v1.0.4: Security hardening - rate limiting, middleware, HSTS, password strength, anti-enumeration

This commit is contained in:
Pepe Ziberi
2026-02-21 18:55:10 +01:00
parent b75bf9bb30
commit 8ef2cbe68e
15 changed files with 289 additions and 14 deletions

View File

@@ -1,16 +1,21 @@
import { NextRequest, NextResponse } from 'next/server'
import { prisma } from '@/lib/db'
import { hashPassword } from '@/lib/auth'
import { resetPasswordLimiter, getClientIp, rateLimitResponse } from '@/lib/rate-limit'
export async function POST(req: NextRequest) {
try {
const ip = getClientIp(req)
const rl = resetPasswordLimiter.check(ip)
if (!rl.success) return rateLimitResponse(rl.resetAt)
const { token, password } = await req.json()
if (!token || !password) {
return NextResponse.json({ error: 'Token und Passwort erforderlich' }, { status: 400 })
}
if (password.length < 6) {
return NextResponse.json({ error: 'Passwort muss mindestens 6 Zeichen lang sein' }, { status: 400 })
if (password.length < 8) {
return NextResponse.json({ error: 'Passwort muss mindestens 8 Zeichen lang sein' }, { status: 400 })
}
const user = await (prisma as any).user.findFirst({