Merge pull request #20 from Prismer-AI/fix/security-hardening

fix(security): auth on internal APIs, secure UUID, SSRF blocklist (#10 #12 #14)

Author: willamhou

server/src/app/api/compress/route.ts

@@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from 'next/server';
 import OpenAI from 'openai';
 import { SOURCE_QUALIFIER_SYSTEM, getPromptForStrategy } from '@/lib/prompts';
 import { ensureNacosConfig } from '@/lib/nacos-config';
+import { apiGuard } from '@/lib/api-guard';
 import { metrics } from '@/lib/metrics';
 
 // Token limit configuration
@@ -98,9 +99,12 @@ function truncateContent(content: string, maxChars: number = MAX_CONTENT_CHARS):
 export async function POST(request: NextRequest) {
   const reqStart = Date.now();
   try {
+    const guard = await apiGuard(request, { tier: 'billable', estimatedCost: 1 });
+    if (!guard.ok) return guard.response;
+
     // Ensure Nacos config is loaded before accessing env vars
     await initNacos();
-    
+
     const config = getOpenAIConfig();
 
     if (!config.apiKey) {

server/src/app/api/content/route.ts

@@ -1,6 +1,7 @@
 import { NextRequest, NextResponse } from 'next/server';
 import Exa from 'exa-js';
 import { ensureNacosConfig } from '@/lib/nacos-config';
+import { apiGuard } from '@/lib/api-guard';
 import { metrics } from '@/lib/metrics';
 
 // Initialize Nacos config on module load (singleton pattern)
@@ -32,9 +33,12 @@ function getContentApiKey(): string | undefined {
 export async function POST(request: NextRequest) {
   const reqStart = Date.now();
   try {
+    const guard = await apiGuard(request, { tier: 'billable', estimatedCost: 1 });
+    if (!guard.ok) return guard.response;
+
     // Ensure Nacos config is loaded before accessing env vars
     await initNacos();
-    
+
     const CONTENT_API_KEY = getContentApiKey();
 
     if (!CONTENT_API_KEY) {
@@ -54,10 +58,34 @@ export async function POST(request: NextRequest) {
       );
     }
 
-    // Validate all URLs
+    // Validate all URLs — block private/internal networks
     for (const url of urls) {
       try {
-        new URL(url);
+        const parsed = new URL(url);
+        if (!['http:', 'https:'].includes(parsed.protocol)) {
+          return NextResponse.json(
+            { error: `Invalid URL scheme: ${parsed.protocol} (only http/https allowed)` },
+            { status: 400 }
+          );
+        }
+        const host = parsed.hostname.toLowerCase();
+        if (
+          host === 'localhost' ||
+          host === '127.0.0.1' ||
+          host === '::1' ||
+          host === '0.0.0.0' ||
+          host.startsWith('10.') ||
+          host.startsWith('172.') ||
+          host.startsWith('192.168.') ||
+          host.startsWith('169.254.') ||
+          host.endsWith('.internal') ||
+          host.endsWith('.local')
+        ) {
+          return NextResponse.json(
+            { error: `Blocked URL: private/internal network addresses are not allowed` },
+            { status: 400 }
+          );
+        }
       } catch {
         return NextResponse.json(
           { error: `Invalid URL: ${url}` },

server/src/app/api/context/load/route.ts

@@ -199,7 +199,7 @@ async function handleSingleUrl(
 
     const contentRes = await fetch(`${baseUrl}/api/content`, {
       method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
+      headers: { 'Content-Type': 'application/json', ...(authHeader ? { 'Authorization': authHeader } : {}) },
       body: JSON.stringify({ urls: [url] }),
     });
 
@@ -270,7 +270,7 @@ async function handleSingleUrl(
 
     const compressRes = await fetch(`${baseUrl}/api/compress`, {
       method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
+      headers: { 'Content-Type': 'application/json', ...(authHeader ? { 'Authorization': authHeader } : {}) },
       body: JSON.stringify({
         content: content.text,
         url: content.url || url,
@@ -457,7 +457,7 @@ async function handleBatchUrls(
         // 批量获取内容
         const contentRes = await fetch(`${baseUrl}/api/content`, {
           method: 'POST',
-          headers: { 'Content-Type': 'application/json' },
+          headers: { 'Content-Type': 'application/json', ...(authHeader ? { 'Authorization': authHeader } : {}) },
           body: JSON.stringify({ urls: uncachedUrls }),
         });
 
@@ -480,7 +480,7 @@ async function handleBatchUrls(
               try {
                 const compressRes = await fetch(`${baseUrl}/api/compress`, {
                   method: 'POST',
-                  headers: { 'Content-Type': 'application/json' },
+                  headers: { 'Content-Type': 'application/json', ...(authHeader ? { 'Authorization': authHeader } : {}) },
                   body: JSON.stringify({
                     content: content.text,
                     url: content.url || url,
@@ -642,7 +642,7 @@ async function handleQuery(
     // Step 1: Exa 外部搜索
     const searchRes = await fetch(`${baseUrl}/api/search`, {
       method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
+      headers: { 'Content-Type': 'application/json', ...(authHeader ? { 'Authorization': authHeader } : {}) },
       body: JSON.stringify({ query }),
     });
 
@@ -723,7 +723,7 @@ async function handleQuery(
         try {
           const compressRes = await fetch(`${baseUrl}/api/compress`, {
             method: 'POST',
-            headers: { 'Content-Type': 'application/json' },
+            headers: { 'Content-Type': 'application/json', ...(authHeader ? { 'Authorization': authHeader } : {}) },
             body: JSON.stringify({
               content: result.text,
               url: result.url,

server/src/app/api/search/route.ts

@@ -1,6 +1,7 @@
 import { NextRequest, NextResponse } from 'next/server';
 import Exa from 'exa-js';
 import { ensureNacosConfig } from '@/lib/nacos-config';
+import { apiGuard } from '@/lib/api-guard';
 import { metrics } from '@/lib/metrics';
 
 // Initialize Nacos config on module load (singleton pattern)
@@ -32,9 +33,12 @@ function getSearchApiKey(): string | undefined {
 export async function POST(request: NextRequest) {
   const reqStart = Date.now();
   try {
+    const guard = await apiGuard(request, { tier: 'billable', estimatedCost: 1 });
+    if (!guard.ok) return guard.response;
+
     // Ensure Nacos config is loaded before accessing env vars
     await initNacos();
-    
+
     const SEARCH_API_KEY = getSearchApiKey();
 
     if (!SEARCH_API_KEY) {