security+infra: CSP enforcing, structured logging, cleanup dead refs

Partha-dev01 · Partha-dev01 · commit ca8bd3f4fd4c · 2026-04-05T18:26:39.000+05:30
Content-Security-Policy:
- Promoted from Report-Only to enforcing mode (same policy, tested stable)
- Added img.youtube.com to img-src for YouTube thumbnail

Structured Logging:
- Created app/lib/logger.ts — JSON logger with timestamp, level, route, message
- Replaced all 23 console.* calls across 12 API routes with structured log.info/warn/error
- Zero unstructured console calls remain in API routes
- CloudWatch Logs Insights can now query by route, level, timestamp

Dead Reference Cleanup:
- Removed S3_MODELS_BUCKET from next.config.ts env: block (not used at runtime)
- Updated README: Zustand → React useState + Context (zustand was never imported)
- Updated DOCS.md: S3 SDK references corrected (removed, not used at runtime)
- Updated Amazon_usage.md: S3 SDK status corrected
diff --git a/README.md b/README.md
@@ -37,7 +37,7 @@ AutiSense is a web application that captures behavioral biomarkers using real-ti
 | Framework | Next.js 16.2.2 (App Router, React 19.2.4) |
 | Language | TypeScript 5 |
 | Styling | Tailwind CSS v4 + CSS custom properties |
-| State | Zustand (global) + React useState (local) |
+| State | React useState (local) + React Context (auth) |
 | On-device AI | ONNX Runtime Web 1.24.2 (WebGPU/WASM) |
 | Face Analysis | @mediapipe/tasks-vision (478 landmarks, 52 blendshapes) |
 | Client Database | Dexie.js v4 (IndexedDB, 10 tables) |
diff --git a/app/api/auth/callback/google/route.ts b/app/api/auth/callback/google/route.ts
@@ -13,6 +13,9 @@
 import { NextRequest, NextResponse } from "next/server";
 import { AUTH_CONFIG } from "@/app/lib/auth/config";
 import { upsertGoogleUser, createSessionForUser } from "@/app/lib/auth/dynamodb";
+import { logger } from "@/app/lib/logger";
+
+const log = logger("auth/callback");
 
 export async function GET(request: NextRequest) {
   const { searchParams } = new URL(request.url);
@@ -25,7 +28,7 @@ export async function GET(request: NextRequest) {
 
   // ─── Error from Google ──────────────────────────────────────────
   if (error) {
-    console.error("[auth/callback/google] OAuth error:", error);
+    log.error("OAuth error", { error });
     return NextResponse.redirect(`${appUrl}/auth/login?error=${encodeURIComponent(error)}`);
   }
 
@@ -56,7 +59,7 @@ export async function GET(request: NextRequest) {
 
     if (!tokenResponse.ok) {
       const errorBody = await tokenResponse.text();
-      console.error("[auth/callback/google] Token exchange failed:", errorBody);
+      log.error("Token exchange failed", { error: errorBody });
       return NextResponse.redirect(`${appUrl}/auth/login?error=token_exchange_failed`);
     }
 
@@ -74,7 +77,7 @@ export async function GET(request: NextRequest) {
     });
 
     if (!profileResponse.ok) {
-      console.error("[auth/callback/google] Profile fetch failed:", profileResponse.status);
+      log.error("Profile fetch failed", { error: profileResponse.status });
       return NextResponse.redirect(`${appUrl}/auth/login?error=profile_fetch_failed`);
     }
 
@@ -120,7 +123,7 @@ export async function GET(request: NextRequest) {
 
     return response;
   } catch (err) {
-    console.error("[auth/callback/google] Unexpected error:", err);
+    log.error("Unexpected error", { error: err });
     return NextResponse.redirect(`${appUrl}/auth/login?error=server_error`);
   }
 }
diff --git a/app/api/auth/logout/route.ts b/app/api/auth/logout/route.ts
@@ -10,6 +10,9 @@
 import { NextRequest, NextResponse } from "next/server";
 import { AUTH_CONFIG } from "@/app/lib/auth/config";
 import { deleteAuthSession } from "@/app/lib/auth/dynamodb";
+import { logger } from "@/app/lib/logger";
+
+const log = logger("auth/logout");
 
