Security & robustness hardening pass

Cross-cutting input-validation, isolation, and DoS-resistance fixes across the app, API, billing, queue, and infra layers. - Runtime validation (zod) for client-supplied admin actions (role/plan/ limits), series generation index, and all pg-boss queue payloads - Auth: require email verification before sign-in; reject weak/placeholder/ short BETTER_AUTH_SECRET in production - Billing: sanitize Stripe/PayPal errors (log server-side, generic to client); race-safe subscription upsert; only count "processed" webhook events as handled; verify org membership in getEffectivePlan to block plan escalation - Series generation: reserve usage up front and refund on failure; bill the owning org, not the caller's active org - Injection defenses: HTML-escape user fields in emails, strip CR/LF from subject/recipient, validate ElevenLabs voiceId before URL interpolation - Media routes: stream off disk instead of buffering whole files; rate-limit anonymous public audio/cover endpoints by client IP
2026-06-20 20:59:03 -04:00
parent cd1d6a1a28
commit 51c541ad22
21 changed files with 489 additions and 152 deletions
@@ -1,6 +1,7 @@
 "use server";

 import { revalidatePath } from "next/cache";
+import { z } from "zod";
 import { Prisma } from "@prisma/client";
 import { getServerSession } from "@/lib/auth/guards";
 import { prisma } from "@/lib/db";
@@ -43,8 +44,13 @@ export async function banUserAction(userId: string, ban: boolean): Promise<{ ok:
 export async function setRoleAction(userId: string, role: "admin" | "user"): Promise<{ ok: boolean; error?: string }> {
  const s = await adminSession();
  if (!s) return { ok: false, error: "Not allowed." };
-  await prisma.user.update({ where: { id: userId }, data: { role } });
-  await audit(s.user.id, "user.role", userId, { role });
+  // Don't trust the TS union at runtime — reject anything outside the allowed set.
+  const parsedRole = z.enum(["admin", "user"]).safeParse(role);
+  if (!parsedRole.success) return { ok: false, error: "Invalid role." };
+  // Self-guard: an admin must not demote/remove their own admin role and lock out.
+  if (userId === s.user.id) return { ok: false, error: "You can't change your own role." };
+  await prisma.user.update({ where: { id: userId }, data: { role: parsedRole.data } });
+  await audit(s.user.id, "user.role", userId, { role: parsedRole.data });
  revalidatePath("/admin/users");
  return { ok: true };
 }
@@ -87,6 +93,16 @@ export async function compPlanAction(
  const s = await adminSession();
  if (!s) return { ok: false, error: "Not allowed." };

+  // Validate the client-supplied plan/interval at runtime, not just via the TS union.
+  const parsed = z
+    .object({
+      plan: z.enum(["creator", "pro", "agency"]),
+      interval: z.enum(["month", "year"]),
+    })
+    .safeParse({ plan, interval });
+  if (!parsed.success) return { ok: false, error: "Invalid plan or interval." };
+  ({ plan, interval } = parsed.data);
+
  const now = new Date();
  const periodEnd = new Date(now.getTime() + (interval === "year" ? 365 : 30) * DAY_MS);

@@ -309,26 +325,65 @@ export interface PlanUpdateInput {
  };
 }

+// A monthly metric cap: a finite integer that is either a real non-negative cap
+// or UNLIMITED (-1). Mirrors the canonical PlanLimits shape in lib/billing/plans.ts.
+const quotaCap = z.number().int().gte(-1);
+// Counts that can't be "unlimited": must be finite non-negative integers.
+const nonNegInt = z.number().int().nonnegative();
+
+// Validate the limits object against the known keys only — `.strict()` rejects
+// extra/unknown keys so a client can't mass-assign arbitrary JSON into the column.
+const planLimitsSchema = z
+  .object({
+    script: quotaCap,
+    audio: quotaCap,
+    art: quotaCap,
+    repurpose: quotaCap,
+    seats: nonNegInt,
+    maxEpisodeMinutes: nonNegInt,
+  })
+  .strict();
+
+const planUpdateSchema = z.object({
+  key: z.string().min(1),
+  priceMonthly: z.number().int().nonnegative(),
+  priceYearly: z.number().int().nonnegative(),
+  limits: planLimitsSchema,
+});
+
 /** Override a plan's price/limits in the DB (an override on lib/billing/plans.ts). */
 export async function updatePlanAction(key: string, input: PlanUpdateInput): Promise<ActionResult> {
  const s = await adminSession();
  if (!s) return { ok: false, error: "Not allowed." };

