chore: tighten security checks

Author: joshxfi

apps/www/app/actions/message.ts

@@ -112,16 +112,15 @@ export async function sendMessageAction(
 
     const { question, content, receiverId } = params.data;
     const { session } = await getSession();
+    const senderId = session?.userId ?? null;
 
-    if (receiverId === session?.userId) {
+    if (receiverId === senderId) {
       return { error: "You can't send a message to yourself" };
     }
 
     const formattedContent = formatContent(content);
     const encryptedContent = await aesEncrypt(formattedContent);
 
-    const senderId = session?.userId ?? null;
-
     if (senderId) {
       const blocked = await db.query.userBlockTable.findFirst({
         columns: { id: true },

apps/www/app/api/me/route.ts

@@ -1,18 +1,19 @@
 import { getSession } from "@/lib/auth";
+import { privateJson } from "@/lib/private-json";
 import { getCurrentUserData } from "@/lib/server/data";
 
 export async function GET() {
   try {
     const { session } = await getSession();
 
     if (!session) {
-      return Response.json({ error: "Unauthorized" }, { status: 401 });
+      return privateJson({ error: "Unauthorized" }, { status: 401 });
     }
 
     const result = await getCurrentUserData(session.userId);
-    return Response.json(result);
+    return privateJson(result);
   } catch (error) {
     console.error("Error fetching current user:", error);
-    return Response.json({ error: "Internal server error" }, { status: 500 });
+    return privateJson({ error: "Internal server error" }, { status: 500 });
   }
 }

apps/www/app/api/messages/route.ts

@@ -1,13 +1,14 @@
 import type { NextRequest } from "next/server";
 import { getSession } from "@/lib/auth";
+import { privateJson } from "@/lib/private-json";
 import { getMessagesPage } from "@/lib/server/data";
 
 export async function GET(req: NextRequest) {
   try {
     const { session } = await getSession();
 
     if (!session) {
-      return Response.json({ error: "Unauthorized" }, { status: 401 });
+      return privateJson({ error: "Unauthorized" }, { status: 401 });
     }
 
     const searchParams = req.nextUrl.searchParams;
@@ -21,9 +22,9 @@ export async function GET(req: NextRequest) {
       userId: session.userId,
     });
 
-    return Response.json(result);
+    return privateJson(result);
   } catch (error) {
     console.error("Error fetching messages:", error);
-    return Response.json({ error: "Internal server error" }, { status: 500 });
+    return privateJson({ error: "Internal server error" }, { status: 500 });
   }
 }

apps/www/app/api/notes/current/route.ts

@@ -1,18 +1,19 @@
 import { getSession } from "@/lib/auth";
+import { privateJson } from "@/lib/private-json";
 import { getCurrentNoteData } from "@/lib/server/data";
 
 export async function GET() {
   try {
     const { session } = await getSession();
 
     if (!session?.userId) {
-      return Response.json({ error: "Unauthorized" }, { status: 401 });
+      return privateJson({ error: "Unauthorized" }, { status: 401 });
     }
 
     const result = await getCurrentNoteData(session.userId);
-    return Response.json(result);
+    return privateJson(result);
   } catch (error) {
     console.error("Error fetching current note:", error);
-    return Response.json({ error: "Internal server error" }, { status: 500 });
+    return privateJson({ error: "Internal server error" }, { status: 500 });
   }
 }

apps/www/app/api/user/[username]/viewer/route.ts

@@ -1,4 +1,5 @@
 import { getSession } from "@/lib/auth";
+import { privateJson } from "@/lib/private-json";
 import { getUserProfileViewerData } from "@/lib/server/data";
 import { formatUsername } from "@/lib/utils";
 
@@ -13,12 +14,12 @@ export async function GET(
     const result = await getUserProfileViewerData(username, session?.userId);
 
     if (!result) {
-      return Response.json({ error: "Not found" }, { status: 404 });
+      return privateJson({ error: "Not found" }, { status: 404 });
     }
 
-    return Response.json(result);
+    return privateJson(result);
   } catch (error) {
     console.error("Error fetching user profile viewer overlay:", error);
-    return Response.json({ error: "Internal server error" }, { status: 500 });
+    return privateJson({ error: "Internal server error" }, { status: 500 });
   }
 }

apps/www/app/auth/google/callback/route.ts

@@ -7,6 +7,10 @@ import { cookies } from "next/headers";
 import type { NextRequest } from "next/server";
 import * as z from "zod";
 import { getSession } from "@/lib/auth";
+import {
+  GOOGLE_OAUTH_CODE_VERIFIER_COOKIE_NAME,
+  GOOGLE_OAUTH_STATE_COOKIE_NAME,
+} from "@/lib/cookies";
 import { google } from "@/lib/oauth";
 import {
   createSession,
@@ -28,8 +32,27 @@ export async function GET(req: NextRequest) {
 
   const cookieStore = await cookies();
 
