mirror of
https://github.com/kjanat/livedash-node.git
synced 2026-02-13 18:55:43 +01:00
Kaj Kowalski
5bfd762e55
- Update tsconfig to ES2024 target and bundler moduleResolution - Add dynamic imports for chart.js and recharts (bundle optimization) - Consolidate 17 useState into useReducer in sessions page - Fix 18 .js extension imports across lib files - Add type declarations for @rapideditor/country-coder - Fix platform user types (PlatformUserRole enum) - Fix Calendar component prop types - Centralize next-auth type augmentation - Add force-dynamic to all API routes (prevent build-time prerender) - Fix Prisma JSON null handling with Prisma.DbNull - Fix various type mismatches (SessionMessage, ImportRecord, etc.) - Export ButtonProps from button component - Update next-themes import path - Replace JSX.Element with React.ReactElement - Remove obsolete debug scripts and pnpm lockfile - Downgrade eslint to v8 for next compatibility
97 lines
2.7 KiB
TypeScript
97 lines
2.7 KiB
TypeScript
import crypto from "node:crypto";
|
|
import { type NextRequest, NextResponse } from "next/server";
|
|
import { prisma } from "../../../lib/prisma";
|
|
import { sendEmail } from "../../../lib/sendEmail";
|
|
import { forgotPasswordSchema, validateInput } from "../../../lib/validation";
|
|
|
|
export const dynamic = "force-dynamic";
|
|
|
|
// In-memory rate limiting for password reset requests
|
|
const resetAttempts = new Map<string, { count: number; resetTime: number }>();
|
|
|
|
function checkRateLimit(ip: string): boolean {
|
|
const now = Date.now();
|
|
const attempts = resetAttempts.get(ip);
|
|
|
|
if (!attempts || now > attempts.resetTime) {
|
|
resetAttempts.set(ip, { count: 1, resetTime: now + 15 * 60 * 1000 }); // 15 minute window
|
|
return true;
|
|
}
|
|
|
|
if (attempts.count >= 5) {
|
|
// Max 5 reset requests per 15 minutes per IP
|
|
return false;
|
|
}
|
|
|
|
attempts.count++;
|
|
return true;
|
|
}
|
|
|
|
export async function POST(request: NextRequest) {
|
|
try {
|
|
// Rate limiting check
|
|
const ip =
|
|
request.headers.get("x-forwarded-for") ||
|
|
request.headers.get("x-real-ip") ||
|
|
"unknown";
|
|
if (!checkRateLimit(ip)) {
|
|
return NextResponse.json(
|
|
{
|
|
success: false,
|
|
error: "Too many password reset attempts. Please try again later.",
|
|
},
|
|
{ status: 429 }
|
|
);
|
|
}
|
|
|
|
const body = await request.json();
|
|
|
|
// Validate input
|
|
const validation = validateInput(forgotPasswordSchema, body);
|
|
if (!validation.success) {
|
|
return NextResponse.json(
|
|
{
|
|
success: false,
|
|
error: "Invalid email format",
|
|
},
|
|
{ status: 400 }
|
|
);
|
|
}
|
|
|
|
const { email } = validation.data;
|
|
|
|
const user = await prisma.user.findUnique({ where: { email } });
|
|
|
|
// Always return success for privacy (don't reveal if email exists)
|
|
// But only send email if user exists
|
|
if (user) {
|
|
const token = crypto.randomBytes(32).toString("hex");
|
|
const tokenHash = crypto.createHash("sha256").update(token).digest("hex");
|
|
const expiry = new Date(Date.now() + 1000 * 60 * 30); // 30 min expiry
|
|
|
|
await prisma.user.update({
|
|
where: { email },
|
|
data: { resetToken: tokenHash, resetTokenExpiry: expiry },
|
|
});
|
|
|
|
const resetUrl = `${process.env.NEXTAUTH_URL || "http://localhost:3000"}/reset-password?token=${token}`;
|
|
await sendEmail(
|
|
email,
|
|
"Password Reset",
|
|
`Reset your password: ${resetUrl}`
|
|
);
|
|
}
|
|
|
|
return NextResponse.json({ success: true }, { status: 200 });
|
|
} catch (error) {
|
|
console.error("Forgot password error:", error);
|
|
return NextResponse.json(
|
|
{
|
|
success: false,
|
|
error: "Internal server error",
|
|
},
|
|
{ status: 500 }
|
|
);
|
|
}
|
|
}
|