Security audit improvements: authentication, path traversal protection, file validation, rate limiting, security headers

app/api/admin/daily-puzzles/route.ts

@@ -1,5 +1,6 @@
 import { NextResponse } from 'next/server';
 import { PrismaClient } from '@prisma/client';
+import { requireAdminAuth } from '@/lib/auth';
 
 const prisma = new PrismaClient();
 
@@ -63,6 +64,10 @@ export async function GET() {
 }
 
 export async function DELETE(request: Request) {
+    // Check authentication
+    const authError = await requireAdminAuth(request as any);
+    if (authError) return authError;
+
     try {
         const { puzzleId } = await request.json();
 

app/api/admin/login/route.ts

@@ -1,7 +1,12 @@
-import { NextResponse } from 'next/server';
+import { NextRequest, NextResponse } from 'next/server';
 import bcrypt from 'bcryptjs';
+import { rateLimit } from '@/lib/rateLimit';
+
+export async function POST(request: NextRequest) {
+    // Rate limiting: 5 login attempts per minute
+    const rateLimitError = rateLimit(request, { windowMs: 60000, maxRequests: 5 });
+    if (rateLimitError) return rateLimitError;
 
-export async function POST(request: Request) {
     try {
         const { password } = await request.json();
         // Default is hash for 'admin123'