implemented better next auth configuration, enchanced security, increased rate limits and fixed orders admin page display bag

Author: Kuzma02

app/api/auth/[...nextauth]/route.ts

@@ -1,4 +1,4 @@
-import NextAuth from "next-auth";
+import NextAuth, { NextAuthOptions } from "next-auth";
 import { Account, User as AuthUser } from "next-auth";
 import GithubProvider from "next-auth/providers/github";
 import CredentialsProvider from "next-auth/providers/credentials";
@@ -7,7 +7,7 @@ import bcrypt from "bcryptjs";
 import prisma from "@/utils/db";
 import { nanoid } from "nanoid";
 
-export const authOptions: any = {
+export const authOptions: NextAuthOptions = {
   // Configure one or more authentication providers
   providers: [
     CredentialsProvider({
@@ -40,33 +40,84 @@ export const authOptions: any = {
         } catch (err: any) {
           throw new Error(err);
         }
+        return null;
       },
-    })
-    // ... existing providers ...
+    }),
+    // Uncomment and configure these providers as needed
+    // GithubProvider({
+    //   clientId: process.env.GITHUB_ID!,
+    //   clientSecret: process.env.GITHUB_SECRET!,
+    // }),
+    // GoogleProvider({
+    //   clientId: process.env.GOOGLE_CLIENT_ID!,
+    //   clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
+    // }),
   ],
   callbacks: {
     async signIn({ user, account }: { user: AuthUser; account: Account }) {
-      if (account?.provider == "credentials") {
+      if (account?.provider === "credentials") {
         return true;
       }
-      // ... existing provider logic ...
+      
+      // Handle OAuth providers
+      if (account?.provider === "github" || account?.provider === "google") {
+        try {
+          // Check if user exists in database
+          const existingUser = await prisma.user.findFirst({
+            where: {
+              email: user.email!,
+            },
+          });
+
+          if (!existingUser) {
+            // Create new user for OAuth providers
+            await prisma.user.create({
+              data: {
+                id: nanoid(),
+                email: user.email!,
+                role: "user",
+                // OAuth users don't have passwords
+                password: null,
+              },
+            });
+          }
+          return true;
+        } catch (error) {
+          console.error("Error in signIn callback:", error);
+          return false;
+        }
+      }
+      
+      return true;
     },
     async jwt({ token, user }) {
       if (user) {
         token.role = user.role;
+        token.id = user.id;
       }
       return token;
     },
     async session({ session, token }) {
       if (token) {
-        session.user.role = token.role;
+        session.user.role = token.role as string;
+        session.user.id = token.id as string;
       }
       return session;
     },
   },
   pages: {
     signIn: '/login',
+    error: '/login', // Redirect to login page on auth errors
+  },
+  session: {
+    strategy: "jwt",
+    maxAge: 30 * 24 * 60 * 60, // 30 days
+  },
+  jwt: {
+    maxAge: 30 * 24 * 60 * 60, // 30 days
   },
+  secret: process.env.NEXTAUTH_SECRET,
+  debug: process.env.NODE_ENV === "development",
 };
 
 export const handler = NextAuth(authOptions);

components/AdminOrders.tsx

@@ -21,7 +21,8 @@ const AdminOrders = () => {
     const fetchOrders = async () => {
       const response = await apiClient.get("/api/orders");
       const data = await response.json();
-      setOrders(data);
+      
+      setOrders(data?.orders);
     };
     fetchOrders();
   }, []);
@@ -49,7 +50,7 @@ const AdminOrders = () => {
           </thead>
           <tbody>
             {/* row 1 */}
-            {orders &&
+            {orders && orders.length > 0 &&
               orders.map((order) => (
                 <tr key={order?.id}>
                   <th>

