feat: enhance create-seal API with additional input validations

- Add validation for request size, keyB, IV, and unlock timestamp to ensure data integrity and prevent invalid submissions. Reorganize validation order for better error handling.

Author: teycir

app/api/create-seal/route.ts

@@ -1,61 +1,92 @@
-import { NextRequest } from 'next/server';
-import { jsonResponse } from '@/lib/apiHandler';
-import { createAPIRoute } from '@/lib/routeHelper';
-import { validateFileSize, validateUnlockTime } from '@/lib/validation';
-import { ErrorCode, createErrorResponse } from '@/lib/errors';
-
+import { NextRequest } from "next/server";
+import { jsonResponse } from "@/lib/apiHandler";
+import { createAPIRoute } from "@/lib/routeHelper";
+import {
+  validateFileSize,
+  validateUnlockTime,
+  validateRequestSize,
+  validateKey,
+  validateTimestamp,
+} from "@/lib/validation";
+import { ErrorCode, createErrorResponse } from "@/lib/errors";
 
 export async function POST(request: NextRequest) {
-  const contentLength = request.headers.get('content-length');
-  const maxSize = parseInt(process.env.MAX_FILE_SIZE_MB || '10') * 1024 * 1024;
-  
-  if (contentLength && parseInt(contentLength) > maxSize) {
-    return jsonResponse({ 
-      error: `Request body exceeds maximum size of ${maxSize / 1024 / 1024}MB` 
-    }, 413);
+  const contentLength = parseInt(request.headers.get("content-length") || "0");
+
+  const sizeValidation = validateRequestSize(contentLength);
+  if (!sizeValidation.valid) {
+    return jsonResponse({ error: sizeValidation.error }, 413);
   }
-  
-  return createAPIRoute(async ({ container, request: ctx, ip }) => {
-    const formData = await ctx.formData();
-    const encryptedBlob = formData.get('encryptedBlob') as File;
-    const keyB = formData.get('keyB') as string;
-    const iv = formData.get('iv') as string;
-    const unlockTime = parseInt(formData.get('unlockTime') as string);
-    const isDMS = formData.get('isDMS') === 'true';
-    const pulseInterval = formData.get('pulseInterval') ? 
-      parseInt(formData.get('pulseInterval') as string) : undefined;
-
-    if (!encryptedBlob || !keyB || !iv || !unlockTime || isNaN(unlockTime)) {
-      return createErrorResponse(ErrorCode.INVALID_UNLOCK_TIME, 'Missing required fields');
-    }
-
-    const sizeValidation = validateFileSize(encryptedBlob.size);
-    if (!sizeValidation.valid) {
-      return jsonResponse({ error: sizeValidation.error }, 400);
-    }
-
-    const timeValidation = validateUnlockTime(unlockTime);
-    if (!timeValidation.valid) {
-      return createErrorResponse(ErrorCode.INVALID_UNLOCK_TIME, timeValidation.error);
-    }
-
-    const sealService = container.sealService;
-    const blobBuffer = await encryptedBlob.arrayBuffer();
-    const result = await sealService.createSeal({
-      encryptedBlob: blobBuffer,
-      keyB,
-      iv,
-      unlockTime,
-      isDMS,
-      pulseInterval,
-    }, ip);
-
-    return jsonResponse({
-      success: true,
-      sealId: result.sealId,
-      iv: result.iv,
-      publicUrl: `/v/${result.sealId}`,
-      pulseUrl: result.pulseToken ? `/pulse/${result.pulseToken}` : undefined,
-    });
-  }, { rateLimit: { limit: 10, window: 60000 } })(request);
+
+  return createAPIRoute(
+    async ({ container, request: ctx, ip }) => {
+      const formData = await ctx.formData();
+      const encryptedBlob = formData.get("encryptedBlob") as File;
+      const keyB = formData.get("keyB") as string;
+      const iv = formData.get("iv") as string;
+      const unlockTime = parseInt(formData.get("unlockTime") as string);
+      const isDMS = formData.get("isDMS") === "true";
+      const pulseInterval = formData.get("pulseInterval")
+        ? parseInt(formData.get("pulseInterval") as string)
+        : undefined;
+
+      if (!encryptedBlob || !keyB || !iv || !unlockTime || isNaN(unlockTime)) {
+        return createErrorResponse(
+          ErrorCode.INVALID_UNLOCK_TIME,
+          "Missing required fields",
+        );
+      }
+
+      const keyBValidation = validateKey(keyB, "Key B");
+      if (!keyBValidation.valid) {
+        return jsonResponse({ error: keyBValidation.error }, 400);
+      }
+
+      const ivValidation = validateKey(iv, "IV");
+      if (!ivValidation.valid) {
+        return jsonResponse({ error: ivValidation.error }, 400);
+      }
+
+      const timestampValidation = validateTimestamp(unlockTime);
+      if (!timestampValidation.valid) {
+        return jsonResponse({ error: timestampValidation.error }, 400);
+      }
+
+      const fileSizeValidation = validateFileSize(encryptedBlob.size);
+      if (!fileSizeValidation.valid) {
+        return jsonResponse({ error: fileSizeValidation.error }, 400);
+      }
+
+      const timeValidation = validateUnlockTime(unlockTime);
+      if (!timeValidation.valid) {
+        return createErrorResponse(
+          ErrorCode.INVALID_UNLOCK_TIME,
+          timeValidation.error,
+        );
+      }
+
+      const sealService = container.sealService;
+      const blobBuffer = await encryptedBlob.arrayBuffer();
+      const result = await sealService.createSeal(
+        {
+          encryptedBlob: blobBuffer,
+          keyB,
+          iv,
+          unlockTime,
+          isDMS,
+          pulseInterval,
+        },
+        ip,
+      );
+
+      return jsonResponse({
+        success: true,
+        sealId: result.sealId,
+        iv: result.iv,
+        publicUrl: `/v/${result.sealId}`,
+        pulseUrl: result.pulseToken ? `/pulse/${result.pulseToken}` : undefined,
+      });
+    },
+    { rateLimit: { limit: 10, window: 60000 } },
+  )(request);
 }

