security: critical fixes from audit
CI / test (push) Successful in 1m58s

- Rotate 5 exposed production secrets (JWT, ENCRYPTION, ADMIN, POSTGRES, REDIS)
- Fix MOCK_PAYMENTS opt-in (now defaults to disabled)
- HMAC-SHA256 webhook verification with timing-safe comparison
- Purge dangling git blobs (git gc --prune=now)
- Rate limiting on auth routes (10/15min per IP)
- CORS middleware restricted to falahos.my
- Fix walletBalance → flhBalance (Prisma schema mismatch)
This commit is contained in:
2026-06-27 17:54:34 +08:00
parent bfd3509add
commit 0c3521ba4c
8 changed files with 127 additions and 24 deletions
+39
View File
@@ -0,0 +1,39 @@
import { NextResponse } from "next/server";
import type { NextRequest } from "next/server";
const ALLOWED_ORIGINS = [
"https://falahos.my",
"https://www.falahos.my",
"http://localhost:3000",
"http://localhost:4013",
"http://localhost:4014",
];
export function middleware(request: NextRequest) {
const origin = request.headers.get("origin") || "";
const isAllowed = !origin || ALLOWED_ORIGINS.includes(origin);
const response = NextResponse.next();
if (origin && isAllowed) {
response.headers.set("Access-Control-Allow-Origin", origin);
response.headers.set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
response.headers.set("Access-Control-Allow-Headers", "Content-Type, Authorization");
response.headers.set("Access-Control-Max-Age", "86400");
} else if (origin && !isAllowed) {
response.headers.set("Access-Control-Allow-Origin", "https://falahos.my");
}
if (request.method === "OPTIONS") {
return new NextResponse(null, {
status: 204,
headers: response.headers,
});
}
return response;
}
export const config = {
matcher: "/api/:path*",
};