chore: security hardening (RBAC, validation, ESLint headers, scripts)

Author: shadil-rayyan

app/api/categories/route.ts

@@ -1,9 +1,11 @@
 import { NextResponse, NextRequest } from "next/server";
 import { db } from "@/lib/db";
 import { categories, categoryOptionValues, hostelOptions } from "@/lib/schema";
-import { sql, eq } from "drizzle-orm";
+import { eq } from "drizzle-orm";
+import { requireAdmin } from "@/lib/auth/server";
+import { CreateCategorySchema, UpdateCategorySchema } from "@/lib/validation";
 
-export async function GET(req: NextRequest) {
+export async function GET() {
   try {
     const allCategories = await db.select().from(categories);
 
@@ -23,99 +25,14 @@ export async function GET(req: NextRequest) {
     return NextResponse.json(categoriesWithOptions);
   } catch (error) {
     console.error('Error fetching categories:', error);
-    
-    // Return sample categories for testing when database is not connected
-    if (error instanceof Error && error.message.includes('DATABASE_URL')) {
-      console.log('Database not connected, returning sample categories for testing');
-      return NextResponse.json([
-        {
-          categoryId: 1,
-          categoryName: "Amenities",
-          options: [
-            { optionId: 1, optionName: "Free WiFi" },
-            { optionId: 2, optionName: "Kitchen" },
-            { optionId: 3, optionName: "Laundry" },
-            { optionId: 4, optionName: "Common Room" },
-            { optionId: 5, optionName: "Garden/Terrace" },
-            { optionId: 6, optionName: "Bar" },
-            { optionId: 7, optionName: "Breakfast Included" },
-            { optionId: 8, optionName: "Air Conditioning" },
-            { optionId: 9, optionName: "Heating" },
-            { optionId: 10, optionName: "Luggage Storage" },
-            { optionId: 11, optionName: "24/7 Reception" },
-            { optionId: 12, optionName: "Security Lockers" },
-            { optionId: 13, optionName: "Bicycle Rental" },
-            { optionId: 14, optionName: "Tour Desk" },
-            { optionId: 15, optionName: "BBQ Area" }
-          ]
-        },
-        {
-          categoryId: 2,
-          categoryName: "Room Type",
-          options: [
-            { optionId: 16, optionName: "Dormitory" },
-            { optionId: 17, optionName: "Private Room" },
-            { optionId: 18, optionName: "Double Room" },
-            { optionId: 19, optionName: "Twin Room" },
-            { optionId: 20, optionName: "Single Room" },
-            { optionId: 21, optionName: "Family Room" },
-            { optionId: 22, optionName: "Female Only Dorm" },
-            { optionId: 23, optionName: "Male Only Dorm" },
-            { optionId: 24, optionName: "Mixed Dorm" }
-          ]
-        },
-        {
-          categoryId: 3,
-          categoryName: "Location Type",
-          options: [
-            { optionId: 25, optionName: "City Center" },
-            { optionId: 26, optionName: "Near Train Station" },
-            { optionId: 27, optionName: "Near Airport" },
-            { optionId: 28, optionName: "Beachfront" },
-            { optionId: 29, optionName: "Mountain View" },
-            { optionId: 30, optionName: "Rural Area" },
-            { optionId: 31, optionName: "University District" },
-            { optionId: 32, optionName: "Shopping District" },
-            { optionId: 33, optionName: "Historic District" },
-            { optionId: 34, optionName: "Business District" }
-          ]
-        },
-        {
-          categoryId: 4,
-          categoryName: "Price Range",
-          options: [
-            { optionId: 35, optionName: "Budget ($10-25)" },
-            { optionId: 36, optionName: "Economy ($25-50)" },
-            { optionId: 37, optionName: "Mid-range ($50-100)" },
-            { optionId: 38, optionName: "Premium ($100-200)" },
-            { optionId: 39, optionName: "Luxury ($200+)" }
-          ]
-        },
-        {
-          categoryId: 5,
-          categoryName: "Atmosphere",
-          options: [
-            { optionId: 40, optionName: "Party/Social" },
-            { optionId: 41, optionName: "Quiet/Relaxed" },
-            { optionId: 42, optionName: "Family Friendly" },
-            { optionId: 43, optionName: "Backpacker" },
-            { optionId: 44, optionName: "Digital Nomad" },
-            { optionId: 45, optionName: "Student" },
-            { optionId: 46, optionName: "Eco-friendly" },
-            { optionId: 47, optionName: "Boutique" },
-            { optionId: 48, optionName: "Traditional" }
-          ]
-        }
-      ]);
-    }
-    
     return NextResponse.json({ message: 'Failed to fetch categories.' }, { status: 500 });
   }
 }
 