app/api/seal/[id]/route.ts

@@ -1,6 +1,9 @@
 import { NextRequest } from 'next/server';
 import { jsonResponse } from '@/lib/apiHandler';
 import { createAPIRoute } from '@/lib/routeHelper';
+import { validateSealId } from '@/lib/validation';
+import { isHoneypot } from '@/lib/security';
+import { logger } from '@/lib/logger';
 
 
 export async function GET(
@@ -9,6 +12,21 @@ export async function GET(
 ) {
   return createAPIRoute(async ({ container, ip }) => {
     const { id: sealId } = await params;
+
+    const sealIdValidation = validateSealId(sealId);
+    if (!sealIdValidation.valid) {
+      return jsonResponse({ error: sealIdValidation.error }, 400);
+    }
+
+    if (isHoneypot(sealId)) {
+      logger.warn('honeypot_accessed', { ip, sealId, userAgent: request.headers.get('user-agent') });
+      return jsonResponse({
+        id: sealId,
+        isLocked: true,
+        unlockTime: Date.now() + 999999999999,
+        timeRemaining: 999999999999,
+      });
+    }
     const sealService = container.sealService;
     const metadata = await sealService.getSeal(sealId, ip);
 

docs/CHANGELOG.md

@@ -7,6 +7,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.3.0] - 2025-12-22
+
+### Added
+- Request size validation (30MB limit)
+- Seal ID format validation (32 hex characters)
+- Key format validation (base64, length checks)
+- Timestamp validation (prevent overflow)
+- IP address validation (IPv4/IPv6)
+- Honeypot seals for enumeration detection
+- User-agent logging in audit trail
+
+### Security
+- Enhanced input validation across all API endpoints
+- Honeypot IDs: 00000000... and ffffffff...
+- Improved audit logging with user-agent tracking
+
 ## [0.2.0] - 2025-12-22
 
 ### Added