diff options
| author | Fuwn <[email protected]> | 2026-02-07 05:35:28 -0800 |
|---|---|---|
| committer | Fuwn <[email protected]> | 2026-02-07 05:35:28 -0800 |
| commit | c4b2813cc07a72ad7186347a2e003c01cf0d4fb0 (patch) | |
| tree | ef9e2991084139e649dc7f6d3ada0795789a55f0 /apps/web/app/api/account | |
| parent | fix: dynamically calculate detail panel equal split from current layout (diff) | |
| download | asa.news-c4b2813cc07a72ad7186347a2e003c01cf0d4fb0.tar.xz asa.news-c4b2813cc07a72ad7186347a2e003c01cf0d4fb0.zip | |
security: remove unsafe-eval CSP, fix host header injection, harden API routes
- Remove unsafe-eval from script-src CSP (not needed in production)
- Replace Host/Origin header fallback with NEXT_PUBLIC_APP_URL in share
and checkout routes to prevent host header injection
- Add .catch() to request.json() in share POST and PATCH routes
- Add rate limiting (3/min) to account deletion endpoint
Diffstat (limited to 'apps/web/app/api/account')
| -rw-r--r-- | apps/web/app/api/account/route.ts | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/apps/web/app/api/account/route.ts b/apps/web/app/api/account/route.ts index 35408d7..1212541 100644 --- a/apps/web/app/api/account/route.ts +++ b/apps/web/app/api/account/route.ts @@ -1,6 +1,7 @@ import { NextResponse } from "next/server" import { createSupabaseServerClient } from "@/lib/supabase/server" import { createSupabaseAdminClient } from "@/lib/supabase/admin" +import { rateLimit } from "@/lib/rate-limit" export async function DELETE() { const supabaseClient = await createSupabaseServerClient() @@ -12,6 +13,11 @@ export async function DELETE() { return NextResponse.json({ error: "not authenticated" }, { status: 401 }) } + const rateLimitResult = rateLimit(`account-delete:${user.id}`, 3, 60_000) + if (!rateLimitResult.success) { + return NextResponse.json({ error: "too many requests" }, { status: 429 }) + } + const adminClient = createSupabaseAdminClient() const { error } = await adminClient.auth.admin.deleteUser(user.id) |