 export async function POST(req: NextRequest) {
   try {
-    const { categoryName, options } = await req.json();
+    await requireAdmin(req);
+    const { categoryName, options } = CreateCategorySchema.parse(await req.json());
 
     const [newCategory] = await db.insert(categories).values({
       category: categoryName
@@ -139,7 +56,8 @@ export async function POST(req: NextRequest) {
 
 export async function PUT(req: NextRequest) {
   try {
-    const { categoryId, categoryName, options } = await req.json();
+    await requireAdmin(req);
+    const { categoryId, categoryName, options } = UpdateCategorySchema.parse(await req.json());
 
     console.log('PUT /api/categories - Incoming data:', { categoryId, categoryName, options });
 
@@ -208,6 +126,7 @@ export async function PUT(req: NextRequest) {
 
 export async function DELETE(req: NextRequest) {
   try {
+    await requireAdmin(req);
     const { categoryId } = await req.json();
 
     if (!categoryId) {

app/api/hostels/route.ts

@@ -1,9 +1,11 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { db } from '../../../lib/db';
-import { hostels, hostelImages, ratings, comments, hostelOptions, categories, categoryOptionValues } from '../../../lib/schema';
+import { db } from '@/lib/db';
+import { hostels, hostelImages, ratings, comments, hostelOptions, categories, categoryOptionValues } from '@/lib/schema';
 import { eq, and, sql, avg, count } from 'drizzle-orm';
+import { requireAdmin } from '@/lib/auth/server';
+import { CreateHostelSchema, UpdateHostelSchema } from '@/lib/validation';
 
-export async function GET(req: NextRequest) {
+export async function GET() {
   try {
     const allHostels = await db.select().from(hostels).where(eq(hostels.isActive, true));
 
