kjanat/livedash-node
1
0
Fork 0
mirror of https://github.com/kjanat/livedash-node.git synced 2026-02-13 22:15:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat: implement cache layer, CSP improvements, and database performance optimizations

Browse Source 
- Add Redis cache implementation with LRU eviction
- Enhance Content Security Policy with nonce generation
- Optimize database queries with connection pooling
- Add cache invalidation API endpoints
- Improve security monitoring performance
This commit is contained in:
Kaj Kowalski
2025-07-12 04:44:50 +02:00
parent 7a3eabccd9
commit e1abedb148
56 changed files with 6881 additions and 7040 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
lib/auditLogRetention.ts
View File

@@ -119,11 +119,11 @@ export class AuditLogRetentionManager {
};
if (policy.severityFilter && policy.severityFilter.length > 0) {
whereClause.severity = { in: policy.severityFilter };
whereClause.severity = { in: policy.severityFilter as any };
}
if (policy.eventTypeFilter && policy.eventTypeFilter.length > 0) {
whereClause.eventType = { in: policy.eventTypeFilter };
whereClause.eventType = { in: policy.eventTypeFilter as any };
}
return whereClause;

3
lib/auditLogScheduler.ts
View File

@@ -8,7 +8,7 @@ import {
} from "./securityAuditLogger";
export class AuditLogScheduler {
private retentionTask: cron.ScheduledTask | null = null;
private retentionTask: any = null;
private isRunning = false;
constructor() {
@@ -71,7 +71,6 @@ export class AuditLogScheduler {
}
},
{
scheduled: false, // Don't start immediately
timezone: "UTC", // Use UTC to avoid timezone issues
}
);

44
lib/auth.ts
View File

@@ -1,6 +1,7 @@
import bcrypt from "bcryptjs";
import type { NextAuthOptions } from "next-auth";
import CredentialsProvider from "next-auth/providers/credentials";
import { Cache } from "./cache";
import { prisma } from "./prisma";
import {
AuditOutcome,
@@ -76,10 +77,43 @@ export const authOptions: NextAuthOptions = {
return null;
}
const user = await prisma.user.findUnique({
where: { email: credentials.email },
include: { company: true },
});
// Try to get user from cache first
const cachedUser = await Cache.getUserByEmail(credentials.email);
let fullUser: any = null;
if (cachedUser) {
// Get full user data from database if cached user found
fullUser = await prisma.user.findUnique({
where: { id: cachedUser.id },
include: { company: true },
});
} else {
// Cache miss - get from database and cache for next time
fullUser = await prisma.user.findUnique({
where: { email: credentials.email },
include: { company: true },
});
if (fullUser) {
// Cache the user data
await Cache.setUserByEmail(credentials.email, {
id: fullUser.id,
email: fullUser.email,
name: fullUser.name || undefined,
role: fullUser.role,
companyId: fullUser.companyId,
});
await Cache.setUser(fullUser.id, {
id: fullUser.id,
email: fullUser.email,
name: fullUser.name || undefined,
role: fullUser.role,
companyId: fullUser.companyId,
});
}
}
const user = fullUser;
if (!user || !user.password) {
await enhancedSecurityLog(
@@ -199,7 +233,7 @@ export const authOptions: NextAuthOptions = {
name: "app-auth.session-token",
options: {
httpOnly: true,
sameSite: "lax",
sameSite: process.env.NODE_ENV === "production" ? "strict" : "lax",
path: "/",
secure: process.env.NODE_ENV === "production",
},

12
lib/batchLogger.ts
View File

@@ -378,9 +378,9 @@ class BatchLoggerService {
}
const allMetrics: Record<string, BatchMetrics> = {};
for (const [key, metrics] of this.metrics) {
this.metrics.forEach((metrics, key) => {
allMetrics[key] = metrics;
}
});
return allMetrics;
}
@@ -411,18 +411,18 @@ class BatchLoggerService {
cleanupMetrics(olderThanHours = 24): void {
const cutoff = Date.now() - olderThanHours * 60 * 60 * 1000;
for (const [key, metrics] of this.metrics) {
this.metrics.forEach((metrics, key) => {
if (metrics.operationStartTime < cutoff) {
this.metrics.delete(key);
}
}
});
// Clear old operation times
for (const [operationId, startTime] of this.operationTimes) {
this.operationTimes.forEach((startTime, operationId) => {
if (startTime < cutoff) {
this.operationTimes.delete(operationId);
}
}
});
console.log(
`Cleaned up batch processing metrics older than ${olderThanHours} hours`

21
lib/batchProcessor.ts
View File

@@ -223,7 +223,7 @@ async function retryWithBackoff<T>(
operationName: string,
maxRetries = BATCH_CONFIG.MAX_RETRIES
): Promise<T> {
let lastError: Error;
let lastError: Error = new Error("Operation failed");
for (let attempt = 0; attempt <= maxRetries; attempt++) {
try {
@@ -411,6 +411,7 @@ export async function getPendingBatchRequests(
},
processingStatus: AIRequestStatus.PENDING_BATCHING,
batchId: null,
sessionId: { not: null },
},
include: {
session: {
@@ -436,7 +437,7 @@ export async function getPendingBatchRequests(
content: string;
order: number;
}>;
} | null;
};
})[]
>;
}
@@ -492,7 +493,9 @@ export async function createBatchRequest(
messages: [
{
role: "system",
content: getSystemPromptForProcessingType(request.processingType),
content: getSystemPromptForProcessingType(
request.processingType || "full_analysis"
),
},
{
role: "user",
@@ -1278,6 +1281,14 @@ async function processIndividualRequest(request: {
messages: Array<{ role: string; content: string }>;
temperature?: number;
max_tokens?: number;
processingType?: string;
session?: {
messages: Array<{
role: string;
content: string;
order: number;
}>;
};
}): Promise<{
usage: {
prompt_tokens: number;
@@ -1318,7 +1329,9 @@ async function processIndividualRequest(request: {
messages: [
{
role: "system",
content: getSystemPromptForProcessingType(request.processingType),
content: getSystemPromptForProcessingType(
request.processingType || "full_analysis"
),
},
{
role: "user",

37
lib/batchProcessorIntegration.ts
View File

@@ -90,6 +90,13 @@ class PerformanceTracker {
},
};
}
reset(): void {
this.metrics = {
optimized: { totalTime: 0, operationCount: 0, errorCount: 0 },
original: { totalTime: 0, operationCount: 0, errorCount: 0 },
};
}
}
const performanceTracker = new PerformanceTracker();
@@ -205,7 +212,30 @@ export const IntegratedBatchProcessor = {
getBatchProcessingStats: async (companyId?: string) => {
return executeWithTracking(
() => OptimizedProcessor.getBatchProcessingStatsOptimized(companyId),
() => OriginalProcessor.getBatchProcessingStats(companyId || ""),
async () => {
// Adapter function to transform original output to match optimized output
const originalResult = await OriginalProcessor.getBatchProcessingStats(
companyId || ""
);
const batchStats = originalResult.batchStats as Record<string, number>;
return {
totalBatches: Object.values(batchStats).reduce(
(sum, count) => sum + count,
0
),
pendingRequests: originalResult.pendingRequests,
inProgressBatches:
(batchStats["IN_PROGRESS"] || 0) +
(batchStats["VALIDATING"] || 0) +
(batchStats["UPLOADING"] || 0) +
(batchStats["FINALIZING"] || 0),
completedBatches:
(batchStats["COMPLETED"] || 0) + (batchStats["PROCESSED"] || 0),
failedRequests:
(batchStats["FAILED"] || 0) + (batchStats["CANCELLED"] || 0),
};
},
"getBatchProcessingStats"
);
},
@@ -303,10 +333,7 @@ export const IntegratedBatchProcessor = {
* Reset performance tracking (useful for testing)
*/
resetPerformanceTracking: (): void => {
performanceTracker.metrics = {
optimized: { totalTime: 0, operationCount: 0, errorCount: 0 },
original: { totalTime: 0, operationCount: 0, errorCount: 0 },
};
performanceTracker.reset();
},
};

