feat: Phase 2 — Gemini migration, OAuth expansion, validation, rate limiting, security headers

Author: Aymanseif

app/(auth)/signup/page.tsx

@@ -1,17 +1,47 @@
 "use client";
 
-import { signIn } from "next-auth/react";
-import { useState } from "react";
+import { signIn, getProviders } from "next-auth/react";
+import { useState, useEffect } from "react";
 import Link from "next/link";
 import { useLocale } from "@/components/LocaleProvider";
 
+type Providers = Record<string, { id: string; name: string }>;
+
+const providerIcons: Record<string, JSX.Element> = {
+  google: (
+    <svg className="w-5 h-5" viewBox="0 0 24 24">
+      <path fill="#4285F4" d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92a5.06 5.06 0 01-2.2 3.32v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.1z" />
+      <path fill="#34A853" d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.98.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84C3.99 20.53 7.7 23 12 23z" />
+      <path fill="#FBBC05" d="M5.84 14.09c-.22-.66-.35-1.36-.35-2.09s.13-1.43.35-2.09V7.07H2.18C1.43 8.55 1 10.22 1 12s.43 3.45 1.18 4.93l2.85-2.22.81-.62z" />
+      <path fill="#EA4335" d="M12 5.38c1.62 0 3.06.56 4.21 1.64l3.15-3.15C17.45 2.09 14.97 1 12 1 7.7 1 3.99 3.47 2.18 7.07l3.66 2.84c.87-2.6 3.3-4.53 6.16-4.53z" />
+    </svg>
+  ),
+  twitter: (
+    <svg className="w-5 h-5" viewBox="0 0 24 24" fill="currentColor">
+      <path d="M18.244 2.25h3.308l-7.227 8.26 8.502 11.24H16.17l-5.214-6.817L4.99 21.75H1.68l7.73-8.835L1.254 2.25H8.08l4.713 6.231zm-1.161 17.52h1.833L7.084 4.126H5.117z" />
+    </svg>
+  ),
+  linkedin: (
+    <svg className="w-5 h-5" viewBox="0 0 24 24" fill="currentColor">
+      <path d="M20.447 20.452h-3.554v-5.569c0-1.328-.027-3.037-1.852-3.037-1.853 0-2.136 1.445-2.136 2.939v5.667H9.351V9h3.414v1.561h.046c.477-.9 1.637-1.85 3.37-1.85 3.601 0 4.267 2.37 4.267 5.455v6.286zM5.337 7.433a2.062 2.062 0 01-2.063-2.065 2.064 2.064 0 112.063 2.065zm1.782 13.019H3.555V9h3.564v11.452zM22.225 0H1.771C.792 0 0 .774 0 1.729v20.542C0 23.227.792 24 1.771 24h20.451C23.2 24 24 23.227 24 22.271V1.729C24 .774 23.2 0 22.222 0h.003z" />
+    </svg>
+  ),
+};
+
 export default function SignupPage() {
   const { t } = useLocale();
   const [email, setEmail] = useState("");
   const [name, setName] = useState("");
   const [password, setPassword] = useState("");
   const [loading, setLoading] = useState(false);
   const [error, setError] = useState("");
+  const [providers, setProviders] = useState<Providers>({});
+
+  useEffect(() => {
+    getProviders().then((p) => {
+      if (p) setProviders(p as Providers);
+    });
+  }, []);
 
   async function handleSignup(e: React.FormEvent) {
     e.preventDefault();
@@ -46,6 +76,10 @@ export default function SignupPage() {
     }
   }
 
+  const oauthProviders = Object.values(providers).filter(
+    (p) => p.id !== "credentials"
+  );
+
   return (
     <div className="min-h-screen bg-bg flex items-center justify-center p-4">
       <div className="max-w-sm w-full">
@@ -98,24 +132,28 @@ export default function SignupPage() {
           </button>
         </form>
 
-        <div className="mt-6 flex items-center gap-3">
-          <div className="flex-1 h-px bg-white/[0.06]" />
-          <span className="text-xs text-[#5a5870]">or</span>
-          <div className="flex-1 h-px bg-white/[0.06]" />
-        </div>
+        {oauthProviders.length > 0 && (
+          <>
+            <div className="mt-6 flex items-center gap-3">
+              <div className="flex-1 h-px bg-white/[0.06]" />
+              <span className="text-xs text-[#5a5870]">or</span>
+              <div className="flex-1 h-px bg-white/[0.06]" />
+            </div>
 