-  const existing = await prisma.plan.findUnique({ where: { key } });
+  // Validate ALL client args (key + prices + limits) before touching the DB so
+  // nothing unvalidated reaches the JSON column. Prices arrive as cents; round
+  // to ints first to keep the existing tolerance for fractional input.
+  const parsed = planUpdateSchema.safeParse({
+    key,
+    priceMonthly: Math.round(input.priceMonthly),
+    priceYearly: Math.round(input.priceYearly),
+    limits: input.limits,
+  });
+  if (!parsed.success) {
+    return { ok: false, error: parsed.error.issues[0]?.message ?? "Invalid plan input." };
+  }
+
+  const existing = await prisma.plan.findUnique({ where: { key: parsed.data.key } });
  if (!existing) return { ok: false, error: "Plan not found." };

  await prisma.plan.update({
-    where: { key },
+    where: { key: parsed.data.key },
    data: {
-      priceMonthly: Math.max(0, Math.round(input.priceMonthly)),
-      priceYearly: Math.max(0, Math.round(input.priceYearly)),
-      limits: input.limits as unknown as Prisma.InputJsonValue,
+      priceMonthly: parsed.data.priceMonthly,
+      priceYearly: parsed.data.priceYearly,
+      limits: parsed.data.limits as unknown as Prisma.InputJsonValue,
    },
  });

-  await audit(s.user.id, "plan.update", key, {
-    priceMonthly: input.priceMonthly,
-    priceYearly: input.priceYearly,
+  await audit(s.user.id, "plan.update", parsed.data.key, {
+    priceMonthly: parsed.data.priceMonthly,
+    priceYearly: parsed.data.priceYearly,
  });
  revalidatePath("/admin/settings");
  return { ok: true };
@@ -20,8 +20,12 @@ import type { PlanKey } from "@/lib/billing/plans";

 type ActionResult = { ok: true; url?: string } | { ok: false; error: string };

+// Billing calls hit upstream providers (Stripe/PayPal) whose error messages can
+// contain sensitive/verbose detail. Log the real error server-side, but return a
+// single generic message to the client so nothing upstream leaks to end users.
 function errMsg(e: unknown): string {
-  return e instanceof Error ? e.message : "Something went wrong";
+  console.error("[billing] action failed", e);
+  return "Something went wrong with billing. Please try again.";
 }

 export async function startStripeCheckoutAction(
@@ -5,9 +5,11 @@ import { z } from "zod";
 import type { Prisma } from "@prisma/client";
 import { getServerSession } from "@/lib/auth/guards";
 import { prisma } from "@/lib/db";
-import { subjectHasFeature } from "@/lib/billing/subscription";
-import { enforceLimit, LimitExceededError } from "@/lib/usage/limits";
+import { getEffectivePlan, subjectHasFeature } from "@/lib/billing/subscription";
+import { reserveLimit, LimitExceededError } from "@/lib/usage/limits";
+import { refundUsage } from "@/lib/usage/meter";
 import { enqueueEpisodeGeneration } from "@/lib/queue/pgboss";
+import type { UsageMetric } from "@/lib/billing/plans";
 import { FORMAT_SPEAKERS } from "@/lib/episodes/options";
 import { DEFAULT_VOICE_IDS, VOICE_CATALOG } from "@/lib/ai/voices";
 import { isFlagEnabled } from "@/lib/flags";
@@ -62,17 +64,41 @@ export async function generateFromSeriesAction(
    return { ok: false, error: "Episode generation is temporarily paused. Please try again shortly." };
  }

+  // `index` is client-supplied and only TS-typed — validate it at runtime.
+  if (!Number.isInteger(index) || index < 0) {
+    return { ok: false, error: "Invalid episode index." };
+  }
+
  const series = await prisma.series.findUnique({ where: { id: seriesId } });
-  if (!series || series.userId !== session.user.id) return { ok: false, error: "Not allowed." };
+  if (!series || (series.userId !== session.user.id && session.user.role !== "admin")) {
+    return { ok: false, error: "Not allowed." };
+  }

  const episodes = (series.plan as unknown as { title: string; topic: string; summary: string }[]) ?? [];
  const item = episodes[index];
  if (!item) return { ok: false, error: "Episode not found in plan." };

+  // Bill the generation against the org that OWNS the series (the resource being
+  // acted on), and stamp the new episode with that same org, so the billing
+  // subject and the episode's organizationId are always consistent — regardless
+  // of the caller's currently-active org. getEffectivePlan verifies membership of
+  // series.organizationId internally and falls back to the user subject otherwise.
+  const orgId = series.organizationId ?? undefined;
+  const { subjectId, subjectType } = await getEffectivePlan(session.user.id, orgId);
+
+  // Reserve quota atomically up front (a series generation consumes script +
+  // audio). The worker won't re-meter; refund below if create/enqueue fails.
+  const reserved: UsageMetric[] = [];
+  const refundReserved = async () => {
+    for (const m of reserved) await refundUsage(subjectId, subjectType, m);
+  };
  try {
-    await enforceLimit(session.user.id, "script", session.session.activeOrganizationId);
-    await enforceLimit(session.user.id, "audio", session.session.activeOrganizationId);
+    await reserveLimit(session.user.id, "script", orgId);
+    reserved.push("script");
+    await reserveLimit(session.user.id, "audio", orgId);
+    reserved.push("audio");
  } catch (err) {
+    await refundReserved();
    if (err instanceof LimitExceededError) {
      return { ok: false, error: `Monthly ${err.check.metric} limit reached.` };
    }
@@ -85,25 +111,30 @@ export async function generateFromSeriesAction(
    elevenVoiceId: DEFAULT_VOICE_IDS[s.speakerKey] ?? VOICE_CATALOG[i % VOICE_CATALOG.length].id,
  }));

