Merge branch 'main' into feat/request-validation

Author: Baskarayelu

.env.example

@@ -13,3 +13,12 @@ SESSION_PASSWORD=your-32-char-minimum-secret-here
 
 # Shared secret used to verify Anchor webhooks
 ANCHOR_WEBHOOK_SECRET=your_shared_anchor_secret_here
+
+# API Middleware Configuration
+# Frontend application URL for CORS policy (required for /api routes)
+# Requests from this origin will be allowed by CORS middleware
+NEXT_PUBLIC_APP_URL=http://localhost:3000
+
+# Maximum request body size for POST/PUT/PATCH in bytes (default 1MB)
+# Requests exceeding this size will receive a 413 Payload Too Large response
+API_MAX_BODY_SIZE=1048576

README.md

@@ -1,53 +1,23 @@
-import { NextRequest, NextResponse } from 'next/server';
-import { randomBytes } from 'crypto';
-import { storeNonce } from '@/lib/auth/nonce-store';
+import { NextRequest, NextResponse } from "next/server";
+import { setNonce } from "@/lib/auth-cache";
+import { randomBytes } from "crypto";
 
-// Force dynamic rendering for this route
-export const dynamic = 'force-dynamic';
-export const runtime = 'nodejs';
+export async function POST(request: NextRequest) {
+  const { publicKey } = await request.json();
 
-/**
- * GET /api/auth/nonce
- * Generate a nonce for signature-based authentication
- * 
- * Query Parameters:
- * - address: Stellar address requesting the nonce
- */
-export async function GET(request: NextRequest) {
-    try {
-        const address = request.nextUrl.searchParams.get('address');
+  if (!publicKey) {
+    return NextResponse.json(
+      { error: "publicKey is required" },
+      { status: 400 },
+    );
+  }
 
-        if (!address) {
-            return NextResponse.json(
-                { error: 'Missing required query parameter: address' },
-                { status: 400 }
-            );
-        }
+  // Generate a random nonce (32 bytes) and convert to hex
+  const nonceBuffer = randomBytes(32);
+  const nonce = nonceBuffer.toString("hex");
 
-        // Validate Stellar address format (G + 55 alphanumeric characters)
-        if (!/^G[A-Z0-9]{55}$/.test(address)) {
-            return NextResponse.json(
-                { error: 'Invalid Stellar address format' },
-                { status: 400 }
-            );
-        }
+  // Store nonce in cache for later verification
+  setNonce(publicKey, nonce);
 
-        // Generate a random nonce
-        const nonce = randomBytes(32).toString('hex');
-
-        // Store nonce with 5 minute expiration
-        storeNonce(address, nonce);
-
-        return NextResponse.json({
-            nonce,
-            address,
-            expiresAt: new Date(Date.now() + 5 * 60 * 1000).toISOString(),
-        });
-    } catch (error) {
-        console.error('Error generating nonce:', error);
-        return NextResponse.json(
-            { error: 'Internal Server Error' },
-            { status: 500 }
-        );
-    }
+  return NextResponse.json({ nonce });
 }

app/api/auth/nonce/route.ts

@@ -0,0 +1,36 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { getBill } from '@/lib/contracts/bill-payments';
+import { jsonSuccess, jsonError } from '@/lib/api/types';
+
+export const runtime = 'nodejs';
+
+export async function GET(
+  request: NextRequest,
+  context: { params: Promise<{ id: string }> }
+): Promise<NextResponse> {
+  const authHeader = request.headers.get('authorization') ?? '';
+  const token = authHeader.startsWith('Bearer ') ? authHeader.slice(7).trim() : null;
+
+  if (!token || token !== process.env.AUTH_SECRET) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+
+  try {
+    const { id } = await context.params;
+
+    if (!id) {
+      return jsonError('VALIDATION_ERROR', 'Bill ID is required');
+    }
+
+    const owner = new URL(request.url).searchParams.get('owner') ?? token;
+    const bill = await getBill(id, owner);
+
+    return jsonSuccess({ bill });
+  } catch (err: unknown) {
+    if (err instanceof Error && err.message === 'not-found') {
+      return jsonError('NOT_FOUND', 'Bill not found');
+    }
+    console.error('[GET /api/bills/[id]]', err);
+    return jsonError('INTERNAL_ERROR', 'Failed to fetch bill');
+  }
+}