72
lib/batchProcessorOptimized.ts
View File

@@ -15,6 +15,7 @@ import {
AIRequestStatus,
} from "@prisma/client";
import { BatchLogLevel, BatchOperation, batchLogger } from "./batchLogger";
import { Cache } from "./cache";
import { prisma } from "./prisma";
/**
@@ -31,10 +32,22 @@ class CompanyCache {
private allActiveCompanies: CachedCompany[] | null = null;
private allActiveCompaniesCachedAt = 0;
private readonly CACHE_TTL = 5 * 60 * 1000; // 5 minutes
private readonly REDIS_CACHE_KEY = "active-companies";
async getActiveCompanies(): Promise<CachedCompany[]> {
const now = Date.now();
// Try Redis cache first
const redisCachedCompanies = await Cache.get<CachedCompany[]>(
this.REDIS_CACHE_KEY
);
if (redisCachedCompanies && redisCachedCompanies.length > 0) {
this.allActiveCompanies = redisCachedCompanies;
this.allActiveCompaniesCachedAt = now;
return redisCachedCompanies;
}
// Fall back to in-memory cache
if (
this.allActiveCompanies &&
now - this.allActiveCompaniesCachedAt < this.CACHE_TTL
@@ -42,17 +55,24 @@ class CompanyCache {
return this.allActiveCompanies;
}
// Cache miss - fetch from database
const companies = await prisma.company.findMany({
where: { status: "ACTIVE" },
select: { id: true, name: true },
});
this.allActiveCompanies = companies.map((company) => ({
const cachedCompanies = companies.map((company) => ({
...company,
cachedAt: now,
}));
// Update both caches
this.allActiveCompanies = cachedCompanies;
this.allActiveCompaniesCachedAt = now;
// Cache in Redis with 5-minute TTL
await Cache.set(this.REDIS_CACHE_KEY, cachedCompanies, 300);
await batchLogger.log(
BatchLogLevel.DEBUG,
`Refreshed company cache with ${companies.length} active companies`,
@@ -62,13 +82,24 @@ class CompanyCache {
}
);
return this.allActiveCompanies;
return cachedCompanies;
}
invalidate(): void {
async invalidate(): Promise<void> {
this.cache.clear();
this.allActiveCompanies = null;
this.allActiveCompaniesCachedAt = 0;
// Clear Redis cache
await Cache.delete(this.REDIS_CACHE_KEY);
}
getStats() {
return {
isActive: this.allActiveCompanies !== null,
cachedAt: new Date(this.allActiveCompaniesCachedAt),
cacheSize: this.allActiveCompanies?.length || 0,
};
}
}
@@ -128,8 +159,19 @@ export async function getPendingBatchRequestsOptimized(
/**
* Batch operation to get pending requests for multiple companies
*/
type AIProcessingRequestWithSession = AIProcessingRequest & {
session: {
messages: Array<{
id: string;
order: number;
role: string;
content: string;
}>;
};
};
export async function getPendingBatchRequestsForAllCompanies(): Promise<
Map<string, AIProcessingRequest[]>
Map<string, AIProcessingRequestWithSession[]>
> {
const startTime = Date.now();
const companies = await companyCache.getActiveCompanies();
@@ -138,7 +180,7 @@ export async function getPendingBatchRequestsForAllCompanies(): Promise<
return new Map();
}
// Single query to get all pending requests for all companies
// Single query to get all pending requests for all companies with session messages
const allRequests = await prisma.aIProcessingRequest.findMany({
where: {
session: {
@@ -149,10 +191,10 @@ export async function getPendingBatchRequestsForAllCompanies(): Promise<
},
include: {
session: {
select: {
id: true,
companyId: true,
_count: { select: { messages: true } },
include: {
messages: {
orderBy: { order: "asc" },
},
},
},
},
@@ -160,7 +202,7 @@ export async function getPendingBatchRequestsForAllCompanies(): Promise<
});
// Group requests by company
const requestsByCompany = new Map<string, AIProcessingRequest[]>();
const requestsByCompany = new Map<string, AIProcessingRequestWithSession[]>();
for (const request of allRequests) {
const companyId = request.session?.companyId;
if (!companyId) continue;
@@ -491,17 +533,13 @@ export async function getBatchProcessingStatsOptimized(
/**
* Utility to invalidate company cache (call when companies are added/removed/status changed)
*/
export function invalidateCompanyCache(): void {
companyCache.invalidate();
export async function invalidateCompanyCache(): Promise<void> {
await companyCache.invalidate();
}
/**
* Get cache statistics for monitoring
*/
export function getCompanyCacheStats() {
return {
isActive: companyCache.allActiveCompanies !== null,
cachedAt: new Date(companyCache.allActiveCompaniesCachedAt),
cacheSize: companyCache.allActiveCompanies?.length || 0,
};
return companyCache.getStats();
}

4
lib/batchSchedulerOptimized.ts
View File

@@ -9,7 +9,7 @@
*/
import cron, { type ScheduledTask } from "node-cron";
import { BatchOperation, batchLogger } from "./batchLogger";
import { BatchLogLevel, BatchOperation, batchLogger } from "./batchLogger";
import {
checkBatchStatuses,
createBatchRequest,
@@ -165,7 +165,7 @@ async function createBatchesOptimized(): Promise<void> {
if (pendingRequestsByCompany.size === 0) {
await batchLogger.log(
batchLogger.BatchLogLevel.DEBUG,
BatchLogLevel.DEBUG,
"No pending requests found across all companies",
{ operation: BatchOperation.BATCH_CREATION }
);