-  const episode = await prisma.episode.create({
-    data: {
-      userId: session.user.id,
-      organizationId: series.organizationId ?? undefined,
-      seriesId: series.id,
-      title: item.title,
-      topic: item.topic,
-      tone: "Conversational",
-      format: "SOLO",
-      language: "en",
-      targetLengthMin: 10,
-      status: "QUEUED",
-      stage: "Queued for generation",
-      speakers: { create: speakers },
-      jobs: { create: { type: "full", status: "queued" } },
-    },
-  });
-  await enqueueEpisodeGeneration({ episodeId: episode.id, type: "full" });
+  try {
+    const episode = await prisma.episode.create({
+      data: {
+        userId: session.user.id,
+        organizationId: orgId,
+        seriesId: series.id,
+        title: item.title,
+        topic: item.topic,
+        tone: "Conversational",
+        format: "SOLO",
+        language: "en",
+        targetLengthMin: 10,
+        status: "QUEUED",
+        stage: "Queued for generation",
+        speakers: { create: speakers },
+        jobs: { create: { type: "full", status: "queued" } },
+      },
+    });
+    await enqueueEpisodeGeneration({ episodeId: episode.id, type: "full" });

-  revalidatePath(`/series/${seriesId}`);
-  return { ok: true, episodeId: episode.id };
+    revalidatePath(`/series/${seriesId}`);
+    return { ok: true, episodeId: episode.id };
+  } catch (err) {
+    await refundReserved();
+    throw err;
+  }
 }
@@ -1,3 +1,4 @@
+import { Readable } from "node:stream";
 import { NextRequest } from "next/server";
 import { getServerSession } from "@/lib/auth/guards";
 import { prisma } from "@/lib/db";
@@ -42,20 +43,22 @@ export async function GET(
  const isAdmin = session.user.role === "admin";
  if (!isOwner && !isAdmin) return new Response("Forbidden", { status: 403 });

-  const exists = await storage().exists(key);
-  if (!exists) return new Response("Not found", { status: 404 });
+  // Stream off disk instead of buffering the whole file into memory.
+  const total = await storage().size(key);
+  if (total === null) return new Response("Not found", { status: 404 });

-  const data = await storage().get(key);
  const ext = key.split(".").pop()?.toLowerCase() ?? "";
  const contentType = CONTENT_TYPES[ext] ?? "application/octet-stream";

  const download = req.nextUrl.searchParams.get("download");
  const filename = key.split("/").pop() ?? "asset";

-  return new Response(data as BodyInit, {
+  const node = storage().createReadStream!(key);
+  const body = Readable.toWeb(node as Readable) as unknown as BodyInit;
+  return new Response(body, {
    headers: {
      "Content-Type": contentType,
-      "Content-Length": String(data.byteLength),
+      "Content-Length": String(total),
      "Cache-Control": "private, max-age=3600",
      ...(download
        ? { "Content-Disposition": `attachment; filename="${filename}"` }
@@ -1,20 +1,39 @@
+import { Readable } from "node:stream";
 import { NextRequest } from "next/server";
 import { prisma } from "@/lib/db";
+import { rateLimit, LIMITS } from "@/lib/ratelimit";
 import { storage } from "@/lib/storage";

 export const dynamic = "force-dynamic";

+/** Best-effort client IP for anonymous rate limiting. */
+function clientKey(req: NextRequest): string {
+  const fwd = req.headers.get("x-forwarded-for");
+  if (fwd) return fwd.split(",")[0].trim();
+  return req.headers.get("x-real-ip") ?? "anon";
+}
+
 /**
 * Stream an episode's MP3 to anonymous visitors, authorized purely by a valid,
 * still-enabled public `shareId` (NOT a session). Returns 404 when the share is
 * disabled or the audio is missing so we never disclose private episode state.
 *
- * Supports HTTP Range requests so the audio element can seek/scrub.
+ * Supports HTTP Range requests so the audio element can seek/scrub. The file is
+ * streamed off disk (never buffered whole) to avoid memory-amplification DoS.
 */
 export async function GET(
  req: NextRequest,
  { params }: { params: Promise<{ shareId: string }> }
 ) {
+  // Rate-limit by client IP (never by shareId alone).
+  const rl = await rateLimit("public-audio", clientKey(req), LIMITS.publicMedia);
+  if (!rl.ok) {
+    return new Response("Too many requests", {
+      status: 429,
+      headers: { "Retry-After": String(rl.retryAfterSec ?? 1) },
+    });
+  }
+
  const { shareId } = await params;

  const episode = await prisma.episode.findUnique({
@@ -24,10 +43,9 @@ export async function GET(
  const key = episode?.audioAsset?.storageKey;
  if (!key) return new Response("Not found", { status: 404 });

