Merge pull request #237 from blessme247/feat/request-validation

Feat/request validation

Author: Baskarayelu

.env.example

@@ -1,5 +1,11 @@
 # Anchor API variables
 ANCHOR_API_BASE_URL=https://api.example.com/anchor
+STELLAR_NETWORK="testnet"
+STELLAR_RPC_URL="https://soroban-testnet.stellar.org"
+INSURANCE_CONTRACT_ID="CACDYF3CYMJEJTIVFESQYZTN67GO2R5D5IUABTCUG3HXQSRXCSOROBAN"
+REMITTANCE_CONTRACT_ID="CACDYF3CYMJEJTIVFESQYZTN67GO2R5D5IUABTCUG3HXQSRXCSOROBAN"
+SAVINGS_CONTRACT_ID="CACDYF3CYMJEJTIVFESQYZTN67GO2R5D5IUABTCUG3HXQSRXCSOROBAN"
+BILLS_CONTRACT_ID="CACDYF3CYMJEJTIVFESQYZTN67GO2R5D5IUABTCUG3HXQSRXCSOROBAN"
 
 # Session encryption for wallet-based auth (required for /api/auth/*).
 # Generate with: openssl rand -base64 32

app/api/bills/route.ts

@@ -1,3 +1,44 @@
+
+import { NextRequest, NextResponse } from "next/server";
+import { z } from "zod";
+import { compose, validatedRoute, withAuth } from "@/lib/auth/middleware";
+
+const billSchema = z.object({
+  name: z.string().min(4, "Name is too short"),
+  amount: z.coerce.number().positive().gt(0),
+  dueDate: z.coerce.date(),
+  recurring: z.preprocess((val) => val === "on" || val === true, z.boolean()),
+});
+
+const addBillHandler = validatedRoute(billSchema, "body", async (req, data) => {
+  // data is fully typed as { name: string, amount: number, dueDate: Date, recurring: boolean }
+//   console.log(data, 'data in handler');
+
+  // your DB logic here
+
+  return NextResponse.json({
+    success: "Bill added successfully",
+    name: data.name,
+    amount: data.amount,
+  });
+});
+
+// if auth is needed on a route
+// compose auth + validation — order matters: auth runs first
+// export const POST = compose(withAuth)(addBillHandler);
+
+// if you don't need auth on a route, just export directly:
+// export const POST = addBillHandler;
+// import { withAuth } from '@/lib/auth';
+
+async function getHandler(request: NextRequest) {
+  // TODO: Fetch bills from Soroban bill_payments contract
+  return NextResponse.json({ bills: [] });
+}
+
+
+export const GET = compose(withAuth)(getHandler);
+export const POST = compose(withAuth)(addBillHandler);
 import { NextRequest, NextResponse } from 'next/server';
 import { withAuth } from '@/lib/auth';
 import { getAllBills, getBill } from '@/lib/contracts/bill-payments';
@@ -61,4 +102,4 @@ async function postHandler(request: NextRequest, session: string) {
 }
 
 export const GET = withAuth(getHandler);
-export const POST = withAuth(postHandler);
+export const POST = withAuth(postHandler);

app/api/dashboard/route.ts

@@ -0,0 +1,54 @@
+import { compose, withAuth } from "@/lib/auth/middleware";
+import { NextRequest, NextResponse } from "next/server";
+
+/**
+ * GET /api/dashboard
+ * ─────────────────────────────────────────────────────────────────────────────
+ * Returns all data needed to render the dashboard in a single round-trip.
+ *
+ * Authentication:
+ *  Uses validatedRoute middleware with a Zod schema that reads the user's
+ *  wallet address from the Authorization header (Bearer <wallet-address>)
+ *  or from a `address` query param for local dev.
+ *
+ * Caching:
+ *  Results are cached in-process for 30 s (DASHBOARD_TTL_SECONDS env var).
+ *  The `meta.fromCache` field in the response tells the client whether it
+ *  received a cached or freshly-fetched result.
+ *  Cache-Control is set to `private, max-age=30` so browsers/CDNs won't
+ *  cache across users, but the client can use the response for 30 s.
+ *
+ * Partial failures:
+ *  If any contract dependency (RPC call) fails, the affected section returns
+ *  `{ status: "error", error: "<message>" }` while all other sections return
+ *  normally. The HTTP status is always 200 — check each section's `status`
+ *  field to detect partial failures.
+ *
+ * Response shape: see DashboardResponse in dashboardAggregator.ts
+ */
+
+import { getDashboardData } from "@/lib/dashboard";
+import { getSession } from "@/lib/session";
+
+const DASHBOARD_TTL_S = Number(process.env.DASHBOARD_TTL_SECONDS) || 30;
+
+
+
+export const getHandler = async (req: NextRequest) => {
+    const session = await getSession();
+
+    const dashboard = await getDashboardData(session?.address || "");
+
+    return NextResponse.json(dashboard, {
+      status: 200,
+      headers: {
+        // private = per-user, not cacheable by shared CDN/proxy
+        "Cache-Control": `private, max-age=${DASHBOARD_TTL_S}, stale-while-revalidate=${DASHBOARD_TTL_S * 2}`,
+        "X-Cache": dashboard.meta.fromCache ? "HIT" : "MISS",
+      },
+    });
+  }
+
+
+
+export const GET = compose(withAuth)(getHandler);

