Comprehensive audit fixes: security, stability, and UX improvements

- CRITICAL: Fixed folder hierarchy to include batchId/semesterId
- CRITICAL: Fixed signup flow to show verification screen
- CRITICAL: Fixed memory leaks in UndoContext with proper cleanup
- CRITICAL: Removed unsafe beforeunload handler
- MAJOR: Created centralized config for domain, files, passwords
- MAJOR: Added file type whitelist validation
- MAJOR: Added input sanitization to prevent XSS
- MAJOR: Implemented password strength validation
- MAJOR: Standardized error handling with toast notifications
- MINOR: Fixed placeholder text to match required domain
- MINOR: Added alt text for accessibility

Author: html-proof

src/app/auth/login/page.tsx

@@ -5,6 +5,7 @@ import { signIn } from "@/lib/firebase/auth";
 import { useRouter } from "next/navigation";
 import Link from "next/link";
 import { Lock, Mail, Eye, EyeOff } from "lucide-react";
+import { CONFIG } from "@/lib/config";
 
 export default function LoginPage() {
     const [email, setEmail] = useState("");
@@ -19,23 +20,15 @@ export default function LoginPage() {
         setLoading(true);
         setError("");
 
-
-
-
-
-        // Secure Domain Validation
-        if (!email.endsWith("@cep.ac.in")) {
-            setError("Access Denied. You are not authorized to access this application.");
-            setLoading(false);
-            return;
-        }
-
         try {
             await signIn(email, password);
             router.push("/dashboard");
         } catch (err: any) {
-            setError("Invalid email or password.");
-            console.error(err);
+            if (err.message === "ACCESS_DENIED") {
+                setError("Access Denied. You are not authorized to access this application.");
+            } else {
+                setError("Invalid email or password.");
+            }
         } finally {
             setLoading(false);
         }
@@ -81,7 +74,7 @@ export default function LoginPage() {
                                     color: "var(--text-main)",
                                     fontFamily: "inherit"
                                 }}
-                                placeholder="teacher@university.edu"
+                                placeholder={`teacher${CONFIG.ALLOWED_EMAIL_DOMAIN}`}
                             />
                         </div>
                     </div>

src/app/auth/signup/page.tsx

@@ -5,6 +5,7 @@ import { signUp } from "@/lib/firebase/auth";
 import { useRouter } from "next/navigation";
 import Link from "next/link";
 import { Lock, Mail, UserPlus, User, Eye, EyeOff } from "lucide-react";
+import { CONFIG, validatePassword } from "@/lib/config";
 
 export default function SignupPage() {
     const [name, setName] = useState("");
@@ -21,28 +22,26 @@ export default function SignupPage() {
         setLoading(true);
         setError("");
 
-
-
-
-
-        // Secure Domain Validation
-        if (!email.endsWith("@cep.ac.in")) {
-            setError("Access Denied. You are not authorized to access this application.");
+        // Validate password strength
+        const passwordValidation = validatePassword(password);
+        if (!passwordValidation.valid) {
+            setError(passwordValidation.message || "Invalid password");
             setLoading(false);
             return;
         }
 
         try {
             await signUp(name, email, password);
-            router.push("/auth/verify-email");
+            setSuccess(true);
         } catch (err: any) {
-            if (err.code === 'auth/email-already-in-use') {
+            if (err.message === "ACCESS_DENIED") {
+                setError("Access Denied. You are not authorized to access this application.");
+            } else if (err.code === 'auth/email-already-in-use') {
                 setError("Email already in use.");
             } else if (err.code === 'auth/weak-password') {
                 setError("Password should be at least 6 characters.");
             } else {
                 setError("Failed to create account. Try again.");
-                console.error(err);
             }
         } finally {
             setLoading(false);
@@ -134,7 +133,7 @@ export default function SignupPage() {
                                     color: "var(--text-main)",
                                     fontFamily: "inherit"
                                 }}
-                                placeholder="teacher@university.edu"
+                                placeholder={`teacher${CONFIG.ALLOWED_EMAIL_DOMAIN}`}
                             />
                         </div>
                     </div>
@@ -148,7 +147,7 @@ export default function SignupPage() {
                                 value={password}
                                 onChange={(e) => setPassword(e.target.value)}
                                 required
-                                minLength={6}
+                                minLength={CONFIG.PASSWORD_MIN_LENGTH}
                                 style={{
                                     width: "100%",
                                     padding: "0.75rem 2.5rem 0.75rem 2.5rem",

