fix(security): reduce client-side exposure and harden CI

DongDuong2001 · DongDuong2001 · commit 6bd7ad503c10 · 2026-05-20T13:04:02.000+07:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+
 env:
   NEXT_PUBLIC_SUPABASE_URL: ${{ secrets.NEXT_PUBLIC_SUPABASE_URL || 'https://placeholder.supabase.co' }}
   NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY || 'placeholder-key' }}
@@ -14,6 +17,8 @@ jobs:
   lint-and-build:
     name: Lint, Type Check & Build
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
 
@@ -40,6 +45,9 @@ jobs:
     name: E2E Tests (Playwright)
     runs-on: ubuntu-latest
     needs: lint-and-build
+    permissions:
+      contents: read
+      actions: read
     steps:
       - uses: actions/checkout@v4
 
@@ -68,6 +76,8 @@ jobs:
   security-scan:
     name: Security Scan
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
         with:
diff --git a/app/api/auth/signup/route.ts b/app/api/auth/signup/route.ts
@@ -38,8 +38,14 @@ export async function POST(request: NextRequest) {
     }
 
     // 4. Validate email format
-    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/
-    if (!emailRegex.test(email)) {
+    const atIndex = email.lastIndexOf('@')
+    const hasValidEmailShape =
+      atIndex > 0 &&
+      atIndex < email.length - 3 &&
+      !email.includes(' ') &&
+      email.slice(atIndex + 1).includes('.')
+
+    if (!hasValidEmailShape) {
       return NextResponse.json(
         { error: 'Invalid email format' },
         { status: 400 }
diff --git a/app/dashboard/layout.tsx b/app/dashboard/layout.tsx
@@ -59,8 +59,24 @@ export default async function DashboardLayout({
       }
     : null
 
+  const dashboardUserSnapshot = sidebarUser
+    ? Buffer.from(
+        JSON.stringify({
+          id: sidebarUser.id,
+          email: sidebarUser.email,
+          name: sidebarUser.name,
+          avatar: sidebarUser.avatar,
+          createdAt: user?.created_at || "",
+          language: "en",
+        }),
+      ).toString("base64")
+    : ""
+
   return (
-    <div className="min-h-screen bg-background text-foreground transition-colors duration-300">
+    <div
+      className="min-h-screen bg-background text-foreground transition-colors duration-300"
+      data-lab68-user={dashboardUserSnapshot}
+    >
       <SkipNav />
       <DashboardSidebar user={sidebarUser} />
 
diff --git a/lib/config/i18n.ts b/lib/config/i18n.ts
@@ -1764,7 +1764,12 @@ export function getTranslations(lang: Language): Translations {
   const clone = JSON.parse(JSON.stringify(base)) as Translations
 
   const merge = (target: Record<string, any>, source: Record<string, any>) => {
+    const blockedKeys = new Set(["__proto__", "constructor", "prototype"])
     Object.keys(source).forEach((key) => {
+      if (blockedKeys.has(key)) {
+        return
+      }
+
       const value = source[key]
       if (value === undefined || value === null) {
         return
diff --git a/lib/features/auth/auth-service.ts b/lib/features/auth/auth-service.ts
@@ -18,11 +18,60 @@ export interface AuthState {
   isAuthenticated: boolean
 }
 
-// Get current user from localStorage cache (for immediate UI rendering)
+type MinimalCachedUser = Pick<User, "id" | "email" | "name" | "language" | "avatar">
+
+let inMemoryUser: User | null = null
+
+function readDashboardUserSnapshot(): User | null {
+  if (typeof document === "undefined") return null
+  const root = document.querySelector("[data-lab68-user]")
+  const encoded = root?.getAttribute("data-lab68-user")
+  if (!encoded) return null
+
+  try {
+    const decoded = window.atob(encoded)
+    const parsed = JSON.parse(decoded) as Partial<User>
+    if (!parsed?.id) return null
+
+    return {
+      id: parsed.id,
+      email: parsed.email || "",
+      name: parsed.name || "User",
+      createdAt: parsed.createdAt || "",
+      language: parsed.language,
+      avatar: parsed.avatar,
+    }
+  } catch {
+    return null
+  }
+}
+
+function toCachedUser(user: User): MinimalCachedUser {
+  return {
+    id: user.id,
+    email: user.email,
+    name: user.name,
+    language: user.language,
+    avatar: user.avatar,
+  }
+}
+
+export function setCachedUser(user: User | null) {
+  inMemoryUser = user
+}
+
+// Get current user from memory or dashboard server snapshot
 export function getCurrentUser(): User | null {
+  if (inMemoryUser) return inMemoryUser
   if (typeof window === "undefined") return null
-  const session = localStorage.getItem("lab68_session")
-  return session ? JSON.parse(session) : null
+
+  const snapshot = readDashboardUserSnapshot()
+  if (snapshot) {
+    inMemoryUser = snapshot
+    return snapshot
+  }
+
+  return null
 }
 
 // Get current user session from Supabase (authoritative source)
@@ -51,7 +100,7 @@ export async function getCurrentUserAsync(): Promise<User | null> {
         createdAt: authUser.created_at,
         language: 'en'
       }
-      localStorage.setItem("lab68_session", JSON.stringify(user))
+      setCachedUser(user)
       return user
     }
 
