Security First React Components

// ❌ DANGEROUS - Never use dangerouslySetInnerHTML with user input
function UnsafeComponent({ userContent }: { userContent: string }) {
  return <div dangerouslySetInnerHTML={{ __html: userContent }} />;
}

// ✅ SAFE - Let React escape content automatically
function SafeComponent({ userContent }: { userContent: string }) {
  return <div>{userContent}</div>;
}

// ✅ SAFE - Use DOMPurify for rich text (if absolutely necessary)
import DOMPurify from 'isomorphic-dompurify';

function SanitizedContent({ html }: { html: string }) {
  const sanitized = DOMPurify.sanitize(html, {
    ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'a', 'p', 'br'],
    ALLOWED_ATTR: ['href', 'target', 'rel'],
    ALLOW_DATA_ATTR: false,
  });

  return <div dangerouslySetInnerHTML={{ __html: sanitized }} />;
}

// ❌ DANGEROUS - href with javascript: protocol
function UnsafeLink({ url }: { url: string }) {
  return <a href={url}>Click me</a>;
}

// ✅ SAFE - Validate URL protocol
function SafeLink({ url }: { url: string }) {
  const isValidUrl = (url: string): boolean => {
    try {
      const parsed = new URL(url);
      return ['http:', 'https:', 'mailto:'].includes(parsed.protocol);
    } catch {
      return false;
    }
  };

  if (!isValidUrl(url)) {
    return <span className="text-gray-500">Invalid link</span>;
  }

  return (
    <a 
      href={url} 
      target="_blank" 
      rel="noopener noreferrer"
    >
      {url}
    </a>
  );
}

// next.config.mjs - CSP Configuration
import { nanoid } from 'nanoid';

const cspHeader = `
  default-src 'self';
  script-src 'self' 'nonce-{{NONCE}}' 'strict-dynamic' https://vercel.live;
  style-src 'self' 'nonce-{{NONCE}}' 'unsafe-inline';
  img-src 'self' blob: data: https://*.cloudinary.com;
  font-src 'self' data:;
  connect-src 'self' https://api.yourapp.com wss://*.supabase.co;
  frame-ancestors 'none';
  base-uri 'self';
  form-action 'self';
  upgrade-insecure-requests;
`;

/** @type {import('next').NextConfig} */
const nextConfig = {
  async headers() {
    return [
      {
        source: '/(.*)',
        headers: [
          {
            key: 'Content-Security-Policy',
            value: cspHeader.replace(/\n/g, ''),
          },
          {
            key: 'X-Frame-Options',
            value: 'DENY',
          },
          {
            key: 'X-Content-Type-Options',
            value: 'nosniff',
          },
          {
            key: 'Referrer-Policy',
            value: 'strict-origin-when-cross-origin',
          },
          {
            key: 'Permissions-Policy',
            value: 'camera=(), microphone=(), geolocation=()',
          },
        ],
      },
    ];
  },
};

export default nextConfig;

// middleware.ts - Inject CSP nonce
import { NextResponse } from 'next/server';
import type { NextRequest } from 'next/server';
import { nanoid } from 'nanoid';

export function middleware(request: NextRequest) {
  const nonce = nanoid();
  const requestHeaders = new Headers(request.headers);
  
  // Pass nonce to page via header
  requestHeaders.set('x-nonce', nonce);

  const response = NextResponse.next({
    request: {
      headers: requestHeaders,
    },
  });

  // Add CSP header with nonce
  const csp = response.headers.get('Content-Security-Policy');
  if (csp) {
    response.headers.set(
      'Content-Security-Policy',
      csp.replace(/{{NONCE}}/g, nonce)
    );
  }

  return response;
}

// app/layout.tsx - Use nonce in scripts
import { headers } from 'next/headers';
import Script from 'next/script';

export default async function RootLayout({
  children,
}: {
  children: React.ReactNode;
}) {
  const headersList = await headers();
  const nonce = headersList.get('x-nonce') ?? undefined;

  return (
    <html lang="en">
      <body>
        {children}
        <Script
          src="/analytics.js"
          strategy="afterInteractive"
          nonce={nonce}
        />
      </body>
    </html>
  );
}

import { z } from 'zod';
import { useState } from 'react';