 export async function POST(request: NextRequest) {
   const token = request.cookies.get(AUTH_CONFIG.sessionCookieName)?.value;
@@ -18,7 +21,7 @@ export async function POST(request: NextRequest) {
     try {
       await deleteAuthSession(token);
     } catch (err) {
-      console.error("[auth/logout] Error deleting session:", err);
+      log.error("Error deleting session", { error: err });
       // Continue with logout even if DynamoDB delete fails
     }
   }
diff --git a/app/api/auth/session/route.ts b/app/api/auth/session/route.ts
@@ -8,6 +8,9 @@
 import { NextRequest, NextResponse } from "next/server";
 import { AUTH_CONFIG } from "@/app/lib/auth/config";
 import { getAuthSession, getUserById } from "@/app/lib/auth/dynamodb";
+import { logger } from "@/app/lib/logger";
+
+const log = logger("auth/session");
 
 export async function GET(request: NextRequest) {
   const token = request.cookies.get(AUTH_CONFIG.sessionCookieName)?.value;
@@ -38,7 +41,7 @@ export async function GET(request: NextRequest) {
       authenticated: true,
     });
   } catch (err) {
-    console.error("[auth/session] Error validating session:", err);
+    log.error("Error validating session", { error: err });
     return NextResponse.json({ user: null, authenticated: false }, { status: 401 });
   }
 }
diff --git a/app/api/chat/conversation/route.ts b/app/api/chat/conversation/route.ts
@@ -19,6 +19,9 @@ import {
   InvokeModelCommand,
 } from "@aws-sdk/client-bedrock-runtime";
 import { getAppCredentials } from "../../../lib/aws/credentials";
+import { logger } from "../../../lib/logger";
+
+const log = logger("chat/conversation");
 
 /* ------------------------------------------------------------------ */
 /*  Types                                                              */
@@ -335,19 +338,19 @@ export async function POST(req: NextRequest) {
       "";
 
     if (!rawText) {
-      console.warn("[Chat] Empty response from Bedrock, using fallback");
+      log.warn("Empty response from Bedrock, using fallback");
       return NextResponse.json(buildFallbackTurn(childName, turnNumber, animalPersonality));
     }
 
     const parsed = parseAgentResponse(rawText);
     if (!parsed) {
-      console.warn("[Chat] Failed to parse LLM JSON, using fallback. Raw:", rawText);
+      log.warn("Failed to parse LLM JSON, using fallback", { raw: rawText });
       return NextResponse.json(buildFallbackTurn(childName, turnNumber, animalPersonality));
     }
 
     return NextResponse.json({ ...parsed, fallback: false } satisfies ConversationResponse);
   } catch (err) {
-    console.error("[Chat] Bedrock invocation failed:", err);
+    log.error("Bedrock invocation failed", { error: err });
     return NextResponse.json(buildFallbackTurn(childName, turnNumber, animalPersonality));
   }
 }
diff --git a/app/api/chat/generate-words/route.ts b/app/api/chat/generate-words/route.ts
@@ -18,6 +18,9 @@ import {
   InvokeModelCommand,
 } from "@aws-sdk/client-bedrock-runtime";
 import { getAppCredentials } from "../../../lib/aws/credentials";
+import { logger } from "../../../lib/logger";
+
+const log = logger("chat/generate-words");
 
 /* ------------------------------------------------------------------ */
 /*  Types                                                              */
@@ -287,7 +290,7 @@ export async function POST(request: NextRequest) {
       fallback: true,
     });
   } catch (err) {
-    console.error("[generate-words] Unexpected error:", err);
+    log.error("Unexpected error", { error: err });
     return NextResponse.json(
       { error: "Failed to generate words" },
       { status: 500 },
diff --git a/app/api/feed/route.ts b/app/api/feed/route.ts
@@ -2,6 +2,9 @@ import { NextRequest, NextResponse } from "next/server";
 import { AUTH_CONFIG } from "@/app/lib/auth/config";
 import { getAuthSession, getUserById } from "@/app/lib/auth/dynamodb";
 import { getAppCredentials, getAppRegion } from "@/app/lib/aws/credentials";
+import { logger } from "@/app/lib/logger";
+
+const log = logger("feed");
 