-        <button
-          onClick={() => signIn("google", { callbackUrl: "/dashboard" })}
-          className="w-full flex items-center justify-center gap-3 rounded-xl border border-white/[0.1] bg-white/[0.03] px-4 py-3 text-sm text-[#e8e6f0] hover:bg-white/[0.06] transition-colors mt-4"
-        >
-          <svg className="w-5 h-5" viewBox="0 0 24 24">
-            <path fill="#4285F4" d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92a5.06 5.06 0 01-2.2 3.32v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.1z" />
-            <path fill="#34A853" d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.98.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84C3.99 20.53 7.7 23 12 23z" />
-            <path fill="#FBBC05" d="M5.84 14.09c-.22-.66-.35-1.36-.35-2.09s.13-1.43.35-2.09V7.07H2.18C1.43 8.55 1 10.22 1 12s.43 3.45 1.18 4.93l2.85-2.22.81-.62z" />
-            <path fill="#EA4335" d="M12 5.38c1.62 0 3.06.56 4.21 1.64l3.15-3.15C17.45 2.09 14.97 1 12 1 7.7 1 3.99 3.47 2.18 7.07l3.66 2.84c.87-2.6 3.3-4.53 6.16-4.53z" />
-          </svg>
-          {t("signup.google")}
-        </button>
+            <div className="mt-4 space-y-3">
+              {oauthProviders.map((provider) => (
+                <button
+                  key={provider.id}
+                  onClick={() => signIn(provider.id, { callbackUrl: "/dashboard" })}
+                  className="w-full flex items-center justify-center gap-3 rounded-xl border border-white/[0.1] bg-white/[0.03] px-4 py-3 text-sm text-[#e8e6f0] hover:bg-white/[0.06] transition-colors"
+                >
+                  {providerIcons[provider.id]}
+                  {t("login.continueWith").replace("{provider}", provider.name)}
+                </button>
+              ))}
+            </div>
+          </>
+        )}
 
         <div className="mt-8 text-center text-xs text-[#5a5870] space-y-2">
           <p>

app/api/auth/reset-confirm/route.ts

@@ -2,23 +2,34 @@ import { NextResponse } from "next/server";
 import { prisma } from "@/lib/prisma";
 import { hashPassword } from "@/lib/password";
 import { createAuditLog } from "@/lib/session";
+import { isAllowedOrigin } from "@/lib/origin";
+import { resetConfirmSchema } from "@/lib/validation";
+import { rateLimitMiddleware } from "@/lib/rateLimit";
 
 export async function POST(req: Request) {
   try {
-    const body = await req.json();
-    const { token, email, password } = body;
+    if (!isAllowedOrigin(req)) {
+      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+    }
 
-    if (!token || !email || !password) {
-      return NextResponse.json({ error: "All fields are required" }, { status: 400 });
+    const rl = rateLimitMiddleware(req, "reset-confirm", 5, 60_000);
+    if (!rl.allowed) {
+      return NextResponse.json(
+        { error: "Too many requests. Try again later." },
+        { status: 429, headers: { "Retry-After": String(Math.ceil((rl.resetAt - Date.now()) / 1000)) } }
+      );
     }
 
-    if (password.length < 6) {
-      return NextResponse.json({ error: "Password must be at least 6 characters" }, { status: 400 });
+    const body = await req.json();
+    const parsed = resetConfirmSchema.safeParse(body);
+    if (!parsed.success) {
+      return NextResponse.json({ error: "Invalid request data" }, { status: 400 });
     }
 
-    const normalizedEmail = email.trim().toLowerCase();
+    const { token, email, password } = parsed.data;
+    const ip = req.headers.get("x-forwarded-for") ?? undefined;
 
-    const user = await prisma.user.findUnique({ where: { email: normalizedEmail } });
+    const user = await prisma.user.findUnique({ where: { email } });
     if (!user) {
       return NextResponse.json({ error: "Invalid or expired reset link" }, { status: 400 });
     }
@@ -49,7 +60,7 @@ export async function POST(req: Request) {
       }),
     ]);
 
-    await createAuditLog(user.id, "password-reset-completed", {}, req.headers.get("x-forwarded-for") ?? undefined);
+    await createAuditLog(user.id, "password-reset-completed", {}, ip);
 
     return NextResponse.json({ success: true });
   } catch (error) {

app/api/auth/reset-password/route.ts

@@ -2,23 +2,34 @@ import { NextResponse } from "next/server";
 import { prisma } from "@/lib/prisma";
 import { hashPassword } from "@/lib/password";
 import { createAuditLog } from "@/lib/session";
+import { isAllowedOrigin } from "@/lib/origin";
+import { resetConfirmSchema } from "@/lib/validation";
+import { rateLimitMiddleware } from "@/lib/rateLimit";
 
 export async function POST(req: Request) {
   try {
-    const body = await req.json();
-    const { token, email, password } = body;
+    if (!isAllowedOrigin(req)) {
+      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+    }
 
-    if (!token || !email || !password) {
-      return NextResponse.json({ error: "All fields are required" }, { status: 400 });
+    const rl = rateLimitMiddleware(req, "reset-confirm", 5, 60_000);
+    if (!rl.allowed) {
+      return NextResponse.json(
+        { error: "Too many requests. Try again later." },
+        { status: 429, headers: { "Retry-After": String(Math.ceil((rl.resetAt - Date.now()) / 1000)) } }
+      );
     }
 
-    if (password.length < 6) {
-      return NextResponse.json({ error: "Password must be at least 6 characters" }, { status: 400 });
+    const body = await req.json();
+    const parsed = resetConfirmSchema.safeParse(body);
+    if (!parsed.success) {
+      return NextResponse.json({ error: "Invalid request data" }, { status: 400 });
     }
 