475
lib/cache.ts Normal file
View File

@@ -0,0 +1,475 @@
/**
* Comprehensive Caching Layer with Redis + In-Memory Fallback
*
* This module provides a unified caching interface that:
* - Uses Redis when available for distributed caching
* - Falls back to in-memory LRU cache when Redis is unavailable
* - Provides type-safe caching with automatic serialization/deserialization
* - Includes cache warming, invalidation patterns, and monitoring
*/
import { env } from "./env";
import { redisManager } from "./redis";
interface CacheEntry<T> {
value: T;
expiresAt: number;
createdAt: number;
}
class MemoryCache {
private cache = new Map<string, CacheEntry<unknown>>();
private maxSize = 1000;
private cleanupInterval: NodeJS.Timeout;
constructor() {
// Clean up expired entries every 5 minutes
this.cleanupInterval = setInterval(() => this.cleanup(), 5 * 60 * 1000);
}
set<T>(key: string, value: T, ttlSeconds: number): void {
// If cache is full, remove oldest entries
if (this.cache.size >= this.maxSize) {
const oldestKey = this.cache.keys().next().value;
if (oldestKey) {
this.cache.delete(oldestKey);
}
}
const now = Date.now();
this.cache.set(key, {
value,
expiresAt: now + ttlSeconds * 1000,
createdAt: now,
});
}
get<T>(key: string): T | null {
const entry = this.cache.get(key) as CacheEntry<T> | undefined;
if (!entry) return null;
if (Date.now() > entry.expiresAt) {
this.cache.delete(key);
return null;
}
return entry.value;
}
delete(key: string): boolean {
return this.cache.delete(key);
}
clear(): void {
this.cache.clear();
}
private cleanup(): void {
const now = Date.now();
this.cache.forEach((entry, key) => {
if (now > entry.expiresAt) {
this.cache.delete(key);
}
});
}
getStats() {
const now = Date.now();
let expired = 0;
let valid = 0;
this.cache.forEach((entry) => {
if (now > entry.expiresAt) {
expired++;
} else {
valid++;
}
});
return {
size: this.cache.size,
valid,
expired,
maxSize: this.maxSize,
};
}
destroy(): void {
if (this.cleanupInterval) {
clearInterval(this.cleanupInterval);
}
this.cache.clear();
}
}
class CacheManager {
private memoryCache = new MemoryCache();
private stats = {
hits: 0,
misses: 0,
sets: 0,
deletes: 0,
errors: 0,
redisHits: 0,
memoryHits: 0,
};
async get<T>(key: string): Promise<T | null> {
try {
// Try Redis first
if (redisManager.isAvailable()) {
const redisValue = await redisManager.get(key);
if (redisValue) {
this.stats.hits++;
this.stats.redisHits++;
return JSON.parse(redisValue);
}
}
// Fall back to memory cache
const memoryValue = this.memoryCache.get<T>(key);
if (memoryValue) {
this.stats.hits++;
this.stats.memoryHits++;
return memoryValue;
}
this.stats.misses++;
return null;
} catch (error) {
console.error(`[Cache] GET error for key ${key}:`, error);
this.stats.errors++;
return null;
}
}
async set<T>(
key: string,
value: T,
ttlSeconds: number = env.REDIS_TTL_DEFAULT
): Promise<boolean> {
try {
const serializedValue = JSON.stringify(value);
let redisSuccess = false;
let memorySuccess = false;
// Set in Redis if available
if (redisManager.isAvailable()) {
redisSuccess = await redisManager.set(key, serializedValue, {
EX: ttlSeconds,
});
}
// Always set in memory cache as fallback
this.memoryCache.set(key, value, ttlSeconds);
memorySuccess = true;
this.stats.sets++;
return redisSuccess || memorySuccess;
} catch (error) {
console.error(`[Cache] SET error for key ${key}:`, error);
this.stats.errors++;
return false;
}
}
async delete(key: string): Promise<boolean> {
try {
let redisSuccess = false;
let memorySuccess = false;
// Delete from Redis if available
if (redisManager.isAvailable()) {
redisSuccess = await redisManager.del(key);
}
// Delete from memory cache
memorySuccess = this.memoryCache.delete(key);
this.stats.deletes++;
return redisSuccess || memorySuccess;
} catch (error) {
console.error(`[Cache] DELETE error for key ${key}:`, error);
this.stats.errors++;
return false;
}
}
async mget<T>(keys: string[]): Promise<Map<string, T>> {
const result = new Map<string, T>();
try {
// Try Redis first for all keys
if (redisManager.isAvailable()) {
const redisValues = await redisManager.mget(keys);
for (let i = 0; i < keys.length; i++) {
const value = redisValues[i];
if (value) {
result.set(keys[i], JSON.parse(value));
this.stats.redisHits++;
}
}
}
// For missing keys, check memory cache
for (const key of keys) {
if (!result.has(key)) {
const memoryValue = this.memoryCache.get<T>(key);
if (memoryValue) {
result.set(key, memoryValue);
this.stats.memoryHits++;
}
}
}
this.stats.hits += result.size;
this.stats.misses += keys.length - result.size;
} catch (error) {
console.error("[Cache] MGET error:", error);
this.stats.errors++;
}
return result;
}
async invalidatePattern(pattern: string): Promise<number> {
try {
let deleted = 0;
// Clear from Redis if available
if (redisManager.isAvailable()) {
deleted += await redisManager.flushPattern(pattern);
}
// Clear from memory cache (simple pattern matching)
// Note: Memory cache doesn't support patterns, so we clear all if pattern includes wildcards
if (pattern.includes("*")) {
this.memoryCache.clear();
deleted += 1; // Approximate since we cleared all
} else {
if (this.memoryCache.delete(pattern)) {
deleted += 1;
}
}
return deleted;
} catch (error) {
console.error(
`[Cache] Pattern invalidation error for ${pattern}:`,
error
);
this.stats.errors++;
return 0;
}
}
getStats() {
return {
...this.stats,
hitRate: this.stats.hits / (this.stats.hits + this.stats.misses) || 0,
redisAvailable: redisManager.isAvailable(),
memory: this.memoryCache.getStats(),
};
}
async healthCheck() {
const redisHealth = await redisManager.healthCheck();
const memoryStats = this.memoryCache.getStats();
return {
redis: redisHealth,
memory: {
available: true,
size: memoryStats.size,
valid: memoryStats.valid,
expired: memoryStats.expired,
},
overall: {
available: redisHealth.connected || memoryStats.valid >= 0,
fallbackMode: !redisHealth.connected,
},
};
}
async shutdown(): Promise<void> {
this.memoryCache.destroy();
await redisManager.disconnect();
}
}
// Singleton cache manager
const cacheManager = new CacheManager();
// Cache key builders for consistent naming
export const CacheKeys = {
user: (userId: string) => `user:${userId}`,
userByEmail: (email: string) => `user:email:${email}`,
session: (sessionId: string) => `session:${sessionId}`,
company: (companyId: string) => `company:${companyId}`,
companyUsers: (companyId: string) => `company:${companyId}:users`,
sessionsByCompany: (companyId: string) => `sessions:company:${companyId}`,
aiModelPricing: (modelId: string) => `ai-model-pricing:${modelId}`,
processingStats: (companyId?: string) =>
`processing-stats${companyId ? `:${companyId}` : ":global"}`,
auditLogs: (companyId: string, filters: string) =>
`audit-logs:${companyId}:${filters}`,
};
// Typed cache operations with automatic TTL based on data type
export const Cache = {
// User operations
async getUser(userId: string) {
return cacheManager.get<{
id: string;
email: string;
name?: string;
role: string;
companyId: string;
}>(CacheKeys.user(userId));
},
async setUser(
userId: string,
user: {
id: string;
email: string;
name?: string;
role: string;
companyId: string;
}
) {
return cacheManager.set(CacheKeys.user(userId), user, env.REDIS_TTL_USER);
},
async getUserByEmail(email: string) {
return cacheManager.get<{
id: string;
email: string;
name?: string;
role: string;
companyId: string;
}>(CacheKeys.userByEmail(email));
},
async setUserByEmail(
email: string,
user: {
id: string;
email: string;
name?: string;
role: string;
companyId: string;
}
) {
return cacheManager.set(
CacheKeys.userByEmail(email),
user,
env.REDIS_TTL_USER
);
},
// Session operations
async getSession(sessionId: string) {
return cacheManager.get<{
id: string;
companyId: string;
startTime: string;
endTime: string;
messageCount?: number;
}>(CacheKeys.session(sessionId));
},
async setSession(
sessionId: string,
session: {
id: string;
companyId: string;
startTime: string;
endTime: string;
messageCount?: number;
}
) {
return cacheManager.set(
CacheKeys.session(sessionId),
session,
env.REDIS_TTL_SESSION
);
},
// Company operations
async getCompany(companyId: string) {
return cacheManager.get<{
id: string;
name: string;
status: string;
}>(CacheKeys.company(companyId));
},
async setCompany(
companyId: string,
company: {
id: string;
name: string;
status: string;
}
) {
return cacheManager.set(
CacheKeys.company(companyId),
company,
env.REDIS_TTL_COMPANY
);
},
// Generic operations
async get<T>(key: string): Promise<T | null> {
return cacheManager.get<T>(key);
},
async set<T>(key: string, value: T, ttlSeconds?: number): Promise<boolean> {
return cacheManager.set(key, value, ttlSeconds);
},
async delete(key: string): Promise<boolean> {
return cacheManager.delete(key);
},
async mget<T>(keys: string[]): Promise<Map<string, T>> {
return cacheManager.mget<T>(keys);
},
async invalidatePattern(pattern: string): Promise<number> {
return cacheManager.invalidatePattern(pattern);
},
// Cache invalidation helpers
async invalidateUser(userId: string) {
await cacheManager.delete(CacheKeys.user(userId));
},
async invalidateUserByEmail(email: string) {
await cacheManager.delete(CacheKeys.userByEmail(email));
},
async invalidateCompany(companyId: string) {
return cacheManager.invalidatePattern(`company:${companyId}*`);
},
async invalidateSession(sessionId: string) {
await cacheManager.delete(CacheKeys.session(sessionId));
},
// Monitoring and management
getStats() {
return cacheManager.getStats();
},
async healthCheck() {
return cacheManager.healthCheck();
},
async shutdown() {
return cacheManager.shutdown();
},
};
export { cacheManager };

165
lib/csp-server.ts Normal file
View File

@@ -0,0 +1,165 @@
/**
* Server-only CSP utilities
* This file should never be imported by client-side code
*/
import { type NextRequest, NextResponse } from "next/server";
import type { CSPConfig } from "./csp";
/**
* Generate a cryptographically secure nonce for CSP
*/
export function generateNonce(): string {
// Use Web Crypto API for Edge Runtime and browser compatibility
if (typeof crypto !== "undefined" && crypto.getRandomValues) {
const bytes = new Uint8Array(16);
crypto.getRandomValues(bytes);
return btoa(String.fromCharCode(...bytes));
}
throw new Error(
"Web Crypto API not available - this should only be called in supported environments"
);
}
/**
* Build Content Security Policy header value based on configuration
*/
export function buildCSP(config: CSPConfig = {}): string {
const {
nonce,
isDevelopment = false,
reportUri,
_enforceMode = true,
strictMode = false,
allowedExternalDomains = [],
_reportingLevel = "violations",
} = config;
// Base directives for all environments
const baseDirectives = {
"default-src": ["'self'"],
"base-uri": ["'self'"],
"form-action": ["'self'"],
"frame-ancestors": ["'none'"],
"object-src": ["'none'"],
"upgrade-insecure-requests": true,
};
// Script sources - more restrictive in production
const scriptSrc = isDevelopment
? ["'self'", "'unsafe-eval'", "'unsafe-inline'"]
: nonce
? ["'self'", `'nonce-${nonce}'`, "'strict-dynamic'"]
: ["'self'"];
// Style sources - use nonce in production when available
const styleSrc = nonce
? ["'self'", `'nonce-${nonce}'`]
: ["'self'", "'unsafe-inline'"]; // Fallback for TailwindCSS
// Image sources - allow self, data URIs, and specific trusted domains
const imgSrc = [
"'self'",
"data:",
"https://schema.org", // For structured data images
"https://livedash.notso.ai", // Application domain
"https://*.basemaps.cartocdn.com", // Leaflet map tiles
"https://*.openstreetmap.org", // OpenStreetMap tiles
...allowedExternalDomains
.filter((domain) => domain.startsWith("https://"))
.map((domain) => domain),
].filter(Boolean);
// Font sources - restrict to self and data URIs
const fontSrc = ["'self'", "data:"];
// Connect sources - API endpoints and trusted domains
const connectSrc = isDevelopment
? ["'self'", "https:", "wss:", "ws:"] // Allow broader sources in dev for HMR
: strictMode
? [
"'self'",
"https://api.openai.com", // OpenAI API
"https://livedash.notso.ai", // Application API
...allowedExternalDomains.filter(
(domain) =>
domain.startsWith("https://") || domain.startsWith("wss://")
),
].filter(Boolean)
: [
"'self'",
"https://api.openai.com", // OpenAI API
"https://livedash.notso.ai", // Application API
"https:", // Allow all HTTPS in non-strict mode
];
// Media sources - restrict to self
const mediaSrc = ["'self'"];
// Worker sources - restrict to self
const workerSrc = ["'self'"];
// Child sources - restrict to self
const childSrc = ["'self'"];
// Manifest sources - restrict to self
const manifestSrc = ["'self'"];
// Build the directive object
const directives = {
...baseDirectives,
"script-src": scriptSrc,
"style-src": styleSrc,
"img-src": imgSrc,
"font-src": fontSrc,
"connect-src": connectSrc,
"media-src": mediaSrc,
"worker-src": workerSrc,
"child-src": childSrc,
"manifest-src": manifestSrc,
};
// Add report URI if provided
if (reportUri) {
directives["report-uri"] = [reportUri];
directives["report-to"] = ["csp-endpoint"];
}
// Convert directives to CSP string
const cspString = Object.entries(directives)
.map(([directive, value]) => {
if (value === true) return directive;
if (Array.isArray(value)) return `${directive} ${value.join(" ")}`;
return `${directive} ${value}`;
})
.join("; ");
return cspString;
}
/**
* Create CSP middleware for Next.js
*/
export function createCSPMiddleware(config: CSPConfig = {}) {
return (_request: NextRequest) => {
const nonce = generateNonce();
const isDevelopment = process.env.NODE_ENV === "development";
const csp = buildCSP({
...config,
nonce,
isDevelopment,
});
const response = NextResponse.next();
// Set CSP header
response.headers.set("Content-Security-Policy", csp);
// Store nonce for use in components
response.headers.set("X-Nonce", nonce);
return response;
};
}