src/components/dashboard/UploadFlow.tsx

@@ -15,6 +15,7 @@ import { FolderPlus, Folder } from "lucide-react";
 import { uploadFile } from "@/lib/supabase/storage";
 import { useAuth } from "@/lib/firebase/auth";
 import { useToast } from "@/context/ToastContext";
+import { CONFIG, isAllowedFileType, sanitizeInput } from "@/lib/config";
 import styles from "./UploadFlow.module.css";
 
 export default function UploadFlow() {
@@ -112,8 +113,10 @@ export default function UploadFlow() {
         try {
             await createFolder({
                 subjectId: selectedSub,
-                departmentId: selectedDept, // Denormalize for easier querying if needed
-                name: newFolderName.trim(),
+                semesterId: selectedSem,
+                batchId: selectedBatch,
+                departmentId: selectedDept,
+                name: sanitizeInput(newFolderName.trim()),
                 createdBy: user?.uid
             });
             setNewFolderName("");
@@ -141,20 +144,26 @@ export default function UploadFlow() {
     };
 
     const addFiles = (newFiles: File[]) => {
-        const MAX_SIZE = 50 * 1024 * 1024; // 50 MB
         const validFiles: File[] = [];
         const invalidFiles: string[] = [];
+        const unsupportedFiles: string[] = [];
 
         newFiles.forEach(file => {
-            if (file.size <= MAX_SIZE) {
-                validFiles.push(file);
-            } else {
+            if (file.size > CONFIG.MAX_FILE_SIZE) {
                 invalidFiles.push(file.name);
+            } else if (!isAllowedFileType(file.type)) {
+                unsupportedFiles.push(file.name);
+            } else {
+                validFiles.push(file);
             }
         });
 
         if (invalidFiles.length > 0) {
-            addToast(`Skipped files larger than 50MB: ${invalidFiles.join(", ")}`, "warning");
+            addToast(`Files larger than 50MB were skipped: ${invalidFiles.join(", ")}`, "warning");
+        }
+
+        if (unsupportedFiles.length > 0) {
+            addToast(`Unsupported file types were skipped: ${unsupportedFiles.join(", ")}`, "warning");
         }
 
         setFiles(prev => [...prev, ...validFiles]);
@@ -217,6 +226,8 @@ export default function UploadFlow() {
                     // Create it
                     const ref = await createFolder({
                         subjectId: selectedSub,
+                        semesterId: selectedSem,
+                        batchId: selectedBatch,
                         departmentId: selectedDept,
                         name: folderName,
                         createdBy: user.uid

src/context/UndoContext.tsx

@@ -23,23 +23,24 @@ export function UndoProvider({ children }: { children: React.ReactNode }) {
     const timerRef = useRef<NodeJS.Timeout | null>(null);
     const intervalRef = useRef<NodeJS.Timeout | null>(null);
 
-    // Force execute if pending item exists on unmount/reload
+    // Cleanup timers on unmount
     useEffect(() => {
-        const handleUnload = () => {
-            if (pendingItem) {
-                pendingItem.action(); // Try to fire before close (unreliable but best effort)
-            }
+        return () => {
+            if (timerRef.current) clearTimeout(timerRef.current);
+            if (intervalRef.current) clearInterval(intervalRef.current);
         };
-        window.addEventListener("beforeunload", handleUnload);
-        return () => window.removeEventListener("beforeunload", handleUnload);
-    }, [pendingItem]);
+    }, []);
 
     const scheduleDelete = (id: string, action: DeleteAction, description: string, onUndo?: () => void) => {
         // If there's already a pending item, force execute it immediately to clear queue
         if (pendingItem) {
             executeNow();
         }
 
