feat: implement full authentication system with CSRF protection and email verification flow
All checks were successful
Build and Push App / build (push) Successful in 5m59s
All checks were successful
Build and Push App / build (push) Successful in 5m59s
This commit is contained in:
47
lib/csrf.ts
Normal file
47
lib/csrf.ts
Normal file
@@ -0,0 +1,47 @@
|
||||
import { NextRequest, NextResponse } from 'next/server';
|
||||
import { cookies } from 'next/headers';
|
||||
import crypto from 'crypto';
|
||||
|
||||
const CSRF_COOKIE_NAME = 'csrf_token';
|
||||
const CSRF_HEADER_NAME = 'x-csrf-token';
|
||||
|
||||
export async function generateCsrfToken() {
|
||||
const token = crypto.randomBytes(32).toString('hex');
|
||||
const cookieStore = await cookies();
|
||||
|
||||
cookieStore.set(CSRF_COOKIE_NAME, token, {
|
||||
httpOnly: true,
|
||||
secure: process.env.NODE_ENV === 'production',
|
||||
sameSite: 'lax',
|
||||
path: '/',
|
||||
});
|
||||
|
||||
return token;
|
||||
}
|
||||
|
||||
export async function verifyCsrfToken(request: NextRequest) {
|
||||
const cookieStore = await cookies();
|
||||
const cookieToken = cookieStore.get(CSRF_COOKIE_NAME)?.value;
|
||||
const headerToken = request.headers.get(CSRF_HEADER_NAME);
|
||||
|
||||
if (!cookieToken || !headerToken || cookieToken !== headerToken) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Basic Origin check as an additional layer of defense
|
||||
*/
|
||||
export function verifyOrigin(request: NextRequest) {
|
||||
const origin = request.headers.get('origin');
|
||||
const host = request.headers.get('host');
|
||||
|
||||
if (!origin || !host) return false;
|
||||
|
||||
// Remove protocol from origin for comparison if host doesn't have it
|
||||
const originHost = origin.replace(/^https?:\/\//, '');
|
||||
|
||||
return originHost === host || originHost.startsWith(host + ':');
|
||||
}
|
||||
Reference in New Issue
Block a user