feat(api): enhance security with validations and request tracking

Add HTTP method and origin validations to create-seal and seal retrieval endpoints to prevent unauthorized access. Introduce concurrent request tracking and suspicious pattern detection in seal retrieval to mitigate abuse and improve system resilience. Update changelog for version 0.4.0.

Author: teycir

app/api/create-seal/route.ts

@@ -9,8 +9,17 @@ import {
   validateTimestamp,
 } from "@/lib/validation";
 import { ErrorCode, createErrorResponse } from "@/lib/errors";
+import { validateHTTPMethod, validateOrigin } from "@/lib/security";
 
 export async function POST(request: NextRequest) {
+  if (!validateHTTPMethod(request, ["POST"])) {
+    return jsonResponse({ error: "Method not allowed" }, 405);
+  }
+
+  if (!validateOrigin(request)) {
+    return jsonResponse({ error: "Invalid origin" }, 403);
+  }
+
   const contentLength = parseInt(request.headers.get("content-length") || "0");
 
   const sizeValidation = validateRequestSize(contentLength);

app/api/seal/[id]/route.ts

@@ -2,54 +2,75 @@ import { NextRequest } from 'next/server';
 import { jsonResponse } from '@/lib/apiHandler';
 import { createAPIRoute } from '@/lib/routeHelper';
 import { validateSealId } from '@/lib/validation';
-import { isHoneypot } from '@/lib/security';
+import { isHoneypot, validateHTTPMethod, validateOrigin, concurrentTracker, detectSuspiciousPattern } from '@/lib/security';
 import { logger } from '@/lib/logger';
 
 
 export async function GET(
   request: NextRequest,
   { params }: { params: Promise<{ id: string }> }
 ) {
-  return createAPIRoute(async ({ container, ip }) => {
-    const { id: sealId } = await params;
+  if (!validateHTTPMethod(request, ['GET'])) {
+    return jsonResponse({ error: 'Method not allowed' }, 405);
+  }
 
-    const sealIdValidation = validateSealId(sealId);
-    if (!sealIdValidation.valid) {
-      return jsonResponse({ error: sealIdValidation.error }, 400);
-    }
+  if (!validateOrigin(request)) {
+    return jsonResponse({ error: 'Invalid origin' }, 403);
+  }
 
-    if (isHoneypot(sealId)) {
-      logger.warn('honeypot_accessed', { ip, sealId, userAgent: request.headers.get('user-agent') });
-      return jsonResponse({
-        id: sealId,
-        isLocked: true,
-        unlockTime: Date.now() + 999999999999,
-        timeRemaining: 999999999999,
-      });
+  return createAPIRoute(async ({ container, ip }) => {
+    if (!concurrentTracker.track(ip)) {
+      return jsonResponse({ error: 'Too many concurrent requests' }, 429);
     }
-    const sealService = container.sealService;
-    const metadata = await sealService.getSeal(sealId, ip);
 
-    if (metadata.status === 'locked') {
+    try {
+      const { id: sealId } = await params;
+
+      const sealIdValidation = validateSealId(sealId);
+      if (!sealIdValidation.valid) {
+        return jsonResponse({ error: sealIdValidation.error }, 400);
+      }
+
+      if (detectSuspiciousPattern(ip, sealId)) {
+        logger.warn('suspicious_pattern', { ip, sealId });
+      }
+
+      if (isHoneypot(sealId)) {
+        logger.warn('honeypot_accessed', { ip, sealId, userAgent: request.headers.get('user-agent') });
+        return jsonResponse({
+          id: sealId,
+          isLocked: true,
+          unlockTime: Date.now() + 999999999999,
+          timeRemaining: 999999999999,
+        });
+      }
+
+      const sealService = container.sealService;
+      const metadata = await sealService.getSeal(sealId, ip);
+
+      if (metadata.status === 'locked') {
+        return jsonResponse({
+          id: sealId,
+          isLocked: true,
+          unlockTime: metadata.unlockTime,
+          timeRemaining: metadata.unlockTime - Date.now(),
+        });
+      }
+
+      const blob = await sealService.getBlob(sealId);
+      const bytes = new Uint8Array(blob);
+      const blobBase64 = btoa(String.fromCharCode(...bytes));
+
       return jsonResponse({
         id: sealId,
-        isLocked: true,
+        isLocked: false,
         unlockTime: metadata.unlockTime,
-        timeRemaining: metadata.unlockTime - Date.now(),
+        keyB: metadata.keyB,
+        iv: metadata.iv,
+        encryptedBlob: blobBase64,
       });
+    } finally {
+      concurrentTracker.release(ip);
     }
-
-    const blob = await sealService.getBlob(sealId);
-    const bytes = new Uint8Array(blob);
-    const blobBase64 = btoa(String.fromCharCode(...bytes));
-
-    return jsonResponse({
-      id: sealId,
-      isLocked: false,
-      unlockTime: metadata.unlockTime,
-      keyB: metadata.keyB,
-      iv: metadata.iv,
-      encryptedBlob: blobBase64,
-    });
   }, { rateLimit: { limit: 20, window: 60000 } })(request);
 }

docs/CHANGELOG.md

@@ -7,6 +7,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.4.0] - 2025-12-22
+
+### Added
+- HTTP method validation on all endpoints
+- Request origin validation
+- Concurrent request limiting (5 per IP)
+- Suspicious pattern detection (sequential seal IDs)
+- Seal age validation (2 year maximum)
+
+### Security
+- Method-based access control (GET/POST only)
+- Origin header validation
+- Concurrent request tracking and limiting
+- Sequential access pattern detection
+- Enhanced logging for suspicious activity
+
 ## [0.3.0] - 2025-12-22
 
 ### Added