MVP

2025-10-18 17:55:32 +02:00
parent 254e6490b8
commit 91b78cb284
65 changed files with 4481 additions and 1078 deletions
--- a/src/app/api/auth/signup/route.ts
+++ b/src/app/api/auth/signup/route.ts
@@ -1,7 +1,11 @@
 import { NextRequest, NextResponse } from 'next/server';
 import bcrypt from 'bcryptjs';
+import { cookies } from 'next/headers';
 import { db } from '@/lib/db';
 import { z } from 'zod';
+import { csrfProtection } from '@/lib/csrf';
+import { rateLimit, getClientIdentifier, RateLimits } from '@/lib/rateLimit';
+import { getAuthCookieOptions } from '@/lib/cookieConfig';

 const signupSchema = z.object({
  name: z.string().min(2),
@@ -11,6 +15,36 @@ const signupSchema = z.object({

 export async function POST(request: NextRequest) {
  try {
+    // CSRF Protection
+    const csrfCheck = csrfProtection(request);
+    if (!csrfCheck.valid) {
+      return NextResponse.json(
+        { error: csrfCheck.error },
+        { status: 403 }
+      );
+    }
+
+    // Rate Limiting
+    const clientId = getClientIdentifier(request);
+    const rateLimitResult = rateLimit(clientId, RateLimits.SIGNUP);
+
+    if (!rateLimitResult.success) {
+      return NextResponse.json(
+        {
+          error: 'Too many signup attempts. Please try again later.',
+          retryAfter: Math.ceil((rateLimitResult.reset - Date.now()) / 1000)
+        },
+        {
+          status: 429,
+          headers: {
+            'X-RateLimit-Limit': rateLimitResult.limit.toString(),
+            'X-RateLimit-Remaining': rateLimitResult.remaining.toString(),
+            'X-RateLimit-Reset': rateLimitResult.reset.toString(),
+          }
+        }
+      );
+    }
+
    const body = await request.json();
    const { name, email, password } = signupSchema.parse(body);

@@ -38,10 +72,16 @@ export async function POST(request: NextRequest) {
      },
    });

+    // Set cookie for auto-login after signup
+    cookies().set('userId', user.id, getAuthCookieOptions());
+
    return NextResponse.json({
-      id: user.id,
-      name: user.name,
-      email: user.email,
+      success: true,
+      user: {
+        id: user.id,
+        name: user.name,
+        email: user.email,
+      },
    });
  } catch (error) {
    if (error instanceof z.ZodError) {