@@ -67,8 +116,7 @@ export async function getCurrentUserAsync(): Promise<User | null> {
       avatar: profile.avatar
     }
 
-    // Cache user in localStorage for immediate UI rendering
-    localStorage.setItem("lab68_session", JSON.stringify(user))
+    setCachedUser(user)
     return user
   } catch (error) {
     console.error('Error getting current user:', error)
@@ -116,8 +164,7 @@ export async function signUp(
       language: language || 'en',
     }
 
-    // Cache user in localStorage
-    localStorage.setItem("lab68_session", JSON.stringify(newUser))
+    setCachedUser(newUser)
 
     return { success: true, user: newUser }
   } catch (error: any) {
@@ -172,8 +219,7 @@ export async function signIn(
       language: 'en'
     }
 
-    // Cache user in localStorage
-    localStorage.setItem("lab68_session", JSON.stringify(user))
+    setCachedUser(user)
 
     if (rememberMe) {
       localStorage.setItem("lab68_remember", "true")
@@ -266,8 +312,7 @@ export async function verifyOtp(
       language: 'en'
     }
 
-    // Cache user in localStorage
-    localStorage.setItem("lab68_session", JSON.stringify(user))
+    setCachedUser(user)
 
     if (rememberMe) {
       localStorage.setItem("lab68_remember", "true")
@@ -305,12 +350,11 @@ export async function signOut(): Promise<void> {
   try {
     const supabase = createClient()
     await supabase.auth.signOut()
-    localStorage.removeItem("lab68_session")
+    setCachedUser(null)
     localStorage.removeItem("lab68_remember")
   } catch (error) {
     console.error('Error signing out:', error)
-    // Still clear localStorage even if Supabase signout fails
-    localStorage.removeItem("lab68_session")
+    setCachedUser(null)
     localStorage.removeItem("lab68_remember")
   }
 }
@@ -357,7 +401,7 @@ export async function updateUserProfile(
     const currentUser = await getCurrentUserAsync()
 
     if (currentUser && currentUser.id === userId) {
-      localStorage.setItem("lab68_session", JSON.stringify(currentUser))
+      setCachedUser(currentUser)
     }
 
     return { success: true, user: currentUser || undefined }
@@ -385,6 +429,6 @@ export async function checkRememberMe(): Promise<User | null> {
 // Clear all auth data (useful for debugging)
 export function clearAuthData(): void {
   if (typeof window === "undefined") return
-  localStorage.removeItem("lab68_session")
+  setCachedUser(null)
   localStorage.removeItem("lab68_remember")
 }
diff --git a/lib/hooks/useAuth.ts b/lib/hooks/useAuth.ts
@@ -2,7 +2,7 @@
 
 import { useEffect, useState } from 'react'
 import { createClient } from '@/lib/database/supabase-client'
-import type { User } from '@/lib/features/auth/auth-service'
+import { setCachedUser, type User } from '@/lib/features/auth/auth-service'
 
 export function useAuth() {
   const [user, setUser] = useState<User | null>(null)
@@ -36,7 +36,7 @@ export function useAuth() {
               avatar: profile.avatar
             }
             setUser(userData)
-            localStorage.setItem("lab68_session", JSON.stringify(userData))
+            setCachedUser(userData)
           }
         }
       } catch (error) {
@@ -70,11 +70,11 @@ export function useAuth() {
             avatar: profile.avatar
           }
           setUser(userData)
-          localStorage.setItem("lab68_session", JSON.stringify(userData))
+          setCachedUser(userData)
         }
       } else {
         setUser(null)
-        localStorage.removeItem("lab68_session")
+        setCachedUser(null)
       }
     })
 

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@`
`2`	`2`
`3`	`3`	`import { useEffect, useState } from 'react'`
`4`	`4`	`import { createClient } from '@/lib/database/supabase-client'`
`5`		`-import type { User } from '@/lib/features/auth/auth-service'`
	`5`	`+import { setCachedUser, type User } from '@/lib/features/auth/auth-service'`
`6`	`6`
`7`	`7`	`export function useAuth() {`
`8`	`8`	`const [user, setUser] = useState<User \| null>(null)`
`@@ -36,7 +36,7 @@ export function useAuth() {`
`36`	`36`	`avatar: profile.avatar`
`37`	`37`	`}`
`38`	`38`	`setUser(userData)`
`39`		`- localStorage.setItem("lab68_session", JSON.stringify(userData))`
	`39`	`+ setCachedUser(userData)`
`40`	`40`	`}`
`41`	`41`	`}`
`42`	`42`	`} catch (error) {`
`@@ -70,11 +70,11 @@ export function useAuth() {`
`70`	`70`	`avatar: profile.avatar`
`71`	`71`	`}`
`72`	`72`	`setUser(userData)`
`73`		`- localStorage.setItem("lab68_session", JSON.stringify(userData))`
	`73`	`+ setCachedUser(userData)`
`74`	`74`	`}`
`75`	`75`	`} else {`
`76`	`76`	`setUser(null)`
`77`		`- localStorage.removeItem("lab68_session")`
	`77`	`+ setCachedUser(null)`
`78`	`78`	`}`
`79`	`79`	`})`
`80`	`80`