// Define strict validation schemas
const userProfileSchema = z.object({
  username: z
    .string()
    .min(3, 'Username must be at least 3 characters')
    .max(20, 'Username must be at most 20 characters')
    .regex(
      /^[a-zA-Z0-9_-]+$/,
      'Username can only contain letters, numbers, underscores, and hyphens'
    ),
  email: z
    .string()
    .email('Invalid email address')
    .toLowerCase(),
  bio: z
    .string()
    .max(500, 'Bio must be at most 500 characters')
    .optional()
    .transform((val) => val?.trim()),
  website: z
    .string()
    .url('Invalid URL')
    .refine(
      (url) => {
        try {
          const parsed = new URL(url);
          return ['http:', 'https:'].includes(parsed.protocol);
        } catch {
          return false;
        }
      },
      { message: 'Only HTTP/HTTPS URLs are allowed' }
    )
    .optional(),
});

type UserProfile = z.infer<typeof userProfileSchema>;

interface ProfileFormProps {
  onSubmit: (data: UserProfile) => Promise<void>;
}

export function ProfileForm({ onSubmit }: ProfileFormProps) {
  const [errors, setErrors] = useState<Record<string, string>>({});
  const [isSubmitting, setIsSubmitting] = useState(false);

  const handleSubmit = async (e: React.FormEvent<HTMLFormElement>) => {
    e.preventDefault();
    setErrors({});
    setIsSubmitting(true);

    const formData = new FormData(e.currentTarget);
    const data = {
      username: formData.get('username') as string,
      email: formData.get('email') as string,
      bio: formData.get('bio') as string | undefined,
      website: formData.get('website') as string | undefined,
    };

    try {
      // Validate with Zod
      const validated = userProfileSchema.parse(data);
      await onSubmit(validated);
    } catch (error) {
      if (error instanceof z.ZodError) {
        const fieldErrors: Record<string, string> = {};
        error.errors.forEach((err) => {
          if (err.path[0]) {
            fieldErrors[err.path[0].toString()] = err.message;
          }
        });
        setErrors(fieldErrors);
      }
    } finally {
      setIsSubmitting(false);
    }
  };

  return (
    <form onSubmit={handleSubmit}>
      <div>
        <label htmlFor="username">Username</label>
        <input
          id="username"
          name="username"
          type="text"
          required
          minLength={3}
          maxLength={20}
          pattern="[a-zA-Z0-9_-]+"
        />
        {errors.username && (
          <span className="text-red-600">{errors.username}</span>
        )}
      </div>

      <div>
        <label htmlFor="email">Email</label>
        <input
          id="email"
          name="email"
          type="email"
          required
        />
        {errors.email && (
          <span className="text-red-600">{errors.email}</span>
        )}
      </div>

      <div>
        <label htmlFor="bio">Bio</label>
        <textarea
          id="bio"
          name="bio"
          maxLength={500}
        />
        {errors.bio && (
          <span className="text-red-600">{errors.bio}</span>
        )}
      </div>

      <div>
        <label htmlFor="website">Website</label>
        <input
          id="website"
          name="website"
          type="url"
        />
        {errors.website && (
          <span className="text-red-600">{errors.website}</span>
        )}
      </div>

      <button type="submit" disabled={isSubmitting}>
        {isSubmitting ? 'Saving...' : 'Save Profile'}
      </button>
    </form>
  );
}

// 1. Broken Access Control - Server-side authorization
// app/api/users/[id]/route.ts
import { NextResponse } from 'next/server';
import { auth } from '@/lib/auth';
import { db } from '@/lib/db';

export async function GET(
  request: Request,
  { params }: { params: { id: string } }
) {
  const session = await auth();

  // Check authentication
  if (!session?.user) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
  }

  // Check authorization - users can only access their own data
  if (session.user.id !== params.id && session.user.role !== 'admin') {
    return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
  }

  const user = await db.user.findUnique({
    where: { id: params.id },
    select: {
      id: true,
      email: true,
      name: true,
      // Never expose password hashes, tokens, etc.
    },
  });

  if (!user) {
    return NextResponse.json({ error: 'User not found' }, { status: 404 });
  }

  return NextResponse.json({ user });
}

// 2. Cryptographic Failures - Secure password hashing
import { hash, verify } from '@node-rs/argon2';

const ARGON2_OPTIONS = {
  memoryCost: 19456,
  timeCost: 2,
  outputLen: 32,
  parallelism: 1,
};

export async function hashPassword(password: string): Promise<string> {
  return hash(password, ARGON2_OPTIONS);
}

export async function verifyPassword(
  password: string,
  hash: string
): Promise<boolean> {
  try {
    return await verify(hash, password, ARGON2_OPTIONS);
  } catch {
    return false;
  }
}

