security: Phase 2 re-audit fixes — auth, input, deps, infra, polish

Auth & Input Security:
- C2: verified_email check now uses !profile.verified_email (catches
  undefined, not just false — blocks unverified Google emails)
- C3: Chat messages sanitized per-message (500 char limit, control
  chars stripped) — prevents prompt injection via conversation history
- H1: IP-based rate limiting (60 req/min) on unauthenticated endpoints
  /api/feed GET and /api/nearby POST (prevents scraping + Overpass abuse)

Infrastructure:
- H4: Node.js 20→22 (20 EOL April 30 2026) in amplify.yml, ci.yml, .nvmrc
- H5: Fix GitHub Actions SHA version comment (v4.1.7→v4.1.1 for checkout)

Dependencies:
- H7: Remove 3 unused deps — @aws-sdk/client-s3, @aws-sdk/s3-request-presigner,
  zustand (zero imports found). Saves 22 packages.
- H8: Add brace-expansion@^2.0.1 npm override (moderate DoS fix)

Production Polish:
- Create app/not-found.tsx — branded 404 page with Go Home + Dashboard links
  (replaces default Next.js 404)

Author: Partha-dev01

.github/workflows/ci.yml

@@ -27,11 +27,11 @@ jobs:
       github.event.pull_request.head.repo.full_name == github.repository
 
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.7
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.3
         with:
-          node-version: 20
+          node-version: 22
           cache: npm
 
       - name: Install dependencies

.nvmrc

@@ -1 +1 @@
-20
+22

amplify.yml

@@ -3,7 +3,7 @@ frontend:
   phases:
     preBuild:
       commands:
-        - nvm use 20
+        - nvm use 22
         - npm ci
     build:
       commands:

app/api/auth/callback/google/route.ts

@@ -87,7 +87,9 @@ export async function GET(request: NextRequest) {
     };
 
     // ─── Verify email is confirmed by Google ─────────────────────
-    if (profile.verified_email === false) {
+    // Use !profile.verified_email (not === false) to also reject
+    // undefined — handles edge case where Google omits the field.
+    if (!profile.verified_email) {
       return NextResponse.redirect(`${appUrl}/auth/login?error=email_not_verified`);
     }
 

app/api/chat/conversation/route.ts

@@ -283,20 +283,25 @@ export async function POST(req: NextRequest) {
     });
 
     for (const msg of messages) {
+      // Sanitize each message: limit length, strip control chars
+      const safeContent = String(msg.content || "")
+        .slice(0, 500)
+        .replace(/[\x00-\x1f\x7f]/g, "");
+
       if (msg.role === "assistant") {
         // Wrap plain-text assistant messages in JSON so Nova stays in JSON-output mode
-        const isJson = msg.content.trimStart().startsWith("{");
+        const isJson = safeContent.trimStart().startsWith("{");
         const wrapped = isJson
-          ? msg.content
-          : JSON.stringify({ text: msg.content, turnType: "question", expectsResponse: true, responseRelevance: 0.5, shouldEnd: false, domain: "general", action: null });
+          ? safeContent
+          : JSON.stringify({ text: safeContent, turnType: "question", expectsResponse: true, responseRelevance: 0.5, shouldEnd: false, domain: "general", action: null });
         novaMessages.push({
           role: "assistant",
           content: [{ text: wrapped }],
         });
       } else {
         novaMessages.push({
           role: "user",
-          content: [{ text: `The child said: "${msg.content}"` }],
+          content: [{ text: `The child said: "${safeContent}"` }],
         });
       }
     }

app/api/feed/route.ts

@@ -64,8 +64,16 @@ async function getUser(request: NextRequest) {
   }
 }
 
-// ─── GET /api/feed — List posts ──────────────────────────────────────
+// ─── GET /api/feed — List posts (public, IP-rate-limited) ───────────
 export async function GET(request: NextRequest) {
+  // IP-based rate limiting for unauthenticated endpoint
+  const { apiRateLimiter } = await import("@/app/lib/rateLimit");
+  const ip = request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || "unknown";
+  const rl = apiRateLimiter.check(`feed-get:${ip}`);
+  if (!rl.allowed) {
+    return NextResponse.json({ error: "Rate limit exceeded" }, { status: 429 });
+  }
+
   const { searchParams } = new URL(request.url);
   const limit = Math.min(parseInt(searchParams.get("limit") || "50", 10), 100);
   const category = searchParams.get("category") || undefined;

app/api/nearby/route.ts

@@ -23,6 +23,14 @@ interface NearbyResult {
 const OVERPASS_URL = "https://overpass-api.de/api/interpreter";
 
 export async function POST(req: NextRequest) {
+  // IP-based rate limiting (unauthenticated endpoint, proxies to Overpass)
+  const { apiRateLimiter } = await import("@/app/lib/rateLimit");
+  const ip = req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || "unknown";
+  const rl = apiRateLimiter.check(`nearby:${ip}`);
+  if (!rl.allowed) {
+    return NextResponse.json({ error: "Rate limit exceeded" }, { status: 429 });
+  }
+
   let body: { lat: number; lng: number; radius?: number };
 
   try {

app/not-found.tsx

@@ -0,0 +1,73 @@
+import Link from "next/link";
+
+export default function NotFound() {
+  return (
+    <div
+      style={{
+        display: "flex",
+        flexDirection: "column",
+        alignItems: "center",
+        justifyContent: "center",
+        minHeight: "100vh",
+        fontFamily: "'Nunito', system-ui, sans-serif",
+        background: "var(--bg, #fdf9f3)",
+        color: "var(--text-primary, #2d3a30)",
+        padding: "2rem",
+        textAlign: "center",
+      }}
+    >
+      <div style={{ fontSize: "4rem", marginBottom: "1rem" }}>🧩</div>
+      <h1
+        style={{
+          fontFamily: "'Fredoka', sans-serif",
+          fontSize: "1.8rem",
+          fontWeight: 600,
+          marginBottom: "0.5rem",
+        }}
+      >
+        Page not found
+      </h1>
+      <p
+        style={{
+          color: "var(--text-secondary, #5a7060)",
+          marginBottom: "2rem",
+          maxWidth: "400px",
+          lineHeight: 1.6,
+        }}
+      >
+        The page you're looking for doesn't exist or has been moved.
+      </p>
+      <div style={{ display: "flex", gap: "12px", flexWrap: "wrap", justifyContent: "center" }}>
+        <Link
+          href="/"
+          style={{
+            padding: "12px 28px",
+            background: "var(--sage-500, #4d8058)",
+            color: "white",
+            borderRadius: "12px",
+            fontSize: "1rem",
+            fontWeight: 600,
+            textDecoration: "none",
+          }}
+        >
+          Go Home
+        </Link>
+        <Link
+          href="/kid-dashboard"
+          style={{
+            padding: "12px 28px",
+            background: "var(--card, #ffffff)",
+            color: "var(--text-primary, #2d3a30)",
+            border: "2px solid var(--border, #e3ede6)",
+            borderRadius: "12px",
+            fontSize: "1rem",
+            fontWeight: 600,
+            textDecoration: "none",
+          }}
+        >
+          Dashboard
+        </Link>
+      </div>
+    </div>
+  );
+}