-  if (!(await storage().exists(key))) return new Response("Not found", { status: 404 });
+  const total = await storage().size(key);
+  if (total === null) return new Response("Not found", { status: 404 });

-  const data = await storage().get(key);
-  const total = data.byteLength;
  const contentType = "audio/mpeg";

  const range = req.headers.get("range");
@@ -37,12 +55,13 @@ export async function GET(
      const start = Number(match[1]);
      const end = match[2] ? Math.min(Number(match[2]), total - 1) : total - 1;
      if (start <= end && start < total) {
-        const chunk = data.subarray(start, end + 1);
-        return new Response(chunk as BodyInit, {
+        const node = storage().createReadStream!(key, { start, end });
+        const body = Readable.toWeb(node as Readable) as unknown as BodyInit;
+        return new Response(body, {
          status: 206,
          headers: {
            "Content-Type": contentType,
-            "Content-Length": String(chunk.byteLength),
+            "Content-Length": String(end - start + 1),
            "Content-Range": `bytes ${start}-${end}/${total}`,
            "Accept-Ranges": "bytes",
            "Cache-Control": "public, max-age=3600",
@@ -52,7 +71,9 @@ export async function GET(
    }
  }

-  return new Response(data as BodyInit, {
+  const node = storage().createReadStream!(key);
+  const body = Readable.toWeb(node as Readable) as unknown as BodyInit;
+  return new Response(body, {
    headers: {
      "Content-Type": contentType,
      "Content-Length": String(total),
@@ -1,5 +1,7 @@
+import { Readable } from "node:stream";
 import { NextRequest } from "next/server";
 import { prisma } from "@/lib/db";
+import { rateLimit, LIMITS } from "@/lib/ratelimit";
 import { storage } from "@/lib/storage";

 export const dynamic = "force-dynamic";
@@ -11,15 +13,32 @@ const CONTENT_TYPES: Record<string, string> = {
  webp: "image/webp",
 };

+/** Best-effort client IP for anonymous rate limiting. */
+function clientKey(req: NextRequest): string {
+  const fwd = req.headers.get("x-forwarded-for");
+  if (fwd) return fwd.split(",")[0].trim();
+  return req.headers.get("x-real-ip") ?? "anon";
+}
+
 /**
 * Serve an episode's cover art to anonymous visitors, authorized by a valid,
 * still-enabled public `shareId`. Used as a fallback when the storage provider
- * doesn't expose a directly-fetchable public URL for cover art.
+ * doesn't expose a directly-fetchable public URL for cover art. The file is
+ * streamed off disk rather than buffered whole to avoid memory-amplification DoS.
 */
 export async function GET(
-  _req: NextRequest,
+  req: NextRequest,
  { params }: { params: Promise<{ shareId: string }> }
 ) {
+  // Rate-limit by client IP (never by shareId alone).
+  const rl = await rateLimit("public-cover", clientKey(req), LIMITS.publicMedia);
+  if (!rl.ok) {
+    return new Response("Too many requests", {
+      status: 429,
+      headers: { "Retry-After": String(rl.retryAfterSec ?? 1) },
+    });
+  }
+
  const { shareId } = await params;

  const episode = await prisma.episode.findUnique({
@@ -28,14 +47,17 @@ export async function GET(
  });
  const key = episode?.coverArt?.storageKey;
  if (!key) return new Response("Not found", { status: 404 });
-  if (!(await storage().exists(key))) return new Response("Not found", { status: 404 });

-  const data = await storage().get(key);
+  const total = await storage().size(key);
+  if (total === null) return new Response("Not found", { status: 404 });
+
  const ext = key.split(".").pop()?.toLowerCase() ?? "png";
-  return new Response(data as BodyInit, {
+  const node = storage().createReadStream!(key);
+  const body = Readable.toWeb(node as Readable) as unknown as BodyInit;
+  return new Response(body, {
    headers: {
      "Content-Type": CONTENT_TYPES[ext] ?? "image/png",
-      "Content-Length": String(data.byteLength),
+      "Content-Length": String(total),
      "Cache-Control": "public, max-age=3600",
    },
  });