DevLoversTeam
diff --git a/‎frontend/.env.example‎
Lines changed: 15 additions & 0 deletions b/‎frontend/.env.example‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎frontend/app/[locale]/dashboard/page.tsx‎
Lines changed: 5 additions & 3 deletions b/‎frontend/app/[locale]/dashboard/page.tsx‎
Lines changed: 5 additions & 3 deletions
diff --git a/‎frontend/app/[locale]/login/page.tsx‎
Lines changed: 0 additions & 48 deletions b/‎frontend/app/[locale]/login/page.tsx‎
Lines changed: 0 additions & 48 deletions
diff --git a/‎frontend/app/api/auth/google/callback/route.ts‎
Lines changed: 1 addition & 1 deletion b/‎frontend/app/api/auth/google/callback/route.ts‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎frontend/app/api/quiz/guest-result/route.ts‎
Lines changed: 17 additions & 9 deletions b/‎frontend/app/api/quiz/guest-result/route.ts‎
Lines changed: 17 additions & 9 deletions
diff --git a/‎frontend/app/api/shop/checkout/route.ts‎
Lines changed: 18 additions & 6 deletions b/‎frontend/app/api/shop/checkout/route.ts‎
Lines changed: 18 additions & 6 deletions
diff --git a/‎frontend/app/api/shop/webhooks/stripe/route.ts‎
Lines changed: 12 additions & 13 deletions b/‎frontend/app/api/shop/webhooks/stripe/route.ts‎
Lines changed: 12 additions & 13 deletions
diff --git a/‎frontend/components/auth/PostAuthQuizSync.tsx‎
Lines changed: 63 additions & 0 deletions b/‎frontend/components/auth/PostAuthQuizSync.tsx‎
Lines changed: 63 additions & 0 deletions
@@ -70,8 +70,23 @@ CSRF_SECRET=
 CHECKOUT_RATE_LIMIT_MAX=10
 CHECKOUT_RATE_LIMIT_WINDOW_SECONDS=300
 
+# Stripe webhook rate limit envs (applied per reason; reason-specific overrides generic).
+# Missing signature has its own envs with fallback to generic, then legacy invalid_sig.
+STRIPE_WEBHOOK_MISSING_SIG_RL_MAX=30
+STRIPE_WEBHOOK_MISSING_SIG_RL_WINDOW_SECONDS=60
+
+# Generic Stripe webhook rate limit fallback (applies to missing_sig and invalid_sig).
+STRIPE_WEBHOOK_RL_MAX=30
+STRIPE_WEBHOOK_RL_WINDOW_SECONDS=60
+
+# Invalid signature envs (canonical for invalid_sig, legacy fallback for missing_sig).
 STRIPE_WEBHOOK_INVALID_SIG_RL_MAX=30
 STRIPE_WEBHOOK_INVALID_SIG_RL_WINDOW_SECONDS=60
 
+# SECURITY: If true, trust x-real-ip / x-forwarded-for headers for rate limiting.
+# Enable ONLY behind Cloudflare or a trusted reverse proxy that overwrites these headers.
+# Default: false (empty/0/false).
+TRUST_FORWARDED_HEADERS=0
+
 # emergency switch
 RATE_LIMIT_DISABLED=0
@@ -7,6 +7,7 @@ import { getUserQuizStats } from '@/db/queries/quiz';
 import { ProfileCard } from '@/components/dashboard/ProfileCard';
 import { StatsCard } from '@/components/dashboard/StatsCard';
 import { QuizSavedBanner } from '@/components/dashboard/QuizSavedBanner';
+import { PostAuthQuizSync } from "@/components/auth/PostAuthQuizSync";
 
 export const metadata = {
   title: 'Dashboard | DevLovers',
@@ -28,9 +29,9 @@ export default async function DashboardPage({ params }: { params: Promise<{ loca
   const averageScore =
     totalAttempts > 0
       ? Math.round(
-          attempts.reduce((acc, curr) => acc + Number(curr.percentage), 0) /
-            totalAttempts
-        )
+        attempts.reduce((acc, curr) => acc + Number(curr.percentage), 0) /
+        totalAttempts
+      )
       : 0;
 