252
lib/csp.ts
View File

@@ -1,5 +1,5 @@
import crypto from "node:crypto";
import { type NextRequest, NextResponse } from "next/server";
// CSP types and browser-safe utilities
// Server-only functions (generateNonce, buildCSP) are in csp-server.ts
export interface CSPConfig {
nonce?: string;
@@ -11,6 +11,105 @@ export interface CSPConfig {
reportingLevel?: "none" | "violations" | "all";
}
/**
* Build Content Security Policy string based on configuration
*/
export function buildCSPString(config: CSPConfig = {}): string {
const {
nonce,
isDevelopment = false,
reportUri,
strictMode = false,
allowedExternalDomains = [],
} = config;
const directives: Record<string, string[]> = {
"default-src": ["'self'"],
"script-src": ["'self'"],
"style-src": ["'self'"],
"img-src": ["'self'", "data:", "blob:"],
"font-src": ["'self'", "data:"],
"connect-src": ["'self'"],
"frame-src": ["'none'"],
"object-src": ["'none'"],
"base-uri": ["'self'"],
"form-action": ["'self'"],
"frame-ancestors": ["'none'"],
"upgrade-insecure-requests": [],
};
// Script source configuration
if (isDevelopment) {
directives["script-src"].push("'unsafe-eval'", "'unsafe-inline'");
} else if (nonce) {
directives["script-src"].push(
`'nonce-${nonce}'`,
"'strict-dynamic'",
"'unsafe-inline'" // Required for browsers that don't support nonce
);
}
// Style source configuration
if (isDevelopment) {
directives["style-src"].push("'unsafe-inline'");
} else if (nonce) {
directives["style-src"].push(`'nonce-${nonce}'`);
}
// Development-specific relaxations
if (isDevelopment) {
// Allow WebSocket connections for hot reload
directives["connect-src"].push("ws:", "wss:");
// Allow local development servers
directives["connect-src"].push("http://localhost:*", "http://127.0.0.1:*");
}
// Map tile sources
directives["img-src"].push(
"https://*.basemaps.cartocdn.com",
"https://*.openstreetmap.org",
"https://unpkg.com" // For Leaflet markers
);
// External domains configuration
if (allowedExternalDomains.length > 0) {
directives["connect-src"].push(...allowedExternalDomains);
} else if (!strictMode) {
// In non-strict mode, allow HTTPS connections
directives["connect-src"].push("https:");
}
// Worker sources
directives["worker-src"] = ["'self'", "blob:"];
// Media sources
directives["media-src"] = ["'self'"];
// Manifest source
directives["manifest-src"] = ["'self'"];
// Report URI
if (reportUri) {
directives["report-uri"] = [reportUri];
directives["report-to"] = ["csp-endpoint"];
}
// Build the CSP string
return Object.entries(directives)
.filter(
([_, values]) =>
values.length > 0 ||
["upgrade-insecure-requests", "block-all-mixed-content"].includes(_)
)
.map(([directive, values]) => {
if (values.length === 0) {
return directive;
}
return `${directive} ${values.join(" ")}`;
})
.join("; ");
}
export interface CSPViolationReport {
"csp-report": {
"document-uri": string;
@@ -25,155 +124,6 @@ export interface CSPViolationReport {
};
}
/**
* Generate a cryptographically secure nonce for CSP
*/
export function generateNonce(): string {
return crypto.randomBytes(16).toString("base64");
}
/**
* Build Content Security Policy header value based on configuration
*/
export function buildCSP(config: CSPConfig = {}): string {
const {
nonce,
isDevelopment = false,
reportUri,
_enforceMode = true,
strictMode = false,
allowedExternalDomains = [],
_reportingLevel = "violations",
} = config;
// Base directives for all environments
const baseDirectives = {
"default-src": ["'self'"],
"base-uri": ["'self'"],
"form-action": ["'self'"],
"frame-ancestors": ["'none'"],
"object-src": ["'none'"],
"upgrade-insecure-requests": true,
};
// Script sources - more restrictive in production
const scriptSrc = isDevelopment
? ["'self'", "'unsafe-eval'", "'unsafe-inline'"]
: nonce
? ["'self'", `'nonce-${nonce}'`, "'strict-dynamic'"]
: ["'self'"];
// Style sources - use nonce in production when available
const styleSrc = nonce
? ["'self'", `'nonce-${nonce}'`]
: ["'self'", "'unsafe-inline'"]; // Fallback for TailwindCSS
// Image sources - allow self, data URIs, and specific trusted domains
const imgSrc = [
"'self'",
"data:",
"https://schema.org", // For structured data images
"https://livedash.notso.ai", // Application domain
"https://*.basemaps.cartocdn.com", // Leaflet map tiles
"https://*.openstreetmap.org", // OpenStreetMap tiles
...allowedExternalDomains
.filter((domain) => domain.startsWith("https://"))
.map((domain) => domain),
].filter(Boolean);
// Font sources - restrict to self and data URIs
const fontSrc = ["'self'", "data:"];
// Connect sources - API endpoints and trusted domains
const connectSrc = isDevelopment
? ["'self'", "https:", "wss:", "ws:"] // Allow broader sources in dev for HMR
: strictMode
? [
"'self'",
"https://api.openai.com", // OpenAI API
"https://livedash.notso.ai", // Application API
...allowedExternalDomains.filter(
(domain) =>
domain.startsWith("https://") || domain.startsWith("wss://")
),
].filter(Boolean)
: [
"'self'",
"https://api.openai.com", // OpenAI API
"https://livedash.notso.ai", // Application API
"https:", // Allow all HTTPS in non-strict mode
];
// Media sources - restrict to self
const mediaSrc = ["'self'"];
// Worker sources - restrict to self
const workerSrc = ["'self'"];
// Child sources - restrict to self
const childSrc = ["'self'"];
// Manifest sources - restrict to self
const manifestSrc = ["'self'"];
// Build the directive object
const directives = {
...baseDirectives,
"script-src": scriptSrc,
"style-src": styleSrc,
"img-src": imgSrc,
"font-src": fontSrc,
"connect-src": connectSrc,
"media-src": mediaSrc,
"worker-src": workerSrc,
"child-src": childSrc,
"manifest-src": manifestSrc,
};
// Add report URI if provided
if (reportUri) {
directives["report-uri"] = [reportUri];
directives["report-to"] = ["csp-endpoint"];
}
// Convert directives to CSP string
const cspString = Object.entries(directives)
.map(([directive, value]) => {
if (value === true) return directive;
if (Array.isArray(value)) return `${directive} ${value.join(" ")}`;
return `${directive} ${value}`;
})
.join("; ");
return cspString;
}
/**
* Create CSP middleware for Next.js
*/
export function createCSPMiddleware(config: CSPConfig = {}) {
return (_request: NextRequest) => {
const nonce = generateNonce();
const isDevelopment = process.env.NODE_ENV === "development";
const csp = buildCSP({
...config,
nonce,
isDevelopment,
});
const response = NextResponse.next();
// Set CSP header
response.headers.set("Content-Security-Policy", csp);
// Store nonce for use in components
response.headers.set("X-Nonce", nonce);
return response;
};
}
/**
* Helper function to check unsafe directives
*/