// 3. Injection - Parameterized queries with Prisma
import { db } from '@/lib/db';

// ❌ DANGEROUS - SQL injection vulnerability
export async function searchUsersUnsafe(query: string) {
  // Never do this!
  return db.$queryRaw`SELECT * FROM users WHERE name LIKE '%${query}%'`;
}

// ✅ SAFE - Parameterized query
export async function searchUsersSafe(query: string) {
  return db.user.findMany({
    where: {
      name: {
        contains: query,
        mode: 'insensitive',
      },
    },
  });
}

// 4. Insecure Design - Rate limiting
import { Ratelimit } from '@upstash/ratelimit';
import { Redis } from '@upstash/redis';

const redis = new Redis({
  url: process.env.UPSTASH_REDIS_REST_URL!,
  token: process.env.UPSTASH_REDIS_REST_TOKEN!,
});

const ratelimit = new Ratelimit({
  redis,
  limiter: Ratelimit.slidingWindow(10, '10 s'),
  analytics: true,
});

export async function POST(request: Request) {
  const ip = request.headers.get('x-forwarded-for') ?? 'unknown';
  const { success, limit, remaining, reset } = await ratelimit.limit(ip);

  if (!success) {
    return NextResponse.json(
      { error: 'Too many requests' },
      { 
        status: 429,
        headers: {
          'X-RateLimit-Limit': limit.toString(),
          'X-RateLimit-Remaining': remaining.toString(),
          'X-RateLimit-Reset': reset.toString(),
        },
      }
    );
  }

  // Process request
}

// 5. Security Misconfiguration - Environment validation
import { z } from 'zod';

const envSchema = z.object({
  NODE_ENV: z.enum(['development', 'production', 'test']),
  DATABASE_URL: z.string().url(),
  NEXTAUTH_SECRET: z.string().min(32),
  NEXTAUTH_URL: z.string().url(),
  // Ensure sensitive vars are set in production
  UPSTASH_REDIS_REST_URL: z.string().url(),
  UPSTASH_REDIS_REST_TOKEN: z.string().min(20),
});

// Validate at build time
const env = envSchema.parse(process.env);

export { env };

// 6. Vulnerable Components - Automated dependency scanning
// package.json scripts
{
  "scripts": {
    "audit": "npm audit --audit-level=moderate",
    "audit:fix": "npm audit fix",
    "check:deps": "npx npm-check-updates"
  }
}

// lib/auth/session.ts - Secure session management
import { SignJWT, jwtVerify } from 'jose';
import { cookies } from 'next/headers';
import { nanoid } from 'nanoid';

const SECRET = new TextEncoder().encode(process.env.JWT_SECRET!);

interface SessionPayload {
  userId: string;
  sessionId: string;
  expiresAt: number;
}

export async function createSession(userId: string): Promise<string> {
  const sessionId = nanoid();
  const expiresAt = Date.now() + 7 * 24 * 60 * 60 * 1000; // 7 days

  const token = await new SignJWT({ userId, sessionId, expiresAt })
    .setProtectedHeader({ alg: 'HS256' })
    .setIssuedAt()
    .setExpirationTime('7d')
    .sign(SECRET);

  // Store session server-side for revocation
  await db.session.create({
    data: {
      id: sessionId,
      userId,
      expiresAt: new Date(expiresAt),
    },
  });

  // Set secure cookie
  (await cookies()).set('session', token, {
    httpOnly: true,
    secure: process.env.NODE_ENV === 'production',
    sameSite: 'lax',
    maxAge: 7 * 24 * 60 * 60,
    path: '/',
  });

  return token;
}

export async function verifySession(): Promise<SessionPayload | null> {
  const cookieStore = await cookies();
  const token = cookieStore.get('session')?.value;

  if (!token) return null;

  try {
    const { payload } = await jwtVerify(token, SECRET);

    // Verify session exists and is not revoked
    const session = await db.session.findUnique({
      where: { id: payload.sessionId as string },
    });

    if (!session || session.expiresAt < new Date()) {
      return null;
    }

    return payload as unknown as SessionPayload;
  } catch {
    return null;
  }
}

export async function deleteSession() {
  const session = await verifySession();
  
  if (session) {
    // Revoke server-side
    await db.session.delete({
      where: { id: session.sessionId },
    });
  }

  // Clear cookie
  (await cookies()).delete('session');
}