@@ -62,103 +64,14 @@ export async function GET(req: NextRequest) {
     return NextResponse.json(finalHostels);
   } catch (error) {
     console.error('Error fetching hostels:', error);
-    
-    // Return sample data for testing when database is not connected
-    if (error instanceof Error && error.message.includes('DATABASE_URL')) {
-      console.log('Database not connected, returning sample data for testing');
-      return NextResponse.json([
-        {
-          hostelId: 1,
-          hostelName: "Sample Hostel - Backpacker's Paradise",
-          hostelDescription: "A vibrant hostel in the heart of the city, perfect for budget travelers looking to meet fellow adventurers. Features a lively common room, free breakfast, and organized tours.",
-          location: "https://maps.google.com/?q=123+Main+St+City+Center",
-          address: "123 Main Street, City Center, 12345",
-          phoneNumber: "+1 555 123 4567",
-          email: "info@backpackersparadise.com",
-          website: "https://www.backpackersparadise.com",
-          priceRange: "$25-50",
-          createdAt: new Date().toISOString(),
-          isActive: true,
-          categories: [
-            { categoryName: "Amenities", optionName: "Free WiFi" },
-            { categoryName: "Room Type", optionName: "Dormitory" },
-            { categoryName: "Location Type", optionName: "City Center" },
-            { categoryName: "Price Range", optionName: "Economy ($25-50)" },
-            { categoryName: "Atmosphere", optionName: "Party/Social" }
-          ],
-          images: [
-            {
-              imageId: 1,
-              imageUrl: "https://images.unsplash.com/photo-1566073771259-6a8506099945?w=800",
-              imageType: "general",
-              isPrimary: true,
-              uploadedAt: new Date().toISOString()
-            }
-          ],
-          averageRating: 4.5,
-          totalRatings: 127,
-          comments: [
-            {
-              commentId: 1,
-              commentText: "Great atmosphere and friendly staff! Perfect for meeting other travelers.",
-              userName: "Sarah M.",
-              userEmail: "sarah@example.com",
-              isVerified: true,
-              createdAt: new Date().toISOString()
-            }
-          ]
-        },
-        {
-          hostelId: 2,
-          hostelName: "Mountain View Lodge",
-          hostelDescription: "Peaceful hostel with stunning mountain views. Perfect for nature lovers and those seeking a quiet retreat. Features hiking trails, garden, and cozy common areas.",
-          location: "https://maps.google.com/?q=456+Mountain+Rd+Scenic+View",
-          address: "456 Mountain Road, Scenic View, 67890",
-          phoneNumber: "+1 555 987 6543",
-          email: "hello@mountainviewlodge.com",
-          website: "https://www.mountainviewlodge.com",
-          priceRange: "$50-100",
-          createdAt: new Date().toISOString(),
-          isActive: true,
-          categories: [
-            { categoryName: "Amenities", optionName: "Garden/Terrace" },
-            { categoryName: "Room Type", optionName: "Private Room" },
-            { categoryName: "Location Type", optionName: "Mountain View" },
-            { categoryName: "Price Range", optionName: "Mid-range ($50-100)" },
-            { categoryName: "Atmosphere", optionName: "Quiet/Relaxed" }
-          ],
-          images: [
-            {
-              imageId: 2,
-              imageUrl: "https://images.unsplash.com/photo-1571896349842-33c89424de2d?w=800",
-              imageType: "general",
-              isPrimary: true,
-              uploadedAt: new Date().toISOString()
-            }
-          ],
-          averageRating: 4.8,
-          totalRatings: 89,
-          comments: [
-            {
-              commentId: 2,
-              commentText: "Absolutely beautiful location and very peaceful. Perfect for a relaxing getaway.",
-              userName: "Mike R.",
-              userEmail: "mike@example.com",
-              isVerified: true,
-              createdAt: new Date().toISOString()
-            }
-          ]
-        }
-      ]);
-    }
-    
     return NextResponse.json({ message: 'Failed to fetch hostels.' }, { status: 500 });
   }
 }
 
 export async function POST(req: NextRequest) {
   try {
-    const { hostelName, hostelDescription, location, address, phoneNumber, email, website, priceRange, hostelCategoryOptions } = await req.json();
+    await requireAdmin(req);
+    const { hostelName, hostelDescription, location, address, phoneNumber, email, website, priceRange, hostelCategoryOptions } = CreateHostelSchema.parse(await req.json());
 
     console.log('POST /api/hostels - Incoming hostel data:', { hostelName, hostelDescription, hostelCategoryOptions });
 
@@ -226,7 +139,8 @@ export async function POST(req: NextRequest) {
 
 export async function PUT(req: NextRequest) {
   try {
-    const { hostelId, hostelName, hostelDescription, location, address, phoneNumber, email, website, priceRange, hostelCategoryOptions } = await req.json();
+    await requireAdmin(req);
+    const { hostelId, hostelName, hostelDescription, location, address, phoneNumber, email, website, priceRange, hostelCategoryOptions } = UpdateHostelSchema.parse(await req.json());
 
     console.log('PUT /api/hostels - Incoming hostel data:', { hostelId, hostelName, hostelDescription, hostelCategoryOptions });
 