75
lib/csrf-client.ts Normal file
View File

@@ -0,0 +1,75 @@
/**
* Client-side CSRF Utilities
*
* This module provides client-side CSRF functionality without server-side imports.
* Used by tRPC client and other client-side code.
*/
/**
* CSRF configuration for client-side usage
*/
export const CSRF_CONFIG = {
cookieName: "csrf-token",
headerName: "x-csrf-token",
} as const;
/**
* Client-side utilities
*/
export const CSRFClient = {
/**
* Get CSRF token from cookies (client-side)
*/
getToken(): string | null {
if (typeof document === "undefined") return null;
const cookies = document.cookie.split(";");
for (const cookie of cookies) {
const [name, value] = cookie.trim().split("=");
if (name === CSRF_CONFIG.cookieName) {
return decodeURIComponent(value);
}
}
return null;
},
/**
* Add CSRF token to fetch options
*/
addTokenToFetch(options: RequestInit = {}): RequestInit {
const token = this.getToken();
if (!token) return options;
return {
...options,
headers: {
...options.headers,
[CSRF_CONFIG.headerName]: token,
},
};
},
/**
* Add CSRF token to form data
*/
addTokenToFormData(formData: FormData): FormData {
const token = this.getToken();
if (token) {
formData.append("csrf_token", token);
}
return formData;
},
/**
* Add CSRF token to object (for JSON requests)
*/
addTokenToObject<T extends Record<string, unknown>>(
obj: T
): T & { csrfToken: string } {
const token = this.getToken();
return {
...obj,
csrfToken: token || "",
};
},
};

93
lib/csrf.ts
View File

@@ -8,7 +8,7 @@
import csrf from "csrf";
import { cookies } from "next/headers";
import type { NextRequest } from "next/server";
import { env } from "./env";
import { clientEnv } from "./env-client";
const tokens = new csrf();
@@ -18,11 +18,14 @@ const tokens = new csrf();
export const CSRF_CONFIG = {
cookieName: "csrf-token",
headerName: "x-csrf-token",
secret: env.CSRF_SECRET,
secret: clientEnv.CSRF_SECRET,
cookie: {
httpOnly: true,
secure: env.NODE_ENV === "production",
sameSite: "lax" as const,
secure: clientEnv.NODE_ENV === "production",
sameSite:
clientEnv.NODE_ENV === "production"
? ("strict" as const)
: ("lax" as const),
maxAge: 60 * 60 * 24, // 24 hours
},
} as const;
@@ -66,21 +69,8 @@ export function extractCSRFToken(request: NextRequest): string | null {
return headerToken;
}
// Check form data for POST requests
if (request.method === "POST") {
try {
const formData = request.formData();
return formData.then((data) => data.get("csrf_token") as string | null);
} catch {
// If formData fails, try JSON body
try {
const body = request.json();
return body.then((data) => data.csrfToken || null);
} catch {
return null;
}
}
}
// Note: For form data and JSON body, we need async handling
// This function will be made async or handled by the caller
return null;
}
@@ -90,7 +80,7 @@ export function extractCSRFToken(request: NextRequest): string | null {
*/
export async function getCSRFTokenFromCookies(): Promise<string | null> {
try {
const cookieStore = cookies();
const cookieStore = await cookies();
const token = cookieStore.get(CSRF_CONFIG.cookieName);
return token?.value || null;
} catch {
@@ -113,7 +103,7 @@ export const CSRFProtection = {
options: {
httpOnly: boolean;
secure: boolean;
sameSite: "lax";
sameSite: "lax" | "strict";
maxAge: number;
path: string;
};
@@ -224,63 +214,4 @@ export const CSRFProtection = {
},
};
/**
* Client-side utilities
*/
export const CSRFClient = {
/**
* Get CSRF token from cookies (client-side)
*/
getToken(): string | null {
if (typeof document === "undefined") return null;
const cookies = document.cookie.split(";");
for (const cookie of cookies) {
const [name, value] = cookie.trim().split("=");
if (name === CSRF_CONFIG.cookieName) {
return decodeURIComponent(value);
}
}
return null;
},
/**
* Add CSRF token to fetch options
*/
addTokenToFetch(options: RequestInit = {}): RequestInit {
const token = this.getToken();
if (!token) return options;
return {
...options,
headers: {
...options.headers,
[CSRF_CONFIG.headerName]: token,
},
};
},
/**
* Add CSRF token to form data
*/
addTokenToFormData(formData: FormData): FormData {
const token = this.getToken();
if (token) {
formData.append("csrf_token", token);
}
return formData;
},
/**
* Add CSRF token to object (for JSON requests)
*/
addTokenToObject<T extends Record<string, unknown>>(
obj: T
): T & { csrfToken: string } {
const token = this.getToken();
return {
...obj,
csrfToken: token || "",
};
},
};
// Client-side utilities moved to ./csrf-client.ts to avoid server-side import issues

5
lib/database-pool.ts
View File

@@ -1,7 +1,10 @@
// Advanced database connection pooling configuration
import { PrismaPg } from "@prisma/adapter-pg";
import { PrismaClient } from "@prisma/client";
import pkg from "@prisma/client";
const { PrismaClient } = pkg;
import type { Pool } from "pg";
import { env } from "./env";