   const lastActiveDate =
@@ -57,6 +58,7 @@ export default async function DashboardPage({ params }: { params: Promise<{ loca
 
   return (
     <main className="relative min-h-[calc(100vh-80px)] overflow-hidden">
+      <PostAuthQuizSync />
       <div
         className="absolute inset-0 pointer-events-none -z-10"
         aria-hidden="true"
 
@@ -4,10 +4,6 @@ import { useLocale } from "next-intl";
 import { Link } from "@/i18n/routing";
 import { useState } from "react";
 import { useSearchParams } from "next/navigation";
-import {
-  getPendingQuizResult,
-  clearPendingQuizResult,
-} from "@/lib/quiz/guest-quiz";
 import { Button } from "@/components/ui/button";
 import { OAuthButtons } from "@/components/auth/OAuthButtons";
 
@@ -74,50 +70,6 @@ export default function LoginPage() {
         return;
       }
 
-      const pendingResult = getPendingQuizResult();
-
-      if (pendingResult && data?.userId) {
-        try {
-          const quizRes = await fetch("/api/quiz/guest-result", {
-            method: "POST",
-            headers: { "Content-Type": "application/json" },
-            body: JSON.stringify({
-              userId: data.userId,
-              quizId: pendingResult.quizId,
-              answers: pendingResult.answers,
-              violations: pendingResult.violations,
-              timeSpentSeconds:
-                pendingResult.timeSpentSeconds,
-            }),
-          });
-
-          if (!quizRes.ok) {
-            throw new Error(
-              `Failed to save quiz result: ${quizRes.status}`
-            );
-          }
-
-          const result = await quizRes.json();
-
-          if (result.success) {
-            sessionStorage.setItem(
-              "quiz_just_saved",
-              JSON.stringify({
-                score: result.score,
-                total: result.totalQuestions,
-                percentage: result.percentage,
-                pointsAwarded: result.pointsAwarded,
-                quizSlug: pendingResult.quizSlug,
-              })
-            );
-          }
-        } catch (err) {
-          console.error("Failed to save quiz result:", err);
-        } finally {
-          clearPendingQuizResult();
-        }
-      }
-
       const redirectTarget =
         returnTo && isSafeRedirectUrl(returnTo)
           ? returnTo
 
@@ -152,5 +152,5 @@ export async function GET(req: NextRequest) {
 
   await setAuthCookie(token);
 
-  return NextResponse.redirect(new URL("/", req.url));
+  return NextResponse.redirect(new URL("/dashboard", req.url));
 }   
@@ -1,7 +1,12 @@
 import { NextResponse } from "next/server";
-import { getCurrentUser } from '@/lib/auth';
+import { getCurrentUser } from "@/lib/auth";
 import { db } from "@/db";
-import { quizAttempts, quizAttemptAnswers, quizQuestions, quizAnswers } from "@/db/schema/quiz";
+import {
+  quizAttempts,
+  quizAttemptAnswers,
+  quizQuestions,
+  quizAnswers,
+} from "@/db/schema/quiz";
 import { awardQuizPoints, calculateQuizPoints } from "@/db/queries/points";
 import { eq, inArray } from "drizzle-orm";
 
@@ -17,23 +22,25 @@ export async function POST(req: Request) {
     );
   }
 
-  const { userId, quizId, answers, violations, timeSpentSeconds } = body;
+  const { quizId, answers, violations, timeSpentSeconds } = body;
 
-  if (!userId || !quizId || !Array.isArray(answers) || answers.length === 0) {
+  if (!quizId || !Array.isArray(answers) || answers.length === 0) {
     return NextResponse.json(
       { success: false, error: "Invalid input" },
       { status: 400 }
     );
   }
 
   const session = await getCurrentUser();
-  if (!session || session.id !== userId) {
+  if (!session) {
     return NextResponse.json(
       { success: false, error: "Unauthorized" },
       { status: 401 }
     );
   }
 
