2026-04-14 06:48:55 +04:00
|
|
|
import {NextResponse} from 'next/server'
|
|
|
|
|
import {auth} from './auth.js'
|
|
|
|
|
import {createRateLimiter} from '@/lib/rate-limit.js'
|
|
|
|
|
|
|
|
|
|
// 5 inscriptions max par IP toutes les 15 minutes
|
|
|
|
|
const checkRegister = createRateLimiter({windowMs: 15 * 60 * 1000, max: 5})
|
|
|
|
|
|
|
|
|
|
// 10 tentatives de connexion max par IP toutes les 5 minutes
|
|
|
|
|
const checkSignin = createRateLimiter({windowMs: 5 * 60 * 1000, max: 10})
|
|
|
|
|
|
|
|
|
|
const limiters = {
|
|
|
|
|
'/api/auth/register': checkRegister,
|
|
|
|
|
'/api/auth/callback/credentials': checkSignin,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Extrait l'IP cliente depuis les headers HTTP.
|
|
|
|
|
* Priorité à X-Real-IP (Nginx), puis X-Forwarded-For.
|
|
|
|
|
*/
|
|
|
|
|
function getClientIp(request) {
|
|
|
|
|
const realIp = request.headers.get('x-real-ip')
|
|
|
|
|
if (realIp) {
|
|
|
|
|
return realIp.trim()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const forwarded = request.headers.get('x-forwarded-for')
|
|
|
|
|
if (forwarded) {
|
|
|
|
|
return forwarded.split(',')[0].trim()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 'unknown'
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export async function proxy(request) {
|
|
|
|
|
const {pathname} = request.nextUrl
|
|
|
|
|
const check = limiters[pathname]
|
|
|
|
|
|
|
|
|
|
// Rate limiting sur les routes d'authentification critiques
|
|
|
|
|
if (check) {
|
|
|
|
|
const ip = getClientIp(request)
|
|
|
|
|
const result = check(`${ip}:${pathname}`)
|
|
|
|
|
|
|
|
|
|
if (!result.success) {
|
|
|
|
|
return NextResponse.json(
|
|
|
|
|
{message: 'Trop de tentatives. Veuillez réessayer dans quelques minutes.'},
|
|
|
|
|
{
|
|
|
|
|
status: 429,
|
|
|
|
|
headers: {'Retry-After': String(result.retryAfter)},
|
|
|
|
|
}
|
|
|
|
|
)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return auth(request)
|
|
|
|
|
}
|