241
lib/dynamic-imports.tsx Normal file
View File

@@ -0,0 +1,241 @@
/**
* Dynamic Import Utilities for Bundle Optimization
*
* This module provides utilities for dynamic imports to improve
* bundle splitting and reduce initial bundle size through:
* - Lazy loading of heavy components
* - Route-based code splitting
* - Library-specific dynamic imports
*/
import dynamic from "next/dynamic";
import { type ComponentType, lazy, Suspense } from "react";
// Loading component for better UX during lazy loading
const LoadingSpinner = () => (
<div className="flex items-center justify-center p-4">
<div className="animate-spin rounded-full h-8 w-8 border-b-2 border-primary" />
</div>
);
const LoadingSkeleton = () => (
<div className="animate-pulse space-y-4 p-4">
<div className="h-4 bg-gray-200 rounded w-3/4" />
<div className="h-4 bg-gray-200 rounded w-1/2" />
<div className="h-4 bg-gray-200 rounded w-5/6" />
</div>
);
// Generic dynamic import wrapper with error boundary
function createDynamicComponent<T = object>(
importFunc: () => Promise<{ default: ComponentType<T> }>,
options?: {
loading?: ComponentType;
ssr?: boolean;
suspense?: boolean;
}
) {
const {
loading: LoadingComponent = LoadingSpinner,
ssr = true,
suspense = false,
} = options || {};
return dynamic(importFunc, {
loading: () => <LoadingComponent />,
ssr,
suspense,
});
}
// Chart components (heavy libraries - perfect for dynamic loading)
export const DynamicLineChart = createDynamicComponent(
() => import("recharts").then((mod) => ({ default: mod.LineChart })),
{ loading: LoadingSkeleton, ssr: false }
);
export const DynamicBarChart = createDynamicComponent(
() => import("recharts").then((mod) => ({ default: mod.BarChart })),
{ loading: LoadingSkeleton, ssr: false }
);
export const DynamicPieChart = createDynamicComponent(
() => import("recharts").then((mod) => ({ default: mod.PieChart })),
{ loading: LoadingSkeleton, ssr: false }
);
export const DynamicAreaChart = createDynamicComponent(
() => import("recharts").then((mod) => ({ default: mod.AreaChart })),
{ loading: LoadingSkeleton, ssr: false }
);
// D3 components for data visualization (also heavy)
export const DynamicWordCloud = createDynamicComponent(
() =>
import("../components/charts/WordCloud").then((mod) => ({
default: mod.WordCloud,
})),
{ loading: LoadingSkeleton, ssr: false }
);
export const DynamicTreeMap = createDynamicComponent(
() =>
import("../components/charts/TreeMap").then((mod) => ({
default: mod.TreeMap,
})),
{ loading: LoadingSkeleton, ssr: false }
);
// Map components (Leaflet is heavy)
export const DynamicLeafletMap = createDynamicComponent(
() =>
import("../components/maps/LeafletMap").then((mod) => ({
default: mod.LeafletMap,
})),
{ loading: LoadingSkeleton, ssr: false }
);
// Admin panels (only loaded for admin users)
export const DynamicAuditLogsPanel = createDynamicComponent(
() =>
import("../app/dashboard/audit-logs/page").then((mod) => ({
default: mod.default,
})),
{ loading: LoadingSkeleton }
);
export const DynamicSecurityMonitoring = createDynamicComponent(
() =>
import("../components/admin/SecurityMonitoring").then((mod) => ({
default: mod.SecurityMonitoring,
})),
{ loading: LoadingSkeleton }
);
// CSV processing components (only loaded when needed)
export const DynamicCSVUploader = createDynamicComponent(
() =>
import("../components/csv/CSVUploader").then((mod) => ({
default: mod.CSVUploader,
})),
{ loading: LoadingSpinner }
);
export const DynamicCSVProcessor = createDynamicComponent(
() =>
import("../components/csv/CSVProcessor").then((mod) => ({
default: mod.CSVProcessor,
})),
{ loading: LoadingSpinner }
);
// Data table components (heavy when dealing with large datasets)
export const DynamicDataTable = createDynamicComponent(
() =>
import("../components/tables/DataTable").then((mod) => ({
default: mod.DataTable,
})),
{ loading: LoadingSkeleton }
);
// Modal components (can be heavy with complex forms)
export const DynamicUserInviteModal = createDynamicComponent(
() =>
import("../components/modals/UserInviteModal").then((mod) => ({
default: mod.UserInviteModal,
})),
{ loading: LoadingSpinner }
);
export const DynamicCompanySettingsModal = createDynamicComponent(
() =>
import("../components/modals/CompanySettingsModal").then((mod) => ({
default: mod.CompanySettingsModal,
})),
{ loading: LoadingSpinner }
);
// Text editor components (rich text editors are typically heavy)
export const DynamicRichTextEditor = createDynamicComponent(
() =>
import("../components/editor/RichTextEditor").then((mod) => ({
default: mod.RichTextEditor,
})),
{ loading: LoadingSpinner, ssr: false }
);
// PDF viewers and generators (heavy libraries)
export const DynamicPDFViewer = createDynamicComponent(
() =>
import("../components/pdf/PDFViewer").then((mod) => ({
default: mod.PDFViewer,
})),
{ loading: LoadingSpinner, ssr: false }
);
// Animation libraries (Framer Motion, Lottie, etc.)
export const DynamicAnimatedComponent = createDynamicComponent(
() =>
import("../components/animations/AnimatedComponent").then((mod) => ({
default: mod.AnimatedComponent,
})),
{ loading: LoadingSpinner, ssr: false }
);
// React wrapper for React.lazy with Suspense
export function createLazyComponent<T = object>(
importFunc: () => Promise<{ default: ComponentType<T> }>,
_fallback: ComponentType = LoadingSpinner
) {
const LazyComponent = lazy(importFunc);
return function WrappedComponent(props: T) {
return (
<Suspense fallback={<fallback />}>
<LazyComponent {...props} />
</Suspense>
);
};
}
// Utility for dynamic library imports (for libraries not directly used in components)
export async function dynamicImport<T>(
importFunc: () => Promise<T>
): Promise<T> {
try {
return await importFunc();
} catch (error) {
console.error("Dynamic import failed:", error);
throw new Error("Failed to load module");
}
}
// Dynamic import helpers for specific heavy libraries
export const DynamicLibraries = {
// Date utilities
dateFns: () => dynamicImport(() => import("date-fns")),
dateFnsFormat: () =>
dynamicImport(() =>
import("date-fns").then((mod) => ({ format: mod.format }))
),
// Validation libraries
zod: () => dynamicImport(() => import("zod")),
// Animation libraries
framerMotion: () => dynamicImport(() => import("motion")),
// CSV parsing
csvParse: () => dynamicImport(() => import("csv-parse")),
// Crypto utilities (when needed client-side)
bcrypt: () => dynamicImport(() => import("bcryptjs")),
};
// Bundle analyzer helper
export const analyzeBundleSize = async () => {
if (process.env.NODE_ENV === "development") {
console.log("🔍 To analyze bundle size, run: pnpm build:analyze");
console.log("📊 This will generate an interactive bundle analyzer report");
}
};

56
lib/env-client.ts Normal file
View File

@@ -0,0 +1,56 @@
/**
* Client-safe environment variables
* This module only includes environment variables that are safe to use in the browser
* and does not have any Node.js dependencies
*/
/**
* Parse environment variable value by removing quotes, comments, and trimming whitespace
*/
function parseEnvValue(value: string | undefined): string {
if (!value) return "";
// Trim whitespace
let cleaned = value.trim();
// Remove inline comments (everything after #)
const commentIndex = cleaned.indexOf("#");
if (commentIndex !== -1) {
cleaned = cleaned.substring(0, commentIndex).trim();
}
// Remove surrounding quotes (both single and double)
if (
(cleaned.startsWith('"') && cleaned.endsWith('"')) ||
(cleaned.startsWith("'") && cleaned.endsWith("'"))
) {
cleaned = cleaned.slice(1, -1);
}
return cleaned;
}
/**
* Client-safe environment variables (browser-safe subset)
*/
export const clientEnv = {
NODE_ENV: parseEnvValue(process.env.NODE_ENV) || "development",
NEXTAUTH_URL:
parseEnvValue(process.env.NEXTAUTH_URL) || "http://localhost:3000",
// CSRF Protection - fallback to a default value that will work in client
CSRF_SECRET:
parseEnvValue(process.env.CSRF_SECRET) ||
parseEnvValue(process.env.NEXTAUTH_SECRET) ||
"fallback-csrf-secret",
} as const;
/**
* Check if we're in development mode
*/
export const isDevelopment = clientEnv.NODE_ENV === "development";
/**
* Check if we're in production mode
*/
export const isProduction = clientEnv.NODE_ENV === "production";

25
lib/env.ts
View File

@@ -80,10 +80,17 @@ export const env = {
NODE_ENV: parseEnvValue(process.env.NODE_ENV) || "development",
// CSRF Protection
CSRF_SECRET:
parseEnvValue(process.env.CSRF_SECRET) ||
parseEnvValue(process.env.NEXTAUTH_SECRET) ||
"fallback-csrf-secret",
CSRF_SECRET: (() => {
const csrfSecret = parseEnvValue(process.env.CSRF_SECRET);
const nextAuthSecret = parseEnvValue(process.env.NEXTAUTH_SECRET);
if (csrfSecret) return csrfSecret;
if (nextAuthSecret) return nextAuthSecret;
throw new Error(
"CSRF_SECRET or NEXTAUTH_SECRET is required for security. Please set one of these environment variables."
);
})(),
// OpenAI
OPENAI_API_KEY: parseEnvValue(process.env.OPENAI_API_KEY) || "",
@@ -124,6 +131,13 @@ export const env = {
10
),
// Redis Configuration (optional - graceful fallback to in-memory if not provided)
REDIS_URL: parseEnvValue(process.env.REDIS_URL) || "",
REDIS_TTL_DEFAULT: parseIntWithDefault(process.env.REDIS_TTL_DEFAULT, 300), // 5 minutes default
REDIS_TTL_SESSION: parseIntWithDefault(process.env.REDIS_TTL_SESSION, 1800), // 30 minutes
REDIS_TTL_USER: parseIntWithDefault(process.env.REDIS_TTL_USER, 900), // 15 minutes
REDIS_TTL_COMPANY: parseIntWithDefault(process.env.REDIS_TTL_COMPANY, 600), // 10 minutes
// Server
PORT: parseIntWithDefault(process.env.PORT, 3000),
} as const;
@@ -142,6 +156,9 @@ export function validateEnv(): { valid: boolean; errors: string[] } {
errors.push("NEXTAUTH_SECRET is required");
}
// CSRF_SECRET validation is now handled in the IIFE above
// If we reach here, CSRF_SECRET is guaranteed to be set
if (
!env.OPENAI_API_KEY &&
env.NODE_ENV === "production" &&

2
lib/hooks/useCSRF.ts
View File

@@ -7,7 +7,7 @@
"use client";
import { useCallback, useEffect, useState } from "react";
import { CSRFClient } from "../csrf";
import { CSRFClient } from "../csrf-client";
/**
* Hook for managing CSRF tokens