app/api/goals/route.ts

@@ -1,7 +1,7 @@
 
 import { getAllGoals } from "@/lib/contracts/savings-goal";
 import { NextRequest, NextResponse } from 'next/server';
-import { withAuth } from '@/lib/auth';
+import { withAuth } from '@/lib/auth'; 
 
 import { validatePaginationParams, paginateData, PaginatedResult } from '../../../lib/utils/pagination';
 import { buildCreateGoalTx } from '@/lib/contracts/savings-goals';

app/api/insurance/route.ts

@@ -1,14 +1,44 @@
+
 import { NextRequest, NextResponse } from "next/server";
+import { z } from "zod";
+import { compose, validatedRoute, withAuth } from "@/lib/auth/middleware";
+// import { getActivePolicies } from "@/lib/contracts/insurance";
 import { getActivePolicies } from "@/lib/contracts/insurance-cached";
 import { validateAuth, unauthorizedResponse } from "@/lib/auth";
 
+const billSchema = z.object({
+  policyName: z.string().min(4, "Name is too short"),
+  coverageType: z.enum(["Health", "Emergency", "Life"] as const, "Please select a coverage type"),
+  monthlyPremium: z.coerce.number().positive().gt(0),
+  coverageAmount: z.coerce.number().positive().gt(0)
+});
+
+const addInsuranceHandler = validatedRoute(billSchema, "body", async (req, data) => {
+
+  // DB logic here
+
+  return NextResponse.json({
+    success: "Insurance added successfully",
+    policyName: data.policyName,
+    coverageType: data.coverageType,
+    monthlyPremium: data.monthlyPremium,
+    coverageAmount: data.coverageAmount,
+  });
+});
+
+// if auth is needed on a route
+// compose auth + validation — order matters: auth runs first
+// export const POST = compose(withAuth)(addInsuranceHandler);
+
+// if you don't need auth on a route, just export directly:
+
+
+
 // GET /api/insurance
 // Returns active policies for the authenticated owner.
 // Query param: ?owner=G... (Stellar account address)
-export async function GET(request: NextRequest) {
-  if (!validateAuth(request)) {
-    return unauthorizedResponse();
-  }
+const getInsuranceHandler = async (request: NextRequest)=> {
+
 
   const { searchParams } = new URL(request.url);
   const owner = searchParams.get("owner");
@@ -36,4 +66,9 @@ export async function GET(request: NextRequest) {
       { status: 502 }
     );
   }
+
 }
+
+
+export const POST = compose(withAuth)(addInsuranceHandler);
+export const GET = compose(withAuth)(getInsuranceHandler);

