implemented a comprehensive security solution to fix the critical input validation issues

Author: Kuzma02

app/api/register/route.ts

@@ -2,30 +2,65 @@ import prisma from "@/utils/db";
 import bcrypt from "bcryptjs";
 import { nanoid } from "nanoid";
 import { NextResponse } from "next/server";
+import { registrationSchema } from "@/utils/schema";
+import { sanitizeInput, commonValidations } from "@/utils/validation";
+import { handleApiError, AppError } from "@/utils/errorHandler";
 
-export const POST = async (request: any) => {
-  const { email, password } = await request.json();
+export const POST = async (request: Request) => {
+  try {
+    // Get client IP for rate limiting
+    const clientIP = request.headers.get("x-forwarded-for") || 
+                    request.headers.get("x-real-ip") || 
+                    "unknown";
 
-  const existingUser = await prisma.user.findFirst({ where: { email } });
+    // Check rate limit
+    if (!commonValidations.checkRateLimit(clientIP, 5, 15 * 60 * 1000)) {
+      throw new AppError("Too many registration attempts. Please try again later.", 429);
+    }
 
-  if (existingUser) {
-    return new NextResponse("Email is already in use", { status: 400 });
-  }
+    const body = await sanitizeInput.validateJsonInput(request);
 
-  const hashedPassword = await bcrypt.hash(password, 14);
+    const validationResult = registrationSchema.safeParse(body);
+    
+    if (!validationResult.success) {
+      throw validationResult.error;
+    }
 
-  try {
-    await prisma.user.create({
+    const { email, password } = validationResult.data;
+
+    const existingUser = await prisma.user.findFirst({ 
+      where: { email } 
+    });
+
+    if (existingUser) {
+      throw new AppError("Email is already in use", 400);
+    }
+
+    const hashedPassword = await bcrypt.hash(password, 14);
+
+    // Create user with proper error handling
+    const newUser = await prisma.user.create({
       data: {
-        id: nanoid() + "",
+        id: nanoid(),
         email,
         password: hashedPassword,
+        role: "user",
       },
     });
-    return new NextResponse("user is registered", { status: 200 });
-  } catch (err: any) {
-    return new NextResponse(err, {
-      status: 500,
-    });
+
+    // Return success response without sensitive data
+    return new NextResponse(
+      JSON.stringify({ 
+        message: "User registered successfully",
+        userId: newUser.id 
+      }),
+      { 
+        status: 200,
+        headers: { "Content-Type": "application/json" }
+      }
+    );
+
+  } catch (error) {
+    return handleApiError(error);
   }
 };

app/product/[productSlug]/page.tsx

@@ -49,9 +49,9 @@ const SingleProductPage = async ({ params }: SingleProductPageProps) => {
               className="w-auto h-auto"
             />
             <div className="flex justify-around mt-5 flex-wrap gap-y-1 max-[500px]:justify-center max-[500px]:gap-x-1">
-              {images?.map((imageItem: ImageItem) => (
+              {images?.map((imageItem: ImageItem, key: number) => (
                 <Image
-                  key={imageItem.imageID}
+                  key={imageItem.imageID + key}
                   src={`/${imageItem.image}`}
                   width={100}
                   height={100}

app/register/page.tsx

@@ -22,6 +22,7 @@ const RegisterPage = () => {
     const emailRegex = /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}$/i;
     return emailRegex.test(email);
   };
+  
   const handleSubmit = async (e: any) => {
     e.preventDefault();
     const email = e.target[2].value;
@@ -59,14 +60,27 @@ const RegisterPage = () => {
         }),
       });
 
-      if (res.status === 400) {
-        toast.error("This email is already registered");
-        setError("The email already in use");
-      }
-      if (res.status === 200) {
+      const data = await res.json();
+
+      if (res.ok) {
         setError("");
         toast.success("Registration successful");
         router.push("/login");
+      } else {
+        // Handle different types of errors
+        if (data.details && Array.isArray(data.details)) {
+          // Validation errors
+          const errorMessage = data.details.map((err: any) => err.message).join(", ");
+          setError(errorMessage);
+          toast.error(errorMessage);
+        } else if (data.error) {
+          // General errors
+          setError(data.error);
+          toast.error(data.error);
+        } else {
+          setError("Registration failed");
+          toast.error("Registration failed");
+        }
       }
     } catch (error) {
       toast.error("Error, try again");

components/SingleProductRating.tsx

@@ -27,15 +27,15 @@ const SingleProductRating = ({ rating }: { rating: number }) => {
   return (
     <div className="flex text-2xl items-center max-[500px]:justify-center">
       {ratingArray &&
-        ratingArray.map((singleRating) => {
+        ratingArray.map((singleRating, key: number) => {
           return (
-            <>
+            <div key={key+"rating"}>
               {singleRating === "full star" ? (
                 <AiFillStar className="text-custom-yellow" />
               ) : (
                 <AiOutlineStar className="text-custom-yellow" />
               )}
-            </>
+            </div>
           );
         })}
       <span className="text-xl ml-1">(3 reviews)</span>