@@ -291,6 +205,7 @@ export async function PUT(req: NextRequest) {
 
 export async function DELETE(req: NextRequest) {
   try {
+    await requireAdmin(req);
     const { searchParams } = new URL(req.url);
     const hostelId = searchParams.get('hostelId');
 

lib/auth/server.ts

@@ -0,0 +1,67 @@
+import { NextRequest } from 'next/server';
+import { adminAuth } from '@/lib/firebase/firebaseadmin';
+import { db } from '@/lib/db';
+import { users } from '@/lib/schema';
+import { eq } from 'drizzle-orm';
+
+export type AuthContext = {
+  firebaseUid: string;
+  userId: number; // DB users.uid
+  userRole: string | null;
+  displayName?: string | null;
+};
+
+function getBearerToken(req: NextRequest): string | null {
+  const authHeader = req.headers.get('authorization') || req.headers.get('Authorization');
+  if (!authHeader) return null;
+  const [type, token] = authHeader.split(' ');
+  if (type?.toLowerCase() !== 'bearer' || !token) return null;
+  return token;
+}
+
+export async function verifyRequest(req: NextRequest): Promise<AuthContext | null> {
+  const token = getBearerToken(req);
+  if (!token) return null;
+
+  try {
+    const decoded = await adminAuth.verifyIdToken(token);
+    const firebaseUid = decoded.uid;
+    const name = decoded.name ?? null;
+
+    // Lookup or create DB user mapping
+    let [dbUser] = await db.select().from(users).where(eq(users.firebaseUid, firebaseUid));
+    if (!dbUser) {
+      const inserted = await db
+        .insert(users)
+        .values({ firebaseUid, userRole: 'user', displayName: name ?? undefined })
+        .returning();
+      dbUser = inserted[0];
+    }
+
+    return {
+      firebaseUid,
+      userId: dbUser.uid,
+      userRole: dbUser.userRole ?? null,
+      displayName: dbUser.displayName ?? null,
+    };
+  } catch {
+    return null;
+  }
+}
+
+export async function requireUser(req: NextRequest): Promise<AuthContext> {
+  const ctx = await verifyRequest(req);
+  if (!ctx) {
+    throw new Response('Unauthorized', { status: 401 });
+  }
+  return ctx;
+}
+
+export async function requireAdmin(req: NextRequest): Promise<AuthContext> {
+  const ctx = await requireUser(req);
+  const role = (ctx.userRole || '').toLowerCase();
+  if (!(role === 'admin' || role === 'superadmin' || role === 'super_admin')) {
+    throw new Response('Forbidden', { status: 403 });
+  }
+  return ctx;
+}

lib/db.ts

@@ -1,17 +1,21 @@
-import * as dotenv from "dotenv";
-dotenv.config({ path: ".env" });
+ import { drizzle } from "drizzle-orm/node-postgres";
+ import { Pool } from "pg";
+ import * as schema from "./schema"; // adjust path
 
-import { drizzle } from "drizzle-orm/node-postgres";
-import { Pool } from "pg";
-import * as schema from "./schema"; // adjust path
+ // Rely on Next.js to load env vars (e.g., from .env.local) and injected runtime vars in production.
+ const databaseUrl = process.env.DATABASE_URL;
+ if (!databaseUrl) {
+   throw new Error("DATABASE_URL is not set. Please define it in your environment (e.g., .env.local).");
+ }
 
-if (!process.env.DATABASE_URL) {
-  throw new Error("❌ DATABASE_URL not set in .env.local");
-}
+ // Configure SSL only when explicitly requested (e.g., Neon/Render provide sslmode=require)
+ const sslMode = process.env.PGSSLMODE || process.env.SSLMODE || "";
+ const databaseSsl = process.env.DATABASE_SSL || "";
+ const useSsl = [sslMode.toLowerCase(), databaseSsl.toLowerCase()].some((v) => v === "require" || v === "true");
 
-export const pool = new Pool({
-  connectionString: process.env.DATABASE_URL,
-  ssl: { rejectUnauthorized: false }, // Needed for Neon
-});
+ export const pool = new Pool({
+   connectionString: databaseUrl,
+   ssl: useSsl ? { rejectUnauthorized: false } : undefined,
+ });
 
-export const db = drizzle(pool, { schema });
+ export const db = drizzle(pool, { schema });