34
lib/importProcessor.ts
View File

@@ -119,6 +119,14 @@ async function parseTranscriptIntoMessages(
// Split transcript into lines and parse each message
const lines = transcriptContent.split("\n").filter((line) => line.trim());
const messagesToCreate: Array<{
sessionId: string;
timestamp: Date | null;
role: string;
content: string;
order: number;
}> = [];
let order = 0;
for (const line of lines) {
@@ -158,22 +166,28 @@ async function parseTranscriptIntoMessages(
// Skip empty content
if (!content) continue;
// Create message record
await prisma.message.create({
data: {
sessionId,
timestamp,
role,
content,
order,
},
// Collect message data for batch creation
messagesToCreate.push({
sessionId,
timestamp,
role,
content,
order,
});
order++;
}
// Batch create all messages at once for better performance
if (messagesToCreate.length > 0) {
await prisma.message.createMany({
data: messagesToCreate,
skipDuplicates: true, // Prevents errors on unique constraint violations
});
}
console.log(
`[Import Processor] ✓ Parsed ${order} messages for session ${sessionId}`
`[Import Processor] ✓ Parsed ${messagesToCreate.length} messages for session ${sessionId} (batch operation)`
);
}

350
lib/performance.ts Normal file
View File

@@ -0,0 +1,350 @@
/**
* Performance Monitoring and Optimization Utilities
*
* This module provides client-side performance monitoring tools to:
* - Track Core Web Vitals (LCP, FID, CLS)
* - Monitor bundle loading performance
* - Provide runtime performance insights
* - Help identify optimization opportunities
*/
// Core Web Vitals types
interface PerformanceMetrics {
lcp?: number; // Largest Contentful Paint
fid?: number; // First Input Delay
cls?: number; // Cumulative Layout Shift
fcp?: number; // First Contentful Paint
ttfb?: number; // Time to First Byte
}
class PerformanceMonitor {
private metrics: PerformanceMetrics = {};
private observers: PerformanceObserver[] = [];
private isMonitoring = false;
constructor() {
if (typeof window !== "undefined") {
this.initializeMonitoring();
}
}
private initializeMonitoring() {
if (this.isMonitoring) return;
this.isMonitoring = true;
// Monitor LCP (Largest Contentful Paint)
this.observeMetric("largest-contentful-paint", (entries) => {
const lastEntry = entries[entries.length - 1] as PerformanceEntry & {
renderTime: number;
loadTime: number;
};
this.metrics.lcp = lastEntry.renderTime || lastEntry.loadTime;
this.reportMetric("LCP", this.metrics.lcp);
});
// Monitor FID (First Input Delay)
this.observeMetric("first-input", (entries) => {
const firstEntry = entries[0] as PerformanceEntry & {
processingStart: number;
startTime: number;
};
this.metrics.fid = firstEntry.processingStart - firstEntry.startTime;
this.reportMetric("FID", this.metrics.fid);
});
// Monitor CLS (Cumulative Layout Shift)
this.observeMetric("layout-shift", (entries) => {
let clsValue = 0;
for (const entry of entries) {
const entryWithValue = entry as PerformanceEntry & {
value: number;
hadRecentInput: boolean;
};
if (!entryWithValue.hadRecentInput) {
clsValue += entryWithValue.value;
}
}
this.metrics.cls = clsValue;
this.reportMetric("CLS", this.metrics.cls);
});
// Monitor FCP (First Contentful Paint)
this.observeMetric("paint", (entries) => {
const fcpEntry = entries.find(
(entry) => entry.name === "first-contentful-paint"
);
if (fcpEntry) {
this.metrics.fcp = fcpEntry.startTime;
this.reportMetric("FCP", this.metrics.fcp);
}
});
// Monitor TTFB (Time to First Byte)
this.observeMetric("navigation", (entries) => {
const navEntry = entries[0] as PerformanceNavigationTiming;
this.metrics.ttfb = navEntry.responseStart - navEntry.requestStart;
this.reportMetric("TTFB", this.metrics.ttfb);
});
// Monitor resource loading
this.observeResourceLoading();
}
private observeMetric(
entryType: string,
callback: (entries: PerformanceEntry[]) => void
) {
try {
const observer = new PerformanceObserver((list) => {
callback(list.getEntries());
});
observer.observe({ entryTypes: [entryType] });
this.observers.push(observer);
} catch (error) {
console.warn(`Failed to observe ${entryType}:`, error);
}
}
private observeResourceLoading() {
try {
const observer = new PerformanceObserver((list) => {
const entries = list.getEntries();
for (const entry of entries) {
if (entry.name.includes(".js") || entry.name.includes(".css")) {
this.analyzeResourceTiming(entry as PerformanceResourceTiming);
}
}
});
observer.observe({ entryTypes: ["resource"] });
this.observers.push(observer);
} catch (error) {
console.warn("Failed to observe resource loading:", error);
}
}
private analyzeResourceTiming(entry: PerformanceResourceTiming) {
const isSlowResource = entry.duration > 1000; // Resources taking > 1s
const isLargeResource = entry.transferSize > 500000; // Resources > 500KB
if (isSlowResource || isLargeResource) {
console.warn("Performance Issue Detected:", {
resource: entry.name,
duration: `${entry.duration.toFixed(2)}ms`,
size: `${(entry.transferSize / 1024).toFixed(2)}KB`,
type: entry.initiatorType,
suggestion: isLargeResource
? "Consider code splitting or dynamic imports"
: "Resource loading is slow - check network or CDN",
});
}
}
private reportMetric(name: string, value: number) {
if (process.env.NODE_ENV === "development") {
const rating = this.getRating(name, value);
console.log(`📊 ${name}: ${value.toFixed(2)}ms (${rating})`);
if (rating === "poor") {
console.warn(`⚠️ ${name} performance is poor. Consider optimization.`);
}
}
// In production, you might want to send this to an analytics service
if (process.env.NODE_ENV === "production") {
this.sendToAnalytics(name, value);
}
}
private getRating(
metricName: string,
value: number
): "good" | "needs-improvement" | "poor" {
const thresholds = {
LCP: { good: 2500, poor: 4000 },
FID: { good: 100, poor: 300 },
CLS: { good: 0.1, poor: 0.25 },
FCP: { good: 1800, poor: 3000 },
TTFB: { good: 600, poor: 1500 },
};
const threshold = thresholds[metricName as keyof typeof thresholds];
if (!threshold) return "good";
if (value <= threshold.good) return "good";
if (value <= threshold.poor) return "needs-improvement";
return "poor";
}
private sendToAnalytics(metricName: string, value: number) {
// Placeholder for analytics integration
// You could send this to Google Analytics, Vercel Analytics, etc.
if (typeof gtag !== "undefined") {
gtag("event", "core_web_vital", {
name: metricName,
value: Math.round(value),
metric_rating: this.getRating(metricName, value),
});
}
}
public getMetrics(): PerformanceMetrics {
return { ...this.metrics };
}
public generatePerformanceReport(): string {
const report = Object.entries(this.metrics)
.map(([key, value]) => {
const rating = this.getRating(key.toUpperCase(), value);
return `${key.toUpperCase()}: ${value.toFixed(2)}ms (${rating})`;
})
.join("\n");
return `Performance Report:\n${report}`;
}
public getBundleAnalysis() {
if (typeof window === "undefined") return null;
const scripts = Array.from(document.querySelectorAll("script[src]"));
const styles = Array.from(
document.querySelectorAll('link[rel="stylesheet"]')
);
const bundleInfo = {
scripts: scripts.length,
styles: styles.length,
totalResources: scripts.length + styles.length,
suggestions: [] as string[],
};
// Analyze bundle composition
const jsFiles = scripts.map((script) => (script as HTMLScriptElement).src);
const hasLargeVendorBundle = jsFiles.some(
(src) => src.includes("vendor") || src.includes("node_modules")
);
if (bundleInfo.scripts > 10) {
bundleInfo.suggestions.push("Consider consolidating scripts");
}
if (hasLargeVendorBundle) {
bundleInfo.suggestions.push(
"Consider code splitting for vendor libraries"
);
}
return bundleInfo;
}
public cleanup() {
this.observers.forEach((observer) => observer.disconnect());
this.observers = [];
this.isMonitoring = false;
}
}
// Bundle size analysis utilities
export const BundleAnalyzer = {
// Estimate the size of imported modules
estimateModuleSize: (moduleName: string): Promise<number> => {
return import(moduleName).then((module) => {
// This is a rough estimation - in practice you'd use webpack-bundle-analyzer
return JSON.stringify(module).length;
});
},
// Check if a module should be dynamically imported based on size
shouldDynamicImport: (estimatedSize: number, threshold = 50000): boolean => {
return estimatedSize > threshold; // 50KB threshold
},
// Provide bundle optimization suggestions
getOptimizationSuggestions: (): string[] => {
const suggestions: string[] = [];
// Check if running in development with potential optimizations
if (process.env.NODE_ENV === "development") {
suggestions.push("Run `pnpm build:analyze` to analyze bundle size");
suggestions.push("Consider using dynamic imports for heavy components");
suggestions.push("Check if all imported dependencies are actually used");
}
return suggestions;
},
};
// Web Vitals integration
export const webVitalsMonitor = new PerformanceMonitor();
// Performance hooks for React components
export const usePerformanceMonitor = () => {
return {
getMetrics: () => webVitalsMonitor.getMetrics(),
generateReport: () => webVitalsMonitor.generatePerformanceReport(),
getBundleAnalysis: () => webVitalsMonitor.getBundleAnalysis(),
};
};
// Utility to measure component render time
export const measureRenderTime = (componentName: string) => {
const startTime = performance.now();
return () => {
const endTime = performance.now();
const renderTime = endTime - startTime;
if (renderTime > 50) {
// Flag components taking >50ms to render
console.warn(
`🐌 Slow render detected: ${componentName} took ${renderTime.toFixed(2)}ms`
);
}
return renderTime;
};
};
// Resource loading utilities
export const ResourceOptimizer = {
// Preload critical resources
preloadResource: (
url: string,
type: "script" | "style" | "image" = "script"
) => {
if (typeof document === "undefined") return;
const link = document.createElement("link");
link.rel = "preload";
link.href = url;
link.as = type;
document.head.appendChild(link);
},
// Prefetch resources for next navigation
prefetchResource: (url: string) => {
if (typeof document === "undefined") return;
const link = document.createElement("link");
link.rel = "prefetch";
link.href = url;
document.head.appendChild(link);
},
// Check if resource is already loaded
isResourceLoaded: (url: string): boolean => {
if (typeof document === "undefined") return false;
const scripts = Array.from(document.querySelectorAll("script[src]"));
const styles = Array.from(document.querySelectorAll("link[href]"));
return [...scripts, ...styles].some(
(element) =>
(element as HTMLScriptElement | HTMLLinkElement).src === url ||
(element as HTMLLinkElement).href === url
);
},
};
export default webVitalsMonitor;