utils/errorHandler.ts

@@ -0,0 +1,85 @@
+import { NextResponse } from "next/server";
+import { ZodError } from "zod";
+
+export class AppError extends Error {
+  public statusCode: number;
+  public isOperational: boolean;
+
+  constructor(message: string, statusCode: number = 500, isOperational: boolean = true) {
+    super(message);
+    this.statusCode = statusCode;
+    this.isOperational = isOperational;
+
+    Error.captureStackTrace(this, this.constructor);
+  }
+}
+
+export const handleApiError = (error: unknown) => {
+  // Zod validation errors
+  if (error instanceof ZodError) {
+    const errors = error.errors.map(err => ({
+      field: err.path.join('.'),
+      message: err.message
+    }));
+    
+    return new NextResponse(
+      JSON.stringify({ 
+        error: "Validation failed", 
+        details: errors 
+      }),
+      { 
+        status: 400,
+        headers: { "Content-Type": "application/json" }
+      }
+    );
+  }
+
+  // Custom application errors
+  if (error instanceof AppError) {
+    return new NextResponse(
+      JSON.stringify({ error: error.message }),
+      { 
+        status: error.statusCode,
+        headers: { "Content-Type": "application/json" }
+      }
+    );
+  }
+
+  // Prisma errors
+  if (error && typeof error === 'object' && 'code' in error) {
+    const prismaError = error as any;
+    
+    switch (prismaError.code) {
+      case 'P2002':
+        return new NextResponse(
+          JSON.stringify({ error: "A record with this information already exists" }),
+          { 
+            status: 409,
+            headers: { "Content-Type": "application/json" }
+          }
+        );
+      case 'P2025':
+        return new NextResponse(
+          JSON.stringify({ error: "Record not found" }),
+          { 
+            status: 404,
+            headers: { "Content-Type": "application/json" }
+          }
+        );
+      default:
+        break;
+    }
+  }
+
+  // Generic server error
+  console.error("Unhandled error:", error);
+  return new NextResponse(
+    JSON.stringify({ 
+      error: "Internal server error. Please try again later." 
+    }),
+    { 
+      status: 500,
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+};

utils/schema.ts

@@ -1,9 +1,22 @@
 import { z } from "zod";
+import { commonValidations } from "./validation";
 
+// Registration schema with comprehensive validation
+export const registrationSchema = z.object({
+  email: commonValidations.email,
+  password: commonValidations.password,
+});
+
+// Login schema (for future use)
+export const loginSchema = z.object({
+  email: commonValidations.email,
+  password: z.string().min(1, "Password is required"),
+});
+
+// Generic validation schema (keeping existing for backward compatibility)
 const schema = z.object({
   name: z.string().min(3),
   email: z.string().email()
 });
 
-
 export default schema;

utils/validation.ts

@@ -0,0 +1,99 @@
+import { z } from "zod";
+
+// Common validation patterns
+export const commonValidations = {
+  // Email validation with comprehensive checks
+  email: z
+    .string()
+    .min(1, "Email is required")
+    .max(254, "Email must be no more than 254 characters")
+    .email("Please provide a valid email address")
+    .toLowerCase()
+    .trim()
+    .refine(
+      (email) => {
+
+        const suspiciousPatterns = [
+          /<script/i,
+          /javascript:/i,
+          /on\w+\s*=/i,
+          /data:/i,
+        ];
+        return !suspiciousPatterns.some(pattern => pattern.test(email));
+      },
+      "Email contains invalid characters"
+    ),
+
+  // Strong password validation
+  password: z
+    .string()
+    .min(8, "Password must be at least 8 characters long")
+    .max(128, "Password must be no more than 128 characters")
+    .regex(
+      /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]/,
+      "Password must contain at least one uppercase letter, one lowercase letter, one number, and one special character"
+    )
+    .refine(
+      (password) => {
+        // Check for common weak passwords
+        const commonPasswords = [
+          "password", "123456", "qwerty", "abc123", "password123",
+          "admin", "letmein", "welcome", "monkey", "dragon"
+        ];
+        return !commonPasswords.includes(password.toLowerCase());
+      },
+      "Password is too common, please choose a stronger password"
+    ),
+
+  // Request size validation
+  validateRequestSize: (contentLength: number | null) => {
+    const MAX_REQUEST_SIZE = 1024 * 1024; // 1MB limit
+    if (contentLength && contentLength > MAX_REQUEST_SIZE) {
+      throw new Error("Request payload too large");
+    }
+  },
+
+  // Rate limiting helper (basic implementation)
+  rateLimit: new Map<string, { count: number; resetTime: number }>(),
+  
+  checkRateLimit: (identifier: string, maxRequests: number = 5, windowMs: number = 15 * 60 * 1000) => {
+    const now = Date.now();
+    const userLimit = commonValidations.rateLimit.get(identifier);
+    
+    if (!userLimit || now > userLimit.resetTime) {
+      commonValidations.rateLimit.set(identifier, { count: 1, resetTime: now + windowMs });
+      return true;
+    }
+    
+    if (userLimit.count >= maxRequests) {
+      return false;
+    }
+    
+    userLimit.count++;
+    return true;
+  }
+};
+
+// Sanitization helpers
+export const sanitizeInput = {
+  // Remove potentially dangerous characters
+  sanitizeString: (input: string): string => {
+    return input
+      .replace(/[<>]/g, '') // Remove < and >
+      .replace(/javascript:/gi, '') // Remove javascript: protocol
+      .replace(/on\w+\s*=/gi, '') // Remove event handlers
+      .trim();
+  },
+
+  // Validate and sanitize JSON input
+  validateJsonInput: async (request: Request) => {
+    const contentLength = request.headers.get("content-length");
+    commonValidations.validateRequestSize(contentLength ? parseInt(contentLength) : null);
+
+    try {
+      return await request.json();
+    } catch (error) {
+      throw new Error("Invalid JSON format");
+    }
+  }
+};