app/api/bills/[id]/route.ts

@@ -38,4 +38,68 @@ async function getHandler(request: NextRequest) {
 
 
 export const GET = compose(withAuth)(getHandler);
-export const POST = compose(withAuth)(addBillHandler);
+export const POST = compose(withAuth)(addBillHandler);
+import { NextRequest, NextResponse } from 'next/server';
+import { withAuth } from '@/lib/auth';
+import { getAllBills, getBill } from '@/lib/contracts/bill-payments';
+import { jsonSuccess, jsonError } from '@/lib/api/types';
+
+async function getHandler(request: NextRequest, session: string) {
+  try {
+    const { searchParams } = new URL(request.url);
+    const id = searchParams.get('id');
+    const unpaidOnly = searchParams.get('unpaid') === 'true';
+    const owner = searchParams.get('owner') ?? session;
+
+    // GET /api/bills?id=1 — return single bill
+    if (id) {
+      try {
+        const bill = await getBill(id, owner);
+        return jsonSuccess({ bill });
+      } catch (err: unknown) {
+        if (err instanceof Error && err.message === 'not-found') {
+          return jsonError('NOT_FOUND', 'Bill not found');
+        }
+        throw err;
+      }
+    }
+
+    // GET /api/bills — return all or unpaid bills
+    const bills = await getAllBills(owner);
+    const result = unpaidOnly ? bills.filter((b) => b.status !== 'paid') : bills;
+    return jsonSuccess({ bills: result });
+  } catch (err) {
+    console.error('[GET /api/bills]', err);
+    return jsonError('INTERNAL_ERROR', 'Failed to fetch bills');
+  }
+}
+
+async function postHandler(request: NextRequest, session: string) {
+  try {
+    const body = await request.json();
+    const { name, amount, dueDate, recurring, frequencyDays } = body;
+
+    if (!name || typeof name !== 'string') {
+      return jsonError('VALIDATION_ERROR', 'name is required');
+    }
+    if (!(amount > 0)) {
+      return jsonError('VALIDATION_ERROR', 'amount must be greater than 0');
+    }
+    if (!dueDate || Number.isNaN(Date.parse(dueDate))) {
+      return jsonError('VALIDATION_ERROR', 'dueDate must be a valid ISO date string');
+    }
+    if (recurring && !(frequencyDays > 0)) {
+      return jsonError('VALIDATION_ERROR', 'frequencyDays must be greater than 0 when recurring is true');
+    }
+
+    return jsonSuccess({
+      message: 'Validation passed. Use POST /api/bills with owner public key to build XDR.',
+    });
+  } catch (err) {
+    console.error('[POST /api/bills]', err);
+    return jsonError('INTERNAL_ERROR', 'Failed to process bill creation');
+  }
+}
+
+export const GET = withAuth(getHandler);
+export const POST = withAuth(postHandler);

app/api/bills/route.ts

@@ -0,0 +1,30 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { getTotalUnpaid, getUnpaidBills } from '@/lib/contracts/bill-payments';
+import { jsonSuccess, jsonError } from '@/lib/api/types';
+
+export async function GET(request: NextRequest): Promise<NextResponse> {
+  const authHeader = request.headers.get('authorization') ?? '';
+  const token = authHeader.startsWith('Bearer ') ? authHeader.slice(7).trim() : null;
+
+  if (!token || token !== process.env.AUTH_SECRET) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+
+  try {
+    const owner = new URL(request.url).searchParams.get('owner') ?? token;
+
+    const [total, bills] = await Promise.all([
+      getTotalUnpaid(owner),
+      getUnpaidBills(owner),
+    ]);
+
+    return jsonSuccess({
+      totalUnpaid: total,
+      count: bills.length,
+      bills,
+    });
+  } catch (err) {
+    console.error('[GET /api/bills/total-unpaid]', err);
+    return jsonError('INTERNAL_ERROR', 'Failed to fetch total unpaid bills');
+  }
+}

app/api/bills/total-unpaid/route.ts

@@ -0,0 +1,27 @@
+'use client';
+
+import 'swagger-ui-react/swagger-ui.css';
+import { useEffect, useState } from 'react';
+import SwaggerUI from 'swagger-ui-react';
+
+type SwaggerUIWrapperProps = {
+  specUrl: string;
+};
+
+export default function SwaggerUIWrapper({ specUrl }: SwaggerUIWrapperProps) {
+  const [mounted, setMounted] = useState(false);
+
+  useEffect(() => {
+    setMounted(true);
+  }, []);
+
+  if (!mounted) {
+    return <div className="p-8 text-center text-lg">Loading API Spec...</div>;
+  }
+
+  return (
+    <div className="bg-white min-h-screen">
+      <SwaggerUI url={specUrl} />
+    </div>
+  );
+}

app/api/docs/SwaggerUIWrapper.tsx

@@ -0,0 +1,5 @@
+import SwaggerUIWrapper from './SwaggerUIWrapper';
+
+export default function ApiDocs() {
+  return <SwaggerUIWrapper specUrl="/api/docs/spec" />;
+}

app/api/docs/page.tsx

@@ -0,0 +1,17 @@
+import { NextResponse } from 'next/server';
+import fs from 'fs';
+import path from 'path';
+
+export async function GET() {
+  try {
+    const filePath = path.join(process.cwd(), 'openapi.yaml');
+    const fileContents = fs.readFileSync(filePath, 'utf8');
+    return new NextResponse(fileContents, {
+      status: 200,
+      headers: { 'Content-Type': 'text/yaml' },
+    });
+  } catch (error) {
+    console.error('Failed to read openapi.yaml:', error);
+    return new NextResponse('Internal Server Error', { status: 500 });
+  }
+}

app/api/docs/spec/route.ts

@@ -0,0 +1,39 @@
+import { getGoal, isGoalCompleted } from "@/lib/contracts/savings-goal";
+import { NextResponse, NextRequest } from "next/server";
+
+export async function GET(
+  req: NextRequest,
+  context: { params: Promise<{ id: string }> } // ← note Promise
+) {
+  try {
+    const { id } = await context.params;
+
+    const publicKey = req.headers.get("x-public-key");
+
+    if (!publicKey) {
+      return NextResponse.json(
+        { error: "Unauthorized" },
+        { status: 401 }
+      );
+    }
+
+    const goal = await getGoal(id);
+
+    if (!goal) {
+      return NextResponse.json(
+        { error: "Goal not found" },
+        { status: 404 }
+      );
+    }
+
+    const completed = await isGoalCompleted(id);
+
+    return NextResponse.json({ completed }, { status: 200 });
+  } catch (error) {
+    console.error(`GET /api/goals/${await context.params}/completed error:`, error);
+    return NextResponse.json(
+      { error: "Failed to check goal status" },
+      { status: 500 }
+    );
+  }
+}