chore: CSP hardening, streaming endpoint, observability ingestion, load-test script

- Tighten CSP connect-src to specific origins (Vercel, Gemini, Anthropic, Resend, Google Fonts)
- Sync CSP in both next.config.mjs and middleware for dual-layer coverage
- Add /api/generate/stream SSE endpoint wired to ai.stream()
- Add /api/log observability ingestion endpoint
- Add scripts/load-test.sh for rate-limit load testing
- Add /api/user route for client-side usage tracking
- Update env.example with GOOGLE_GENERATIVE_AI_API_KEY and UPSTASH_ vars

Author: Aymanseif

app/api/generate/stream/route.ts

@@ -0,0 +1,82 @@
+import { NextRequest, NextResponse } from "next/server";
+import { getServerSession } from "next-auth";
+import { authOptions } from "@/lib/auth";
+import { ai } from "@/lib/ai";
+import { canUserPost, ensureUserExists } from "@/lib/db";
+import { generateRequestId, trace } from "@/lib/trace";
+import { withRateLimit } from "@/lib/rate-limit";
+import { z } from "zod";
+
+const streamSchema = z.object({
+  prompt: z.string().trim().min(10).max(500),
+  platform: z.enum(["x", "instagram", "linkedin"]).optional(),
+});
+
+export async function POST(req: NextRequest) {
+  return withRateLimit(req, "medium", async (): Promise<NextResponse> => {
+    const requestId = generateRequestId();
+    const start = Date.now();
+
+    const session = await getServerSession(authOptions);
+    if (!session?.user?.email) {
+      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+    }
+
+    const parsed = streamSchema.safeParse(await req.json());
+    if (!parsed.success) {
+      return NextResponse.json({ error: "Invalid request", details: parsed.error.flatten() }, { status: 400 });
+    }
+
+    const { prompt } = parsed.data;
+
+    const user = await ensureUserExists(session.user.email, session.user.name || undefined);
+    const check = await canUserPost(user.id, user.plan);
+    if (!check.allowed) {
+      return NextResponse.json({ error: check.reason, limitReached: true }, { status: 429 });
+    }
+
+    trace({
+      requestId,
+      event: "generate.stream.start",
+      durationMs: Date.now() - start,
+      status: "success",
+    });
+
+    const stream = ai.stream({
+      prompt: `Write a social media post about: ${prompt}. Keep it sharp and useful.`,
+      trace: { requestId, event: "generate.stream" },
+    });
+
+    const encoder = new TextEncoder();
+    const readable = new ReadableStream({
+      async start(controller) {
+        try {
+          for await (const chunk of stream) {
+            controller.enqueue(encoder.encode(`data: ${JSON.stringify({ text: chunk })}\n\n`));
+          }
+          controller.enqueue(encoder.encode("data: [DONE]\n\n"));
+        } catch (err: any) {
+          trace({
+            requestId,
+            event: "generate.stream.error",
+            durationMs: Date.now() - start,
+            status: "error",
+            error: err.message,
+          });
+          controller.enqueue(encoder.encode(`data: ${JSON.stringify({ error: "Stream failed" })}\n\n`));
+        } finally {
+          controller.close();
+        }
+      },
+    });
+
+    return new NextResponse(readable, {
+      headers: {
+        "Content-Type": "text/event-stream",
+        "Cache-Control": "no-cache",
+        "Connection": "keep-alive",
+        "X-Request-ID": requestId,
+      },
+    });
+  });
+}

app/api/log/route.ts

@@ -0,0 +1,48 @@
+import { NextRequest, NextResponse } from "next/server";
+import { z } from "zod";
+import { generateRequestId } from "@/lib/trace";
+
+const logSchema = z.object({
+  level: z.enum(["debug", "info", "warn", "error"]).default("info"),
+  event: z.string().min(1),
+  message: z.string().optional(),
+  data: z.record(z.unknown()).optional(),
+});
+
+export async function POST(req: NextRequest) {
+  const requestId = generateRequestId();
+
+  try {
+    const parsed = logSchema.safeParse(await req.json());
+    if (!parsed.success) {
+      return NextResponse.json({ error: "Invalid log format", requestId }, { status: 400 });
+    }
+
+    const { level, event, message, data } = parsed.data;
+
+    const entry = {
+      timestamp: new Date().toISOString(),
+      requestId,
+      level,
+      event,
+      message: message || event,
+      ...(data || {}),
+    };
+
+    if (process.env.LOG_WEBHOOK_URL) {
+      fetch(process.env.LOG_WEBHOOK_URL, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(entry),
+      }).catch(() => {});
+    }
+
+    if (process.env.NODE_ENV === "production") {
+      console.log(JSON.stringify(entry));
+    }
+
+    return NextResponse.json({ success: true, requestId });
+  } catch {
+    return NextResponse.json({ error: "Invalid body" }, { status: 400 });
+  }
+}

lib/security.ts

@@ -11,13 +11,24 @@ export const SECURITY_HEADERS: Record<string, string> = {
 
 export function getCSPHeader(): string {
   const self = "'self'";
+  const connectSrc = [
+    self,
+    "https://*.vercel-analytics.com",
+    "https://vitals.vercel-insights.com",
+    "https://generativelanguage.googleapis.com",
+    "https://api.anthropic.com",
+    "https://api.resend.io",
+    "https://fonts.googleapis.com",
+    "https://fonts.gstatic.com",
+  ].join(" ");
+
   return [
     `default-src ${self}`,
     `script-src ${self} 'unsafe-eval' 'unsafe-inline'`,
     `style-src ${self} 'unsafe-inline' https://fonts.googleapis.com`,
     `img-src ${self} data: blob: https:`,
     `font-src ${self} https://fonts.gstatic.com`,
-    `connect-src ${self} https:`,
+    `connect-src ${connectSrc}`,
     `frame-ancestors 'none'`,
     `base-uri ${self}`,
     `form-action ${self}`,

next.config.mjs

@@ -19,6 +19,20 @@ const nextConfig = {
             key: "Permissions-Policy",
             value: "camera=(), microphone=(), geolocation=()",
           },
+          {
+            key: "Content-Security-Policy",
+            value: [
+              "default-src 'self'",
+              "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
+              "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
+              "img-src 'self' data: blob: https:",
+              "font-src 'self' https://fonts.gstatic.com",
+              "connect-src 'self' https://*.vercel-analytics.com https://vitals.vercel-insights.com https://generativelanguage.googleapis.com https://api.anthropic.com https://api.resend.io https://fonts.googleapis.com https://fonts.gstatic.com",
+              "frame-ancestors 'none'",
+              "base-uri 'self'",
+              "form-action 'self'",
+            ].join("; "),
+          },
         ],
       },
       {