NextResponse.json({ error: 'Invalid content. Content cannot be empty.' }, { status: 400 });
     }
-    if (title.length > 100) {
-      return NextResponse.json({ error: 'Title is too long. Maximum length is 100 characters.' }, { status: 400 });
-    }
 
     const fullPaste = `${title}\n${content}`;
     const pasteSize = new Blob([fullPaste]).size;
 
-    const MAX_SIZE_BYTES = 400 * 1024; // 400 KB in bytes
-
-    if (pasteSize > MAX_SIZE_BYTES) {
-      return NextResponse.json({ error: `Paste exceeds ${(MAX_SIZE_BYTES / 1024)} KB size limit. Current size is ${(pasteSize / 1024).toFixed(2)} KB.` }, { status: 400 });
+    if (pasteSize < MIN_SIZE_BYTES || pasteSize > MAX_SIZE_BYTES) {
+      return NextResponse.json({ 
+        error: `Content size must be between ${MIN_SIZE_BYTES} and ${MAX_SIZE_BYTES/1024} KB.` 
+      }, { status: 400 });
     }
 
     const client = await clientPromise;
@@ -40,6 +49,10 @@ export async function POST(request: Request) {
       return NextResponse.json({ error: 'ID collision occurred. Please try again.' }, { status: 500 });
     }
 
+    if (!validEncryptionMethods.includes(encryptionMethod as EncryptionMethod)) {
+      return NextResponse.json({ error: 'Invalid encryption method' }, { status: 400 });
+    }
+
     // Insert the paste into the MongoDB database
     const result = await db.collection('pastes').insertOne({
       id,

lib/authOptions.ts

@@ -1,6 +1,6 @@
 // lib/authOptions.ts
 
-import { NextAuthOptions } from "next-auth";
+import type { NextAuthOptions } from "next-auth";
 import GithubProvider from "next-auth/providers/github";
 
 // Extend the Session interface to include the id property
@@ -23,16 +23,20 @@ const allowedUsers = process.env.ALLOWED_USERS?.split(",") || [];
 export const authOptions: NextAuthOptions = {
   providers: [
     GithubProvider({
-      clientId: process.env.GITHUB_ID!,
-      clientSecret: process.env.GITHUB_SECRET!,
-      authorization: { params: { scope: "read:user" } },
+      clientId: process.env.GITHUB_ID as string,
+      clientSecret: process.env.GITHUB_SECRET as string,
     }),
   ],
   secret: process.env.NEXTAUTH_SECRET,
   pages: {
     signIn: "/auth/signin", // Custom sign-in page
     error: "/auth/signin",  // Redirect to sign-in page on error
   },
+  session: {
+    // Session will expire in 8 hours
+    maxAge: 8 * 60 * 60, // 8 hours in seconds
+    updateAge: 60 * 60, // Update session every 1 hour
+  },
   callbacks: {
     async signIn({ profile }) {
       const githubProfile = profile as GitHubProfile;

middleware.ts

@@ -2,27 +2,55 @@
 
 import { withAuth } from "next-auth/middleware";
 import { NextResponse } from "next/server";
+import { rateLimit } from './utils/rateLimit';
 
 // Load allowed users from the environment variables
 const allowedUsers = process.env.ALLOWED_USERS?.split(",") || [];
 
+// Create rate limiters for different endpoints
+const apiLimiter = rateLimit({
+  interval: 60 * 1000, // 1 minute
+  uniqueTokenPerInterval: 500
+});
+
+const adminLimiter = rateLimit({
+  interval: 60 * 1000,
+  uniqueTokenPerInterval: 100
+});
+
 export default withAuth(
-  function middleware(req) {
+  async function middleware(req) {
     const { pathname, origin } = req.nextUrl;
+    const ip = req.ip ?? '127.0.0.1';
 
-    if (pathname.startsWith("/admin")) {
-      const token = req.nextauth.token;
+    try {
+      // Apply rate limiting based on path
+      if (pathname.startsWith("/api/admin")) {
+        await adminLimiter.check(ip, 100); // Stricter limit for admin routes
+      } else if (pathname.startsWith("/api")) {
+        await apiLimiter.check(ip, 30); // General API rate limit
+      }
 
-      // Check if the user ID is allowed to access
-      if (!token || typeof token.id !== "number" || !allowedUsers.includes(token.id.toString())) {
-        const signInUrl = new URL("/auth/signin", origin);
-        signInUrl.searchParams.set("callbackUrl", req.url);
-        return NextResponse.redirect(signInUrl);
+      // Existing admin authentication logic
+      if (pathname.startsWith("/admin")) {
+        const token = req.nextauth.token;
+        if (!token || typeof token.id !== "number" || !allowedUsers.includes(token.id.toString())) {
+          const signInUrl = new URL("/auth/signin", origin);
+          signInUrl.searchParams.set("callbackUrl", req.url);
+          return NextResponse.redirect(signInUrl);
+        }
       }
+
+      return NextResponse.next();
+    } catch {
+      return new NextResponse('Too Many Requests', { status: 429 });
     }
   }
 );
 
 export const config = {
-  matcher: ["/admin/:path*"],
+  matcher: [
+    "/admin/:path*",
+    "/api/:path*"
+  ],
 };

next.config.mjs

@@ -1,5 +1,42 @@
 /** @type {import('next').NextConfig} */
 const nextConfig = {
-  };
-  
-  export default nextConfig;
+  async headers() {
+    return [
+      {
+        source: '/:path*',
+        headers: [
+          {
+            key: 'X-DNS-Prefetch-Control',
+            value: 'on'
+          },
+          {
+            key: 'Strict-Transport-Security',
+            value: 'max-age=31536000; includeSubDomains'
+          },
+          {
+            key: 'X-Frame-Options',
+            value: 'SAMEORIGIN'
+          },
+          {
+            key: 'X-Content-Type-Options',
+            value: 'nosniff'
+          },
+          {
+            key: 'Referrer-Policy',
+            value: 'strict-origin-when-cross-origin'
+          },
+          {
+            key: 'Permissions-Policy',
+            value: 'camera=(), microphone=(), geolocation=()'
+          },
+          {
+            key: 'Content-Security-Policy',
+            value: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self'"
+          }
+        ]
+      }
+    ];
+  }
+};
+
+export default nextConfig;

utils/rateLimit.ts

@@ -0,0 +1,38 @@
+export interface RateLimitConfig {
+    interval: number;
+    uniqueTokenPerInterval: number;
+  }
+  
+  interface TokenBucket {
+    tokens: number;
+    lastRefill: number;
+  }
+  
+  export function rateLimit(config: RateLimitConfig) {
+    const tokenBuckets = new Map<string, TokenBucket>();
+  
+    return {
+      check: async (key: string, limit: number) => {
+        const now = Date.now();
+        let bucket = tokenBuckets.get(key);
+  
+        if (!bucket) {
+          bucket = { tokens: limit, lastRefill: now };
+          tokenBuckets.set(key, bucket);
+        } else {
+          // Refill tokens based on time passed
+          const timePassed = now - bucket.lastRefill;
+          const refillAmount = Math.floor(timePassed / config.interval) * limit;
+          bucket.tokens = Math.min(limit, bucket.tokens + refillAmount);
+          bucket.lastRefill = now;
+        }
+  
+        if (bucket.tokens > 0) {
+          bucket.tokens--;
+          return true;
+        }
+  
+        throw new Error('Rate limit exceeded');
+      }
+    };
+  }