+  const userId = session.id;
+
   const questionRows = await db
     .select({ id: quizQuestions.id })
     .from(quizQuestions)
@@ -114,14 +121,13 @@ export async function POST(req: Request) {
       );
     }
 
-    const isCorrect = record.isCorrect;
-    if (isCorrect) correctAnswersCount++;
+    if (record.isCorrect) correctAnswersCount++;
 
     attemptAnswers.push({
       attemptId: "",
       quizQuestionId: answer.questionId,
       selectedAnswerId: answer.selectedAnswerId,
-      isCorrect,
+      isCorrect: record.isCorrect,
       answeredAt: now,
     });
   }
@@ -132,10 +138,12 @@ export async function POST(req: Request) {
   const integrityScore = Math.max(0, 100 - violationsArray.length * 10);
   const safeTimeSpentSeconds = Math.max(0, Number(timeSpentSeconds) || 0);
   const startedAt = new Date(now.getTime() - safeTimeSpentSeconds * 1000);
+
   const pointsEarned = calculateQuizPoints({
     score: correctAnswersCount,
     integrityScore,
   });
+
   try {
     const [attempt] = await db
       .insert(quizAttempts)
@@ -185,4 +193,4 @@ export async function POST(req: Request) {
       { status: 500 }
     );
   }
-}
+}
@@ -1,7 +1,7 @@
 import { NextRequest, NextResponse } from 'next/server';
 import {
   enforceRateLimit,
-  getClientIp,
+  getRateLimitSubject,
   rateLimitResponse,
 } from '@/lib/security/rate-limit';
 import { getCurrentUser } from '@/lib/auth';
@@ -233,14 +233,26 @@ export async function POST(request: NextRequest) {
   }
   // P1: rate limit checkout (cross-instance, DB-backed)
   // Policy: allow reasonable retries; block abusive burst.
-  const checkoutSubject = sessionUserId ?? getClientIp(request) ?? 'anon';
+  const checkoutSubject = sessionUserId ?? getRateLimitSubject(request);
+
+  const limitParsed = Number.parseInt(
+    process.env.CHECKOUT_RATE_LIMIT_MAX ?? '',
+    10
+  );
+  const windowParsed = Number.parseInt(
+    process.env.CHECKOUT_RATE_LIMIT_WINDOW_SECONDS ?? '',
+    10
+  );
+
+  const limit =
+    Number.isFinite(limitParsed) && limitParsed > 0 ? limitParsed : 10;
+  const windowSeconds =
+    Number.isFinite(windowParsed) && windowParsed > 0 ? windowParsed : 300;
 
   const decision = await enforceRateLimit({
     key: `checkout:${checkoutSubject}`,
-    limit: Number(process.env.CHECKOUT_RATE_LIMIT_MAX ?? 10),
-    windowSeconds: Number(
-      process.env.CHECKOUT_RATE_LIMIT_WINDOW_SECONDS ?? 300
-    ),
+    limit,
+    windowSeconds,
   });
 
   if (!decision.ok) {
 
@@ -15,9 +15,10 @@ import {
 import { markStripeAttemptFinal } from '@/lib/services/orders/payment-attempts';
 import {
   enforceRateLimit,
-  getClientIp,
+  getRateLimitSubject,
   rateLimitResponse,
 } from '@/lib/security/rate-limit';
+import { resolveStripeWebhookRateLimit } from '@/lib/security/stripe-webhook-rate-limit';
 
 const REFUND_FULLNESS_UNDETERMINED = 'REFUND_FULLNESS_UNDETERMINED' as const;
 
