🔒 Security Enhancements & Critical Fixes

lib/auth/apiAuth.ts

@@ -0,0 +1,100 @@
+// lib/auth/apiAuth.ts
+import { NextRequest, NextResponse } from 'next/server';
+import { createClient } from '@supabase/supabase-js';
+
+const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
+const supabaseAnonKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
+
+if (!supabaseUrl || !supabaseAnonKey) {
+  console.error('[Auth] Missing Supabase credentials');
+}
+
+export interface AuthResult {
+  user: any | null;
+  error: NextResponse | null;
+}
+
+/**
+ * Require authentication for API routes
+ * Returns user object if authenticated, or error response
+ * 
+ * @example
+ * export async function POST(req: NextRequest) {
+ *   const auth = await requireAuth(req);
+ *   if (auth.error) return auth.error;
+ *   const user = auth.user;
+ *   // ... rest of your code
+ * }
+ */
+export async function requireAuth(req: NextRequest): Promise<AuthResult> {
+  // Check for authorization header
+  const authHeader = req.headers.get('authorization');
+
+  if (!authHeader?.startsWith('Bearer ')) {
+    return {
+      user: null,
+      error: NextResponse.json(
+        { error: 'Não autorizado. Token de autenticação necessário.' },
+        { status: 401 }
+      ),
+    };
+  }
+
+  const token = authHeader.substring(7);
+
+  if (!supabaseUrl || !supabaseAnonKey) {
+    return {
+      user: null,
+      error: NextResponse.json(
+        { error: 'Serviço de autenticação indisponível.' },
+        { status: 503 }
+      ),
+    };
+  }
+
+  try {
+    const supabase = createClient(supabaseUrl, supabaseAnonKey);
+    const { data: { user }, error } = await supabase.auth.getUser(token);
+
+    if (error || !user) {
+      return {
+        user: null,
+        error: NextResponse.json(
+          { error: 'Token inválido ou expirado.' },
+          { status: 401 }
+        ),
+      };
+    }
+
+    return { user, error: null };
+  } catch (e) {
+    return {
+      user: null,
+      error: NextResponse.json(
+        { error: 'Erro ao validar autenticação.' },
+        { status: 500 }
+      ),
+    };
+  }
+}
+
+/**
+ * Optional authentication - doesn't block if no auth provided
+ * Useful for endpoints that work differently for authenticated users
+ */
+export async function optionalAuth(req: NextRequest): Promise<{ user: any | null }> {
+  const authHeader = req.headers.get('authorization');
+
+  if (!authHeader?.startsWith('Bearer ') || !supabaseUrl || !supabaseAnonKey) {
+    return { user: null };
+  }
+
+  try {
+    const token = authHeader.substring(7);
+    const supabase = createClient(supabaseUrl, supabaseAnonKey);
+    const { data: { user } } = await supabase.auth.getUser(token);
+    return { user: user || null };
+  } catch {
+    return { user: null };
+  }
+}

lib/logger.ts

@@ -0,0 +1,88 @@
+// lib/logger.ts
+
+/**
+ * Controlled logging system
+ * - Development: logs to console
+ * - Production: only errors to console (can be extended to Sentry)
+ */
+
+type LogLevel = 'info' | 'warn' | 'error' | 'debug';
+
+interface LogContext {
+  [key: string]: any;
+}
+
+const isDevelopment = process.env.NODE_ENV === 'development';
+
+function formatMessage(level: LogLevel, message: string, context?: LogContext): string {
+  const timestamp = new Date().toISOString();
+  const contextStr = context ? ` ${JSON.stringify(context)}` : '';
+  return `[${timestamp}] [${level.toUpperCase()}] ${message}${contextStr}`;
+}
+
+export const logger = {
+  /**
+   * Info messages - only in development
+   */
+  info: (message: string, context?: LogContext) => {
+    if (isDevelopment) {
+      console.log(formatMessage('info', message, context));
+    }
+  },
+
+  /**
+   * Warning messages - only in development
+   */
+  warn: (message: string, context?: LogContext) => {
+    if (isDevelopment) {
+      console.warn(formatMessage('warn', message, context));
+    }
+  },
+
+  /**
+   * Error messages - always logged
+   * In production, these should be sent to error tracking service (Sentry)
+   */
+  error: (message: string, error?: Error | unknown, context?: LogContext) => {
+    const errorContext = {
+      ...context,
+      error: error instanceof Error ? {
+        message: error.message,
+        stack: error.stack,
+        name: error.name,
+      } : error,
+    };
+
+    console.error(formatMessage('error', message, errorContext));
+
+    // TODO: Send to Sentry in production
+    // if (!isDevelopment && typeof window !== 'undefined' && window.Sentry) {
+    //   window.Sentry.captureException(error, { extra: context });
+    // }
+  },
+
+  /**
+   * Debug messages - only in development
+   */
+  debug: (message: string, context?: LogContext) => {
+    if (isDevelopment) {
+      console.debug(formatMessage('debug', message, context));
+    }
+  },
+};
+
+/**
+ * API route logger with request context
+ */
+export function createApiLogger(route: string) {
+  return {
+    info: (message: string, context?: LogContext) => 
+      logger.info(`[${route}] ${message}`, context),
+    warn: (message: string, context?: LogContext) => 
+      logger.warn(`[${route}] ${message}`, context),
+    error: (message: string, error?: Error | unknown, context?: LogContext) => 
+      logger.error(`[${route}] ${message}`, error, context),
+    debug: (message: string, context?: LogContext) => 
+      logger.debug(`[${route}] ${message}`, context),
+  };
+}