 /**
  * Community Feed API — DynamoDB table: autisense-feed-posts
@@ -93,7 +96,7 @@ export async function GET(request: NextRequest) {
         source: "dynamodb",
       });
     } catch (err) {
-      console.error("[feed] DynamoDB GET failed, falling back:", err);
+      log.error("DynamoDB GET failed, falling back", { error: err });
       dynamoFailedUntil = Date.now() + 30_000;
     }
   }
@@ -160,7 +163,7 @@ async function handleCreate(body: Record<string, unknown>, userId: string) {
       await docClient.send(new PutCommand({ TableName: TABLE, Item: post }));
       return NextResponse.json({ success: true, post: toClient(post), source: "dynamodb" });
     } catch (err) {
-      console.error("[feed] DynamoDB PUT failed, falling back:", err);
+      log.error("DynamoDB PUT failed, falling back", { error: err });
       dynamoFailedUntil = Date.now() + 30_000;
     }
   }
@@ -218,7 +221,7 @@ async function handleReaction(body: Record<string, unknown>, userId: string) {
         return NextResponse.json({ toggled: true });
       }
     } catch (err) {
-      console.error("[feed] DynamoDB reaction failed, falling back:", err);
+      log.error("DynamoDB reaction failed, falling back", { error: err });
       dynamoFailedUntil = Date.now() + 30_000;
     }
   }
@@ -264,7 +267,7 @@ async function handleDelete(body: Record<string, unknown>, userId: string) {
       await docClient.send(new DeleteCommand({ TableName: TABLE, Key: key }));
       return NextResponse.json({ success: true });
     } catch (err) {
-      console.error("[feed] DynamoDB delete failed, falling back:", err);
+      log.error("DynamoDB delete failed, falling back", { error: err });
       dynamoFailedUntil = Date.now() + 30_000;
     }
   }
diff --git a/app/api/nearby/route.ts b/app/api/nearby/route.ts
@@ -9,6 +9,9 @@
  */
 
 import { NextRequest, NextResponse } from "next/server";
+import { logger } from "@/app/lib/logger";
+
+const log = logger("nearby");
 
 interface NearbyResult {
   id: number;
@@ -117,7 +120,7 @@ export async function POST(req: NextRequest) {
       },
     );
   } catch (err) {
-    console.error("[Nearby] Overpass query failed:", err);
+    log.error("Overpass query failed", { error: err });
     return NextResponse.json(
       { error: "Failed to query nearby facilities", results: [], source: "overpass" },
       { status: 500 },
diff --git a/app/api/report/clinical/route.ts b/app/api/report/clinical/route.ts
@@ -29,6 +29,9 @@ import {
 } from "@aws-sdk/client-bedrock-runtime";
 import type { BiomarkerAggregate } from "../../../types/biomarker";
 import { getAppCredentials } from "../../../lib/aws/credentials";
+import { logger } from "../../../lib/logger";
+
+const log = logger("report/clinical");
 
 interface ClinicalRequestBody {
   sessionId: string;
@@ -271,13 +274,13 @@ export async function POST(req: NextRequest) {
 
     const insights = parseInsights(text);
     if (!insights) {
-      console.warn("[Report/Clinical] Could not parse AI insights, using template only");
+      log.warn("Could not parse AI insights, using template only");
       return NextResponse.json({ ...baseReport, aiEnriched: false });
     }
 
     return NextResponse.json({ ...mergeAiInsights(baseReport, insights), aiEnriched: true });
   } catch (err) {
-    console.error("[Report/Clinical] Bedrock invocation failed:", err);
+    log.error("Bedrock invocation failed", { error: err });
     return NextResponse.json({ ...baseReport, aiEnriched: false });
   }
 }
diff --git a/app/api/report/pdf/route.ts b/app/api/report/pdf/route.ts
@@ -21,6 +21,9 @@
 
 import { NextRequest, NextResponse } from "next/server";
 import { PDFDocument, rgb, StandardFonts, PDFPage } from "pdf-lib";
+import { logger } from "../../../lib/logger";
+
+const log = logger("report/pdf");
 