@@ -317,13 +318,12 @@ export async function POST(request: NextRequest) {
 
   const signature = request.headers.get('stripe-signature');
   if (!signature) {
-    const ip = getClientIp(request) ?? 'anon';
+    const subject = getRateLimitSubject(request);
+    const rateLimit = resolveStripeWebhookRateLimit('missing_sig');
     const decision = await enforceRateLimit({
-      key: `stripe_webhook:missing_sig:${ip}`,
-      limit: Number(process.env.STRIPE_WEBHOOK_INVALID_SIG_RL_MAX ?? 30),
-      windowSeconds: Number(
-        process.env.STRIPE_WEBHOOK_INVALID_SIG_RL_WINDOW_SECONDS ?? 60
-      ),
+      key: `stripe_webhook:missing_sig:${subject}`,
+      limit: rateLimit.max,
+      windowSeconds: rateLimit.windowSeconds,
     });
 
     if (!decision.ok) {
@@ -353,13 +353,12 @@ export async function POST(request: NextRequest) {
       error instanceof Error &&
       error.message === 'STRIPE_INVALID_SIGNATURE'
     ) {
-      const ip = getClientIp(request) ?? 'anon';
+      const subject = getRateLimitSubject(request);
+      const rateLimit = resolveStripeWebhookRateLimit('invalid_sig');
       const decision = await enforceRateLimit({
-        key: `stripe_webhook:invalid_sig:${ip}`,
-        limit: Number(process.env.STRIPE_WEBHOOK_INVALID_SIG_RL_MAX ?? 30),
-        windowSeconds: Number(
-          process.env.STRIPE_WEBHOOK_INVALID_SIG_RL_WINDOW_SECONDS ?? 60
-        ),
+        key: `stripe_webhook:invalid_sig:${subject}`,
+        limit: rateLimit.max,
+        windowSeconds: rateLimit.windowSeconds,
       });
 
       if (!decision.ok) {
 
@@ -0,0 +1,63 @@
+"use client";
+
+import { useEffect } from "react";
+import { useRouter } from "next/navigation";
+import {
+    getPendingQuizResult,
+    clearPendingQuizResult,
+} from "@/lib/quiz/guest-quiz";
+
+
+export function PostAuthQuizSync() {
+    const router = useRouter();
+
+    useEffect(() => {
+
+        queueMicrotask(() => {
+            const pendingResult = getPendingQuizResult();
+            if (!pendingResult) return;
+
+            (async () => {
+                try {
+                    const res = await fetch("/api/quiz/guest-result", {
+                        method: "POST",
+                        headers: { "Content-Type": "application/json" },
+                        body: JSON.stringify({
+                            quizId: pendingResult.quizId,
+                            answers: pendingResult.answers,
+                            violations: pendingResult.violations,
+                            timeSpentSeconds: pendingResult.timeSpentSeconds,
+                        }),
+                    });
+
+                    if (!res.ok) {
+                        throw new Error(`Failed to save quiz result (${res.status})`);
+                    }
+
+                    const result = await res.json();
+
+                    if (!result?.success) {
+                        throw new Error("Quiz save did not succeed");
+                    }
+
+                    sessionStorage.setItem(
+                        "quiz_just_saved",
+                        JSON.stringify({
+                            score: result.score,
+                            total: result.totalQuestions,
+                            percentage: result.percentage,
+                            pointsAwarded: result.pointsAwarded,
+                            quizSlug: pendingResult.quizSlug,
+                        })
+                    );
+                    clearPendingQuizResult();
+                    router.refresh();
+                } catch (error) {
+                    console.error("Failed to sync guest quiz result:", error);
+                }
+            })();
+        });
+    }, [router]);
+
+    return null;
+}
Original file line number	Diff line number	Diff line change
`@@ -152,5 +152,5 @@ export async function GET(req: NextRequest) {`
`152`	`152`
`153`	`153`	`await setAuthCookie(token);`
`154`	`154`
`155`		`- return NextResponse.redirect(new URL("/", req.url));`
	`155`	`+ return NextResponse.redirect(new URL("/dashboard", req.url));`
`156`	`156`	`}`