server/middleware/advancedRateLimiter.js

@@ -3,7 +3,7 @@ const rateLimit = require('express-rate-limit');
 // Rate limiter for password reset attempts
 const passwordResetLimiter = rateLimit({
   windowMs: 60 * 60 * 1000, // 1 hour
-  max: 3, // Limit to 3 password reset attempts per hour per IP
+  max: 6, // Limit to 3 password reset attempts per hour per IP
   message: {
     error: 'Too many password reset attempts, please try again later.',
     retryAfter: '1 hour'
@@ -21,7 +21,7 @@ const passwordResetLimiter = rateLimit({
 // Rate limiter for admin operations
 const adminLimiter = rateLimit({
   windowMs: 15 * 60 * 1000, // 15 minutes
-  max: 50, // Higher limit for admin operations
+  max: 100, // Higher limit for admin operations
   message: {
     error: 'Too many admin operations, please try again later.',
     retryAfter: '15 minutes'
@@ -39,7 +39,7 @@ const adminLimiter = rateLimit({
 // Rate limiter for wishlist operations
 const wishlistLimiter = rateLimit({
   windowMs: 5 * 60 * 1000, // 5 minutes
-  max: 20, // Limit wishlist operations
+  max: 40, // Limit wishlist operations
   message: {
     error: 'Too many wishlist operations, please try again later.',
     retryAfter: '5 minutes'
@@ -57,7 +57,7 @@ const wishlistLimiter = rateLimit({
 // Rate limiter for product operations (viewing, etc.)
 const productLimiter = rateLimit({
   windowMs: 1 * 60 * 1000, // 1 minute
-  max: 60, // Allow more requests for product viewing
+  max: 120, // Allow more requests for product viewing
   message: {
     error: 'Too many product requests, please try again later.',
     retryAfter: '1 minute'

server/middleware/rateLimiter.js

@@ -3,7 +3,7 @@ const rateLimit = require('express-rate-limit');
 // General API rate limiter - applies to all API routes
 const generalLimiter = rateLimit({
   windowMs: 15 * 60 * 1000, // 15 minutes
-  max: 100, // Limit each IP to 100 requests per windowMs
+  max: 200, // Limit each IP to 100 requests per windowMs
   message: {
     error: 'Too many requests from this IP, please try again later.',
     retryAfter: '15 minutes'
@@ -21,7 +21,7 @@ const generalLimiter = rateLimit({
 // Strict rate limiter for authentication endpoints
 const authLimiter = rateLimit({
   windowMs: 15 * 60 * 1000, // 15 minutes
-  max: 5, // Limit each IP to 5 login attempts per windowMs
+  max: 10, // Limit each IP to 5 login attempts per windowMs
   message: {
     error: 'Too many authentication attempts, please try again later.',
     retryAfter: '15 minutes'
@@ -40,7 +40,7 @@ const authLimiter = rateLimit({
 // Strict rate limiter for user registration
 const registerLimiter = rateLimit({
   windowMs: 60 * 60 * 1000, // 1 hour
-  max: 3, // Limit each IP to 3 registration attempts per hour
+  max: 6, // Limit each IP to 3 registration attempts per hour
   message: {
     error: 'Too many registration attempts, please try again later.',
     retryAfter: '1 hour'
@@ -58,7 +58,7 @@ const registerLimiter = rateLimit({
 // Moderate rate limiter for user management endpoints
 const userManagementLimiter = rateLimit({
   windowMs: 15 * 60 * 1000, // 15 minutes
-  max: 20, // Limit each IP to 20 requests per windowMs
+  max: 40, // Limit each IP to 20 requests per windowMs
   message: {
     error: 'Too many user management requests, please try again later.',
     retryAfter: '15 minutes'
@@ -76,7 +76,7 @@ const userManagementLimiter = rateLimit({
 // Rate limiter for file uploads
 const uploadLimiter = rateLimit({
   windowMs: 15 * 60 * 1000, // 15 minutes
-  max: 10, // Limit each IP to 10 uploads per windowMs
+  max: 20, // Limit each IP to 10 uploads per windowMs
   message: {
     error: 'Too many file uploads, please try again later.',
     retryAfter: '15 minutes'
@@ -94,7 +94,7 @@ const uploadLimiter = rateLimit({
 // Rate limiter for search endpoints
 const searchLimiter = rateLimit({
   windowMs: 1 * 60 * 1000, // 1 minute
-  max: 30, // Limit each IP to 30 search requests per minute
+  max: 60, // Limit each IP to 30 search requests per minute
   message: {
     error: 'Too many search requests, please try again later.',
     retryAfter: '1 minute'
@@ -112,7 +112,7 @@ const searchLimiter = rateLimit({
 // Rate limiter for order operations
 const orderLimiter = rateLimit({
   windowMs: 15 * 60 * 1000, // 15 minutes
-  max: 15, // Limit each IP to 15 order operations per windowMs
+  max: 20, // Limit each IP to 15 order operations per windowMs
   message: {
     error: 'Too many order operations, please try again later.',
     retryAfter: '15 minutes'

typings.d.ts

@@ -86,6 +86,7 @@ interface WishListItem {
 declare module "next-auth" {
   interface Session {
     user: {
+      id: string;
       name: string;
       email: string;
       image: string;
@@ -94,12 +95,14 @@ declare module "next-auth" {
   }
 
   interface User {
+    id: string;
     role: string;
   }
 }
 
 declare module "next-auth/jwt" {
   interface JWT {
+    id: string;
     role: string;
   }
 }