lib/rateLimit.ts

@@ -0,0 +1,141 @@
+// lib/rateLimit.ts
+import { NextRequest, NextResponse } from 'next/server';
+
+interface RateLimitRecord {
+  count: number;
+  resetAt: number;
+}
+
+const rateLimitStore = new Map<string, RateLimitRecord>();
+
+// Cleanup old entries every 5 minutes
+setInterval(() => {
+  const now = Date.now();
+  for (const [key, record] of rateLimitStore.entries()) {
+    if (now > record.resetAt) {
+      rateLimitStore.delete(key);
+    }
+  }
+}, 5 * 60 * 1000);
+
+export interface RateLimitConfig {
+  limit?: number;      // Max requests per window (default: 10)
+  windowMs?: number;   // Time window in milliseconds (default: 60000 = 1 minute)
+  keyGenerator?: (req: NextRequest) => string; // Custom key generator
+}
+
+export interface RateLimitResult {
+  allowed: boolean;
+  limit: number;
+  remaining: number;
+  resetAt: number;
+  retryAfter?: number;
+}
+
+/**
+ * Rate limiting middleware for API routes
+ * 
+ * @example
+ * export async function POST(req: NextRequest) {
+ *   const rateLimit = checkRateLimit(req, { limit: 5, windowMs: 60000 });
+ *   if (!rateLimit.allowed) {
+ *     return NextResponse.json(
+ *       { error: 'Muitas requisições. Tente novamente em breve.' },
+ *       { 
+ *         status: 429,
+ *         headers: {
+ *           'Retry-After': rateLimit.retryAfter?.toString() || '60',
+ *           'X-RateLimit-Limit': rateLimit.limit.toString(),
+ *           'X-RateLimit-Remaining': rateLimit.remaining.toString(),
+ *           'X-RateLimit-Reset': new Date(rateLimit.resetAt).toISOString(),
+ *         }
+ *       }
+ *     );
+ *   }
+ *   // ... rest of your code
+ * }
+ */
+export function checkRateLimit(
+  req: NextRequest,
+  config: RateLimitConfig = {}
+): RateLimitResult {
+  const limit = config.limit || 10;
+  const windowMs = config.windowMs || 60000; // 1 minute default
+
+  // Generate unique key for this client
+  const key = config.keyGenerator
+    ? config.keyGenerator(req)
+    : getClientKey(req);
+
+  const now = Date.now();
+  const record = rateLimitStore.get(key);
+
+  // No record or expired - create new
+  if (!record || now > record.resetAt) {
+    const resetAt = now + windowMs;
+    rateLimitStore.set(key, { count: 1, resetAt });
+
+    return {
+      allowed: true,
+      limit,
+      remaining: limit - 1,
+      resetAt,
+    };
+  }
+
+  // Limit exceeded
+  if (record.count >= limit) {
+    const retryAfter = Math.ceil((record.resetAt - now) / 1000);
+
+    return {
+      allowed: false,
+      limit,
+      remaining: 0,
+      resetAt: record.resetAt,
+      retryAfter,
+    };
+  }
+
+  // Increment counter
+  record.count++;
+
+  return {
+    allowed: true,
+    limit,
+    remaining: limit - record.count,
+    resetAt: record.resetAt,
+  };
+}
+
+/**
+ * Generate client identifier from request
+ */
+function getClientKey(req: NextRequest): string {
+  // Try to get real IP (considering proxies)
+  const forwarded = req.headers.get('x-forwarded-for');
+  const realIp = req.headers.get('x-real-ip');
+  const ip = forwarded?.split(',')[0] || realIp || req.ip || 'unknown';
+
+  // Include user agent for additional uniqueness
+  const userAgent = req.headers.get('user-agent') || 'unknown';
+
+  return `${ip}:${userAgent.substring(0, 50)}`;
+}
+
+/**
+ * Helper to add rate limit headers to response
+ */
+export function addRateLimitHeaders(
+  response: NextResponse,
+  result: RateLimitResult
+): NextResponse {
+  response.headers.set('X-RateLimit-Limit', result.limit.toString());
+  response.headers.set('X-RateLimit-Remaining', result.remaining.toString());
+  response.headers.set('X-RateLimit-Reset', new Date(result.resetAt).toISOString());
+
+  if (result.retryAfter) {
+    response.headers.set('Retry-After', result.retryAfter.toString());
+  }
+
+  return response;
+}