app/api/remittance/qoute/route.ts

@@ -0,0 +1,189 @@
+/**
+ * GET /api/remittance/quote
+ *
+ * Query Parameters:
+ * ┌─────────────┬──────────┬──────────────────────────────────────────────────────┐
+ * │ Param       │ Required │ Description                                          │
+ * ├─────────────┼──────────┼──────────────────────────────────────────────────────┤
+ * │ amount      │ Yes      │ Amount to send (positive number, up to 2 decimals)   │
+ * │ currency    │ Yes      │ Source currency ISO code (e.g. "USD")                │
+ * │ toCurrency  │ Yes      │ Destination currency ISO code (e.g. "PHP")           │
+ * └─────────────┴──────────┴──────────────────────────────────────────────────────┘
+ *
+ * Success Response Shape  { sendAmount, receiveAmount, fee, rate, expiry }:
+ * ┌───────────────┬─────────┬───────────────────────────────────────────────────────┐
+ * │ Field         │ Type    │ Description                                           │
+ * ├───────────────┼─────────┼───────────────────────────────────────────────────────┤
+ * │ sendAmount    │ number  │ Amount the sender pays (equals `amount` param)        │
+ * │ receiveAmount │ number  │ Amount recipient gets after fee + exchange conversion │
+ * │ fee           │ number  │ Fee charged in source currency                        │
+ * │ rate          │ number  │ Exchange rate: 1 unit of `currency` → `toCurrency`   │
+ * │ expiry        │ string  │ ISO-8601 datetime — quote valid until this timestamp  │
+ * └───────────────┴─────────┴───────────────────────────────────────────────────────┘
+ *
+ * Integration Strategy:
+ * If ANCHOR_API_BASE_URL is set  → call anchor's GET /quote (SEP-38 compatible)
+ *
+ * Caching: quotes are cached in-memory for QUOTE_TTL_SECONDS (default 60 s).
+ * Cache key = `${amount}:${currency}:${toCurrency}` (lower-cased).
+ */
+
+import { NextResponse } from "next/server";
+import { z } from "zod";
+import { validatedRoute } from "@/lib/auth/middleware";
+
+
+/**
+ * Coerce query-string strings into the right types.
+ * `amount` arrives as a string from the URL — coerce to number first.
+ */
+const quoteSchema = z.object({
+  amount: z.coerce
+    .number()
+    .gt(0, "amount must be greater than 0"),
+  currency: z
+    .string()
+    .length(3, "currency must be a 3-letter ISO code")
+    .toUpperCase(),
+
+  toCurrency: z
+    .string()
+    .length(3, "toCurrency must be a 3-letter ISO code")
+    .toUpperCase(),
+});
+
+type QuoteInput = z.infer<typeof quoteSchema>;
+type Response = {
+  sendAmount: number;
+  receiveAmount: number;
+  fee: number;
+  rate: number;
+  expiry: string;
+  source: "anchor" | "stellar" ;
+} 
+
+type QuoteResponse = Response | {message: string}
+
+// ---------------------------------------------------------------------------
+// Simple in-memory cache  (survives across requests in the same server process)
+// ---------------------------------------------------------------------------
+
+const QUOTE_TTL_MS = (Number(process.env.QUOTE_TTL_SECONDS) || 60) * 1_000;
+
+interface CacheEntry {
+  data: QuoteResponse;
+  expiresAt: number; // epoch ms
+}
+
+const quoteCache = new Map<string, CacheEntry>();
+
+function getCached(key: string): QuoteResponse | null {
+  const entry = quoteCache.get(key);
+  if (!entry) return null;
+  if (Date.now() > entry.expiresAt) {
+    quoteCache.delete(key);
+    return null;
+  }
+  return entry.data;
+}
+
+function setCache(key: string, data: QuoteResponse): void {
+  quoteCache.set(key, { data, expiresAt: Date.now() + QUOTE_TTL_MS });
+}
+
+// ---------------------------------------------------------------------------
+// Integration helpers
+// ---------------------------------------------------------------------------
+
+/** Call an SEP-38-compatible anchor /quote endpoint. */
+async function fetchAnchorQuote(input: QuoteInput): Promise<QuoteResponse> {
+  const base = process.env.ANCHOR_API_BASE_URL!.replace(/\/$/, "");
+  const url = new URL(`${base}/quote`);
+  url.searchParams.set("sell_asset", `iso4217:${input.currency}`);
+  url.searchParams.set("sell_amount", String(input.amount));
+  url.searchParams.set("buy_asset", `iso4217:${input.toCurrency}`);
+  url.searchParams.set("type", `firm`); // type can be indicative or firm, see https://developers.stellar.org/docs/platforms/anchor-platform/api-reference/callbacks/get-rates
+
+  const res = await fetch(url.toString(), {
+    headers: { "Content-Type": "application/json" },
+    // next.js fetch — don't cache at the fetch layer; we cache ourselves
+    cache: "no-store",
+  });
+
+  if (!res.ok) {
+    const body = await res.text().catch(() => "");
+    throw new Error(`Anchor quote failed (${res.status}): ${body}`);
+  }
+
+  /**
+   * SEP-38 response shape (simplified):
+   * { id, expires_at, price, sell_asset, sell_amount, buy_asset, buy_amount, fee: { total, asset } }
+   */
+  const json = await res.json();
+
+  const rate = Number(json.price); // buy units per 1 sell unit
+  const fee = Number(json.fee?.total ?? 0);
+  const sendAmount = Number(json.sell_amount ?? input.amount);
+  const receiveAmount = Number(json.buy_amount ?? (sendAmount - fee) * rate);
+
+  return {
+    sendAmount,
+    receiveAmount: round2(receiveAmount),
+    fee: round2(fee),
+    rate,
+    expiry: json.expires_at ?? ttlIso(),
+    source: "anchor",
+  };
+}
+
+
+
+
+async function resolveQuote(input: QuoteInput): Promise<QuoteResponse> {
+  if (process.env.ANCHOR_API_BASE_URL) {
+    return fetchAnchorQuote(input);
+  }
+
+  return {message: "Unable to resolve quote"}
+}
+
+
+
+export const GET = validatedRoute(
+  quoteSchema,
+  "query",
+  async (req, data: QuoteInput) => {
+    const cacheKey = `${data.amount}:${data.currency}:${data.toCurrency}`.toLowerCase();
+
+    // Return cached quote if still fresh
+    const cached = getCached(cacheKey);
+    if (cached) {
+      return NextResponse.json(cached, {
+        headers: { "X-Cache": "HIT", "Cache-Control": `max-age=${QUOTE_TTL_MS / 1000}` },
+      });
+    }
+
+    try {
+      const quote = await resolveQuote(data);
+      setCache(cacheKey, quote);
+
+      return NextResponse.json(quote, {
+        headers: { "X-Cache": "MISS", "Cache-Control": `max-age=${QUOTE_TTL_MS / 1000}` },
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Failed to fetch quote";
+      console.error("[quote] upstream error:", err);
+      return NextResponse.json({ error: message }, { status: 502 });
+    }
+  }
+);
+
+
+function round2(n: number): number {
+  return Math.round(n * 100) / 100;
+}
+
+/** Returns an ISO-8601 string QUOTE_TTL_MS from now. */
+function ttlIso(): string {
+  return new Date(Date.now() + QUOTE_TTL_MS).toISOString();
+}