security: harden API routes

- Add rate limiting to /api/share (30/min), /api/export (5/hr),
  /api/account/data (3/day)
- Add client-side 30s throttle to forgot-password form
- Remove immediate tier upgrade on plan change; let invoice.paid
  webhook handle tier promotion to prevent free upgrades on payment
  failure
- Add SSRF validation to webhook URLs: block localhost, private IPs,
  link-local, and metadata endpoints
- Log Stripe webhook signature verification errors instead of
  swallowing silently
- Mask webhook secret in GET response (show first/last 4 chars only)
- Add error logging to API key last_used_at update
- Remove internal error message leaking from checkout session route

1 files changed, 6 insertions, 0 deletions

diff --git a/apps/web/app/api/share/route.ts b/apps/web/app/api/share/route.ts
index 324d1e9..5f67bc6 100644
--- a/apps/web/app/api/share/route.ts
+++ b/apps/web/app/api/share/route.ts
@@ -2,6 +2,7 @@ import { NextResponse } from "next/server"
 import { randomBytes } from "crypto"
 import { createSupabaseServerClient } from "@/lib/supabase/server"
 import { checkBotId } from "botid/server"
+import { rateLimit } from "@/lib/rate-limit"
 
 const MAX_NOTE_LENGTH = 1000
 
@@ -27,6 +28,11 @@ export async function POST(request: Request) {
     return NextResponse.json({ error: "not authenticated" }, { status: 401 })
   }
 
+  const rateLimitResult = rateLimit(`share:${user.id}`, 30, 60_000)
+  if (!rateLimitResult.success) {
+    return NextResponse.json({ error: "too many requests" }, { status: 429 })
+  }
+
   const { data: userProfile } = await supabaseClient
     .from("user_profiles")
     .select("tier")