 interface PdfRequestBody {
   report: string;
@@ -565,7 +568,7 @@ export async function POST(req: NextRequest) {
       },
     });
   } catch (err) {
-    console.error("[Report/PDF] PDF generation failed:", err);
+    log.error("PDF generation failed", { error: err });
     return NextResponse.json({ error: "Failed to generate PDF" }, { status: 500 });
   }
 }
diff --git a/app/api/report/summary/route.ts b/app/api/report/summary/route.ts
@@ -19,6 +19,9 @@ import {
 } from "@aws-sdk/client-bedrock-runtime";
 import type { BiomarkerAggregate } from "../../../types/biomarker";
 import { getAppCredentials } from "../../../lib/aws/credentials";
+import { logger } from "../../../lib/logger";
+
+const log = logger("report/summary");
 
 interface SummaryRequestBody {
   sessionId: string;
@@ -116,7 +119,7 @@ Important guidelines:
 
     return NextResponse.json({ summary, fallback: false });
   } catch (err) {
-    console.error("[Report/Summary] Bedrock invocation failed:", err);
+    log.error("Bedrock invocation failed", { error: err });
     return NextResponse.json({ summary: buildTemplateSummary(biomarkers), fallback: true });
   }
 }
diff --git a/app/api/sync/route.ts b/app/api/sync/route.ts
@@ -20,6 +20,9 @@ import { DynamoDBDocumentClient, PutCommand } from "@aws-sdk/lib-dynamodb";
 import type { SessionSyncPayload } from "../../types/session";
 import type { BiomarkerAggregate } from "../../types/biomarker";
 import { getAppCredentials, getAppRegion } from "../../lib/aws/credentials";
+import { logger } from "../../lib/logger";
+
+const log = logger("sync");
 
 function getDocClient() {
   const credentials = getAppCredentials();
@@ -68,7 +71,7 @@ export async function POST(req: NextRequest) {
   const sessionsTable = process.env.DYNAMODB_SESSIONS_TABLE;
   const biomarkersTable = process.env.DYNAMODB_BIOMARKERS_TABLE;
   if (!sessionsTable) {
-    console.error("[Sync API] DYNAMODB_SESSIONS_TABLE not configured");
+    log.error("DYNAMODB_SESSIONS_TABLE not configured");
     return NextResponse.json({ error: "Server misconfigured" }, { status: 500 });
   }
 
@@ -107,7 +110,7 @@ export async function POST(req: NextRequest) {
         note: "already_exists",
       });
     }
-    console.error("[Sync API] DynamoDB sessions write failed:", err);
+    log.error("DynamoDB sessions write failed", { error: err });
     return NextResponse.json(
       { error: "Failed to write session" },
       { status: 500 },
@@ -141,7 +144,7 @@ export async function POST(req: NextRequest) {
         }),
       );
     } catch (err) {
-      console.error("[Sync API] DynamoDB biomarkers write failed:", err);
+      log.error("DynamoDB biomarkers write failed", { error: err });
     }
   }
 
diff --git a/app/api/tts/route.ts b/app/api/tts/route.ts
@@ -19,6 +19,9 @@ import {
   type VoiceId,
 } from "@aws-sdk/client-polly";
 import { getAppCredentials, getAppRegion } from "../../lib/aws/credentials";
+import { logger } from "../../lib/logger";
+
+const log = logger("tts");
 
 interface TtsRequestBody {
   text: string;
@@ -119,7 +122,7 @@ export async function POST(req: NextRequest) {
       },
     });
   } catch (err) {
-    console.error("[TTS] Polly synthesis failed:", err);
+    log.error("Polly synthesis failed", { error: err });
     return NextResponse.json(
       { error: "Text-to-Speech synthesis failed" },
       { status: 503 },
diff --git a/app/lib/logger.ts b/app/lib/logger.ts
@@ -0,0 +1,52 @@
+/**
+ * Structured JSON logger for API routes.
+ *
+ * Outputs JSON lines to stdout (CloudWatch Logs Insights compatible).
+ * Each log includes timestamp, level, route, and message.
+ *
+ * Usage:
+ *   import { logger } from "@/app/lib/logger";
+ *   const log = logger("api/chat/conversation");
+ *   log.info("Processing request", { turnNumber: 3 });
+ *   log.error("Bedrock failed", { error: err });
+ */
+
+type LogLevel = "info" | "warn" | "error";
+
+interface LogEntry {
+  timestamp: string;
+  level: LogLevel;
+  route: string;
+  message: string;
+  [key: string]: unknown;
+}
+
+function emit(entry: LogEntry) {
+  const line = JSON.stringify(entry);
+  if (entry.level === "error") {
+    console.error(line);
+  } else if (entry.level === "warn") {
+    console.warn(line);
+  } else {
+    console.log(line);
+  }
+}
+
+export function logger(route: string) {
+  return {
+    info(message: string, data?: Record<string, unknown>) {
+      emit({ timestamp: new Date().toISOString(), level: "info", route, message, ...data });
+    },
+    warn(message: string, data?: Record<string, unknown>) {
+      emit({ timestamp: new Date().toISOString(), level: "warn", route, message, ...data });
+    },
+    error(message: string, data?: Record<string, unknown>) {
+      // Extract error message safely (don't log full stack to CloudWatch)
+      const cleaned = data ? { ...data } : {};
+      if (cleaned.error instanceof Error) {
+        cleaned.error = { name: cleaned.error.name, message: cleaned.error.message };
+      }
+      emit({ timestamp: new Date().toISOString(), level: "error", route, message, ...cleaned });
+    },
+  };
+}
diff --git a/docs/Amazon_usage.md b/docs/Amazon_usage.md
diff --git a/docs/DOCS.md b/docs/DOCS.md
diff --git a/next.config.ts b/next.config.ts