-  const storedState = cookieStore.get("google_oauth_state")?.value ?? null;
-  const codeVerifier = cookieStore.get("google_code_verifier")?.value ?? null;
+  const storedState =
+    cookieStore.get(GOOGLE_OAUTH_STATE_COOKIE_NAME)?.value ?? null;
+  const codeVerifier =
+    cookieStore.get(GOOGLE_OAUTH_CODE_VERIFIER_COOKIE_NAME)?.value ?? null;
+
+  const clearOauthCookies = () => {
+    cookieStore.set(GOOGLE_OAUTH_STATE_COOKIE_NAME, "", {
+      path: "/",
+      httpOnly: true,
+      secure: process.env.NODE_ENV === "production",
+      maxAge: 0,
+      sameSite: "lax",
+    });
+    cookieStore.set(GOOGLE_OAUTH_CODE_VERIFIER_COOKIE_NAME, "", {
+      path: "/",
+      httpOnly: true,
+      secure: process.env.NODE_ENV === "production",
+      maxAge: 0,
+      sameSite: "lax",
+    });
+  };
 
   if (
     code === null ||
@@ -42,6 +65,8 @@ export async function GET(req: NextRequest) {
     });
   }
 
+  clearOauthCookies();
+
   if (state !== storedState) {
     return new Response(null, {
       status: 400,

apps/www/app/auth/google/route.ts

@@ -1,5 +1,9 @@
 import { generateCodeVerifier, generateState } from "arctic";
 import { cookies } from "next/headers";
+import {
+  GOOGLE_OAUTH_CODE_VERIFIER_COOKIE_NAME,
+  GOOGLE_OAUTH_STATE_COOKIE_NAME,
+} from "@/lib/cookies";
 import { google } from "@/lib/oauth";
 
 export async function GET() {
@@ -10,15 +14,15 @@ export async function GET() {
 
   const cookieStore = await cookies();
 
-  cookieStore.set("google_oauth_state", state, {
+  cookieStore.set(GOOGLE_OAUTH_STATE_COOKIE_NAME, state, {
     path: "/",
     httpOnly: true,
     secure: process.env.NODE_ENV === "production",
     maxAge: 60 * 10,
     sameSite: "lax",
   });
 
-  cookieStore.set("google_code_verifier", codeVerifier, {
+  cookieStore.set(GOOGLE_OAUTH_CODE_VERIFIER_COOKIE_NAME, codeVerifier, {
     path: "/",
     httpOnly: true,
     secure: process.env.NODE_ENV === "production",

apps/www/app/feed/page.tsx

@@ -5,6 +5,7 @@ import { getQueryClient } from "@/lib/get-query-client";
 import { queryKeys } from "@/lib/query";
 import type { FeedResponse } from "@/lib/query-types";
 import { getPostsPage } from "@/lib/server/data";
+import { toPublicUser } from "@/types/user";
 import PostForm from "../post/components/post-form";
 import { PostList } from "./components/post-list";
 
@@ -15,9 +16,7 @@ export default async function Feed() {
 
   const { user } = await getSession();
   const queryClient = getQueryClient();
-  const publicUser = user
-    ? (({ passwordHash: _pw, ...rest }) => rest)(user)
-    : null;
+  const publicUser = user ? toPublicUser(user) : null;
 
   await queryClient.prefetchInfiniteQuery({
     queryKey: queryKeys.posts(),

apps/www/app/inbox/page.tsx

@@ -8,6 +8,7 @@ import { getQueryClient } from "@/lib/get-query-client";
 import { queryKeys } from "@/lib/query";
 import type { MessagesResponse } from "@/lib/query-types";
 import { getMessagesPage } from "@/lib/server/data";
+import { toPublicUser } from "@/types/user";
 import { CurrentUserCard } from "./components/current-user-card";
 import { InboxTabs } from "./components/inbox-tabs";
 
@@ -60,7 +61,7 @@ export default async function InboxPage() {
   return (
     <main className="max-w-xl mx-auto min-h-screen container">
       <Suspense fallback={<UserCardSkeleton />}>
-        <CurrentUserCard user={user} />
+        <CurrentUserCard user={user ? toPublicUser(user) : null} />
       </Suspense>
 
       <HydrationBoundary state={dehydrate(queryClient)}>

apps/www/app/layout.tsx

@@ -1,4 +1,3 @@
-import { GoogleTagManager } from "@next/third-parties/google";
 import type { Metadata, Viewport } from "next";
 import { Geist, Geist_Mono } from "next/font/google";
 import Script from "next/script";
@@ -9,6 +8,7 @@ import Providers from "./providers";
 import "./globals.css";
 import { Suspense } from "react";
 import { Menubar } from "@/components/menu-bar";
+import { getGtmInlineScript } from "@/lib/gtm";
 
 const geistSans = Geist({
   variable: "--font-geist-sans",
@@ -83,6 +83,8 @@ export default function RootLayout({
 }: Readonly<{
   children: React.ReactNode;
 }>) {
+  const gtmId = process.env.GOOGLE_TAG_ID;
+
   return (
     <html lang="en" suppressHydrationWarning>
       <body
@@ -97,9 +99,25 @@ export default function RootLayout({
           <div className="pt-24">{children}</div>
           <Footer />
         </Providers>
+
+        {gtmId && (
+          <noscript>
+            <iframe
+              src={`https://www.googletagmanager.com/ns.html?id=${gtmId}`}
+              height="0"
+              width="0"
+              style={{ display: "none", visibility: "hidden" }}
+              title="Google Tag Manager"
+            />
+          </noscript>
+        )}
       </body>
 
-      <GoogleTagManager gtmId={process.env.GOOGLE_TAG_ID ?? ""} />
+      {gtmId && (
+        <Script id="gtm-loader" strategy="afterInteractive">
+          {getGtmInlineScript(gtmId)}
+        </Script>
+      )}
 
       {process.env.NODE_ENV === "production" && (
         <Script