+        // Clear any existing timers before setting new ones
+        if (timerRef.current) clearTimeout(timerRef.current);
+        if (intervalRef.current) clearInterval(intervalRef.current);
+
         const DURATION = 30000; // 30 seconds
         const expiry = Date.now() + DURATION;
 

src/lib/config.ts

@@ -0,0 +1,75 @@
+// Configuration constants for the application
+
+export const CONFIG = {
+    // Authentication
+    ALLOWED_EMAIL_DOMAIN: process.env.NEXT_PUBLIC_ALLOWED_DOMAIN || '@cep.ac.in',
+
+    // File Upload
+    MAX_FILE_SIZE: 50 * 1024 * 1024, // 50MB
+    ALLOWED_FILE_TYPES: [
+        // Documents
+        'application/pdf',
+        'application/msword',
+        'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
+        'application/vnd.ms-excel',
+        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
+        'application/vnd.ms-powerpoint',
+        'application/vnd.openxmlformats-officedocument.presentationml.presentation',
+        'text/plain',
+        // Images
+        'image/jpeg',
+        'image/png',
+        'image/gif',
+        'image/webp',
+        // Videos
+        'video/mp4',
+        'video/webm',
+        'video/quicktime',
+    ],
+
+    // Password Requirements
+    PASSWORD_MIN_LENGTH: 8,
+    PASSWORD_REQUIRE_UPPERCASE: true,
+    PASSWORD_REQUIRE_LOWERCASE: true,
+    PASSWORD_REQUIRE_NUMBER: true,
+    PASSWORD_REQUIRE_SPECIAL: true,
+
+    // Undo
+    UNDO_DURATION_MS: 30000, // 30 seconds
+} as const;
+
+// Utility functions
+export const isAllowedEmail = (email: string): boolean => {
+    return email.endsWith(CONFIG.ALLOWED_EMAIL_DOMAIN);
+};
+
+export const isAllowedFileType = (fileType: string): boolean => {
+    return CONFIG.ALLOWED_FILE_TYPES.includes(fileType as any);
+};
+
+export const validatePassword = (password: string): { valid: boolean; message?: string } => {
+    if (password.length < CONFIG.PASSWORD_MIN_LENGTH) {
+        return { valid: false, message: `Password must be at least ${CONFIG.PASSWORD_MIN_LENGTH} characters` };
+    }
+    if (CONFIG.PASSWORD_REQUIRE_UPPERCASE && !/[A-Z]/.test(password)) {
+        return { valid: false, message: 'Password must contain at least one uppercase letter' };
+    }
+    if (CONFIG.PASSWORD_REQUIRE_LOWERCASE && !/[a-z]/.test(password)) {
+        return { valid: false, message: 'Password must contain at least one lowercase letter' };
+    }
+    if (CONFIG.PASSWORD_REQUIRE_NUMBER && !/\d/.test(password)) {
+        return { valid: false, message: 'Password must contain at least one number' };
+    }
+    if (CONFIG.PASSWORD_REQUIRE_SPECIAL && !/[!@#$%^&*(),.?":{}|<>]/.test(password)) {
+        return { valid: false, message: 'Password must contain at least one special character' };
+    }
+    return { valid: true };
+};
+
+// Input sanitization
+export const sanitizeInput = (input: string): string => {
+    return input
+        .trim()
+        .replace(/[<>]/g, '') // Remove < and > to prevent basic XSS
+        .replace(/\s+/g, ' '); // Normalize whitespace
+};

src/lib/firebase/auth.ts

@@ -10,6 +10,7 @@ import {
     sendEmailVerification
 } from "firebase/auth";
 import { useEffect, useState } from "react";
+import { isAllowedEmail } from "../config";
 
 // Auth Hook
 export function useAuth() {
@@ -29,7 +30,7 @@ export function useAuth() {
 
 // Sign In
 export const signIn = (email: string, pass: string) => {
-    if (!email.endsWith("@cep.ac.in")) {
+    if (!isAllowedEmail(email)) {
         throw new Error("ACCESS_DENIED");
     }
     return signInWithEmailAndPassword(auth, email, pass);
@@ -38,7 +39,7 @@ export const signIn = (email: string, pass: string) => {
 // Sign Up (for initial seeding or admin use)
 export const signUp = async (name: string, email: string, pass: string) => {
 
-    if (!email.endsWith("@cep.ac.in")) {
+    if (!isAllowedEmail(email)) {
         throw new Error("ACCESS_DENIED");
     }