-    const normalizedEmail = email.trim().toLowerCase();
+    const { token, email, password } = parsed.data;
+    const ip = req.headers.get("x-forwarded-for") ?? undefined;
 
-    const user = await prisma.user.findUnique({ where: { email: normalizedEmail } });
+    const user = await prisma.user.findUnique({ where: { email } });
     if (!user) {
       return NextResponse.json({ error: "Invalid or expired reset link" }, { status: 400 });
     }
@@ -49,7 +60,7 @@ export async function POST(req: Request) {
       }),
     ]);
 
-    await createAuditLog(user.id, "password-reset-completed", {}, req.headers.get("x-forwarded-for") ?? undefined);
+    await createAuditLog(user.id, "password-reset-completed", {}, ip);
 
     return NextResponse.json({ success: true });
   } catch (error) {

app/api/auth/reset-request/route.ts

@@ -2,16 +2,33 @@ import { NextResponse } from "next/server";
 import crypto from "crypto";
 import { prisma } from "@/lib/prisma";
 import { createAuditLog } from "@/lib/session";
+import { isAllowedOrigin } from "@/lib/origin";
+import { resetRequestSchema } from "@/lib/validation";
+import { rateLimitMiddleware } from "@/lib/rateLimit";
 
 export async function POST(req: Request) {
   try {
-    const body = await req.json();
-    const email = String(body?.email || "").trim().toLowerCase();
+    if (!isAllowedOrigin(req)) {
+      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+    }
+
+    const rl = rateLimitMiddleware(req, "reset-request", 5, 60_000);
+    if (!rl.allowed) {
+      return NextResponse.json(
+        { error: "Too many requests. Try again later." },
+        { status: 429, headers: { "Retry-After": String(Math.ceil((rl.resetAt - Date.now()) / 1000)) } }
+      );
+    }
 
-    if (!email) {
-      return NextResponse.json({ error: "Email is required" }, { status: 400 });
+    const body = await req.json();
+    const parsed = resetRequestSchema.safeParse(body);
+    if (!parsed.success) {
+      return NextResponse.json({ error: "Invalid email" }, { status: 400 });
     }
 
+    const { email } = parsed.data;
+    const ip = req.headers.get("x-forwarded-for") ?? undefined;
+
     const user = await prisma.user.findUnique({ where: { email } });
     if (!user) {
       return NextResponse.json({ ok: true });
@@ -29,7 +46,7 @@ export async function POST(req: Request) {
       data: { userId: user.id, token, expiresAt },
     });
 
-    await createAuditLog(user.id, "password-reset-requested", { email }, req.headers.get("x-forwarded-for") ?? undefined);
+    await createAuditLog(user.id, "password-reset-requested", { email }, ip);
 
     const resetUrl = `${process.env.NEXTAUTH_URL || "http://localhost:3000"}/reset-password?token=${token}&email=${encodeURIComponent(email)}`;
 

app/api/generate/route.ts

@@ -1,36 +1,54 @@
 import { NextRequest, NextResponse } from 'next/server';
 import { getServerSession } from 'next-auth';
 import { authOptions } from '@/lib/auth';
-import { generatePost } from '@/lib/claude';
+import { generatePost } from '@/lib/ai';
 import { canUserPost, appendPost, ensureUserExists } from '@/lib/db';
+import { generatePostSchema } from '@/lib/validation';
+import { rateLimitMiddleware } from '@/lib/rateLimit';
+import { isAllowedOrigin } from '@/lib/origin';
 
 export async function POST(req: NextRequest) {
   try {
+    if (!isAllowedOrigin(req)) {
+      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+    }
+
+    const rl = rateLimitMiddleware(req, "generate", 20, 60_000);
+    if (!rl.allowed) {
+      return NextResponse.json(
+        { error: "Rate limit exceeded. Try again later." },
+        { status: 429, headers: { "Retry-After": String(Math.ceil((rl.resetAt - Date.now()) / 1000)) } }
+      );
+    }
+
     const session = await getServerSession(authOptions);
     if (!session?.user?.email) {
       return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
     }
 
-    const { prompt, platform } = await req.json();
-    if (!prompt) {
-      return NextResponse.json({ error: "Prompt is required" }, { status: 400 });
+    const body = await req.json();
+    const parsed = generatePostSchema.safeParse(body);
+    if (!parsed.success) {
+      return NextResponse.json(
+        { error: "Invalid input. Prompt must be 10-500 characters." },
+        { status: 400 }
+      );
     }
 
-    // Ensure user exists and check limits
+    const { prompt, platform } = parsed.data;
+
     const user = await ensureUserExists(session.user.email, session.user.name || undefined);
-    
+
     const check = await canUserPost(user.id, user.plan);
     if (!check.allowed) {
-      return NextResponse.json({ 
+      return NextResponse.json({
         error: check.reason,
-        limitReached: true 
+        limitReached: true
       }, { status: 429 });
     }
 
-    // Generate post using Claude
-    const result = await generatePost(prompt, platform);
+    const result = await generatePost({ prompt, platform });
 
-    // Save post and update usage
     await appendPost({
       userId: user.id,
       content: result.post,