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,9 @@ import { NextRequest, NextResponse } from "next/server";`
`2`	`2`	`import { AUTH_CONFIG } from "@/app/lib/auth/config";`
`3`	`3`	`import { getAuthSession, getUserById } from "@/app/lib/auth/dynamodb";`
`4`	`4`	`import { getAppCredentials, getAppRegion } from "@/app/lib/aws/credentials";`
	`5`	`+import { logger } from "@/app/lib/logger";`
	`6`	`+`
	`7`	`+const log = logger("feed");`
`5`	`8`
`6`	`9`	`/**`
`7`	`10`	`* Community Feed API — DynamoDB table: autisense-feed-posts`
`@@ -93,7 +96,7 @@ export async function GET(request: NextRequest) {`
`93`	`96`	`source: "dynamodb",`
`94`	`97`	`});`
`95`	`98`	`} catch (err) {`
`96`		`- console.error("[feed] DynamoDB GET failed, falling back:", err);`
	`99`	`+ log.error("DynamoDB GET failed, falling back", { error: err });`
`97`	`100`	`dynamoFailedUntil = Date.now() + 30_000;`
`98`	`101`	`}`
`99`	`102`	`}`
`@@ -160,7 +163,7 @@ async function handleCreate(body: Record<string, unknown>, userId: string) {`
`160`	`163`	`await docClient.send(new PutCommand({ TableName: TABLE, Item: post }));`
`161`	`164`	`return NextResponse.json({ success: true, post: toClient(post), source: "dynamodb" });`
`162`	`165`	`} catch (err) {`
`163`		`- console.error("[feed] DynamoDB PUT failed, falling back:", err);`
	`166`	`+ log.error("DynamoDB PUT failed, falling back", { error: err });`
`164`	`167`	`dynamoFailedUntil = Date.now() + 30_000;`
`165`	`168`	`}`
`166`	`169`	`}`
`@@ -218,7 +221,7 @@ async function handleReaction(body: Record<string, unknown>, userId: string) {`
`218`	`221`	`return NextResponse.json({ toggled: true });`
`219`	`222`	`}`
`220`	`223`	`} catch (err) {`
`221`		`- console.error("[feed] DynamoDB reaction failed, falling back:", err);`
	`224`	`+ log.error("DynamoDB reaction failed, falling back", { error: err });`
`222`	`225`	`dynamoFailedUntil = Date.now() + 30_000;`
`223`	`226`	`}`
`224`	`227`	`}`
`@@ -264,7 +267,7 @@ async function handleDelete(body: Record<string, unknown>, userId: string) {`
`264`	`267`	`await docClient.send(new DeleteCommand({ TableName: TABLE, Key: key }));`
`265`	`268`	`return NextResponse.json({ success: true });`
`266`	`269`	`} catch (err) {`
`267`		`- console.error("[feed] DynamoDB delete failed, falling back:", err);`
	`270`	`+ log.error("DynamoDB delete failed, falling back", { error: err });`
`268`	`271`	`dynamoFailedUntil = Date.now() + 30_000;`
`269`	`272`	`}`
`270`	`273`	`}`