5
lib/prisma.ts
View File

@@ -1,5 +1,8 @@
// Enhanced Prisma client setup with connection pooling
import { PrismaClient } from "@prisma/client";
import pkg from "@prisma/client";
const { PrismaClient } = pkg;
import { createEnhancedPrismaClient } from "./database-pool";
import { env } from "./env";

233
lib/redis.ts Normal file
View File

@@ -0,0 +1,233 @@
/**
* Redis Client Configuration and Management
*
* This module provides Redis client setup with connection management,
* error handling, and graceful fallbacks to in-memory caching when Redis is unavailable.
*/
import { createClient, type RedisClientType } from "redis";
import { env } from "./env";
type RedisClient = RedisClientType;
class RedisManager {
private client: RedisClient | null = null;
private isConnected = false;
private isConnecting = false;
private connectionAttempts = 0;
private readonly maxRetries = 3;
private readonly retryDelay = 2000;
constructor() {
this.initializeConnection();
}
private async initializeConnection(): Promise<void> {
if (this.isConnecting || this.isConnected) return;
this.isConnecting = true;
try {
if (!env.REDIS_URL) {
console.log("[Redis] No REDIS_URL provided, skipping Redis connection");
this.isConnecting = false;
return;
}
this.client = createClient({
url: env.REDIS_URL,
socket: {
connectTimeout: 5000,
commandTimeout: 3000,
},
retryDelayOnFailover: 100,
retryDelayOnClusterDown: 300,
});
this.client.on("error", (error) => {
console.error("[Redis] Client error:", error);
this.isConnected = false;
});
this.client.on("connect", () => {
console.log("[Redis] Connected successfully");
this.isConnected = true;
this.connectionAttempts = 0;
});
this.client.on("disconnect", () => {
console.log("[Redis] Disconnected");
this.isConnected = false;
});
await this.client.connect();
} catch (error) {
console.error("[Redis] Connection failed:", error);
this.isConnected = false;
this.connectionAttempts++;
if (this.connectionAttempts < this.maxRetries) {
console.log(
`[Redis] Retrying connection in ${this.retryDelay}ms (attempt ${this.connectionAttempts}/${this.maxRetries})`
);
setTimeout(() => {
this.isConnecting = false;
this.initializeConnection();
}, this.retryDelay);
} else {
console.warn(
"[Redis] Max connection attempts reached, falling back to in-memory caching"
);
}
} finally {
this.isConnecting = false;
}
}
async get(key: string): Promise<string | null> {
if (!this.isConnected || !this.client) {
return null;
}
try {
return await this.client.get(key);
} catch (error) {
console.error(`[Redis] GET failed for key ${key}:`, error);
return null;
}
}
async set(
key: string,
value: string,
options?: { EX?: number; PX?: number }
): Promise<boolean> {
if (!this.isConnected || !this.client) {
return false;
}
try {
await this.client.set(key, value, options);
return true;
} catch (error) {
console.error(`[Redis] SET failed for key ${key}:`, error);
return false;
}
}
async del(key: string): Promise<boolean> {
if (!this.isConnected || !this.client) {
return false;
}
try {
await this.client.del(key);
return true;
} catch (error) {
console.error(`[Redis] DEL failed for key ${key}:`, error);
return false;
}
}
async exists(key: string): Promise<boolean> {
if (!this.isConnected || !this.client) {
return false;
}
try {
const result = await this.client.exists(key);
return result === 1;
} catch (error) {
console.error(`[Redis] EXISTS failed for key ${key}:`, error);
return false;
}
}
async mget(keys: string[]): Promise<(string | null)[]> {
if (!this.isConnected || !this.client || keys.length === 0) {
return keys.map(() => null);
}
try {
return await this.client.mGet(keys);
} catch (error) {
console.error(`[Redis] MGET failed for keys ${keys.join(", ")}:`, error);
return keys.map(() => null);
}
}
async mset(keyValuePairs: Record<string, string>): Promise<boolean> {
if (!this.isConnected || !this.client) {
return false;
}
try {
await this.client.mSet(keyValuePairs);
return true;
} catch (error) {
console.error("[Redis] MSET failed:", error);
return false;
}
}
async flushPattern(pattern: string): Promise<number> {
if (!this.isConnected || !this.client) {
return 0;
}
try {
const keys = await this.client.keys(pattern);
if (keys.length === 0) return 0;
await this.client.del(keys);
return keys.length;
} catch (error) {
console.error(`[Redis] FLUSH pattern ${pattern} failed:`, error);
return 0;
}
}
isAvailable(): boolean {
return this.isConnected && this.client !== null;
}
async disconnect(): Promise<void> {
if (this.client) {
try {
await this.client.disconnect();
} catch (error) {
console.error("[Redis] Disconnect error:", error);
}
this.client = null;
this.isConnected = false;
}
}
async healthCheck(): Promise<{
connected: boolean;
latency?: number;
error?: string;
}> {
if (!this.isConnected || !this.client) {
return { connected: false, error: "Not connected" };
}
try {
const start = Date.now();
await this.client.ping();
const latency = Date.now() - start;
return { connected: true, latency };
} catch (error) {
return {
connected: false,
error: error instanceof Error ? error.message : "Unknown error",
};
}
}
}
// Singleton instance
const redisManager = new RedisManager();
export { redisManager };
export type { RedisClient };

14
lib/securityMonitoring.ts
View File

@@ -7,6 +7,11 @@ import {
securityAuditLogger,
} from "./securityAuditLogger";
// Utility type for deep partial objects
type DeepPartial<T> = {
[P in keyof T]?: T[P] extends object ? DeepPartial<T[P]> : T[P];
};
export interface SecurityAlert {
id: string;
timestamp: Date;
@@ -370,7 +375,7 @@ class SecurityMonitoringService {
/**
* Configure monitoring thresholds
*/
updateConfig(config: Partial<MonitoringConfig>): void {
updateConfig(config: DeepPartial<MonitoringConfig>): void {
this.config = this.deepMerge(this.config, config);
}
@@ -412,6 +417,7 @@ class SecurityMonitoringService {
threatLevel: ThreatLevel;
riskFactors: string[];
recommendations: string[];
isBlacklisted: boolean;
}> {
const oneDayAgo = new Date(Date.now() - 24 * 60 * 60 * 1000);
@@ -470,7 +476,11 @@ class SecurityMonitoringService {
recommendations.push("Continue monitoring for suspicious activity");
}
return { threatLevel, riskFactors, recommendations };
// Simple blacklist check based on threat level and risk factors
const isBlacklisted =
threatLevel === ThreatLevel.CRITICAL && riskFactors.length >= 3;
return { threatLevel, riskFactors, recommendations, isBlacklisted };
}
private async detectImediateThreats(

2
lib/trpc-client.ts
View File

@@ -9,7 +9,7 @@ import { httpBatchLink } from "@trpc/client";
import { createTRPCNext } from "@trpc/next";
import superjson from "superjson";
import type { AppRouter } from "@/server/routers/_app";
import { CSRFClient } from "./csrf";
import { CSRFClient } from "./csrf-client";
function getBaseUrl() {
if (typeof window !== "undefined") {