feat: another security sweep

api/src/app/routes/auth/index.ts

@@ -79,8 +79,9 @@ const authRoutes: FastifyPluginAsync = async (app) => {
       // Create or update user in database
       const user = await authService.createOrUpdateUserFromDiscord(userData, inDiscord, isVip, isMod, isStaff);
 
-      // Generate JWT
-      const jwt = await authService.generateToken(user);
+      // Generate access token and refresh token
+      const accessToken = await authService.generateToken(user);
+      const refreshToken = await authService.generateRefreshToken(user.id);
 
       // Log successful login
       await AuditService.log({
@@ -91,13 +92,21 @@ const authRoutes: FastifyPluginAsync = async (app) => {
         success: true,
       }, request);
 
-      // Set signed cookie and redirect to frontend
+      // Set signed cookies and redirect to frontend
       reply
-        .setCookie("auth-token", jwt, {
+        .setCookie("auth-token", accessToken, {
           path: "/",
           httpOnly: true,
           secure: process.env.NODE_ENV === "production",
           sameSite: "lax",
+          maxAge: 15 * 60, // 15 minutes
+          signed: true,
+        })
+        .setCookie("refresh-token", refreshToken, {
+          path: "/api/auth",
+          httpOnly: true,
+          secure: process.env.NODE_ENV === "production",
+          sameSite: "lax",
           maxAge: 7 * 24 * 60 * 60, // 7 days
           signed: true,
         })
@@ -143,11 +152,78 @@ const authRoutes: FastifyPluginAsync = async (app) => {
     }
   );
 
+  /**
+   * Refresh access token using refresh token.
+   */
+  app.post("/refresh", async (request, reply) => {
+    const signedRefreshToken = request.cookies["refresh-token"];
+    if (!signedRefreshToken) {
+      return reply.code(401).send({ error: "No refresh token provided" });
+    }
+
+    const unsignedResult = request.unsignCookie(signedRefreshToken);
+    if (!unsignedResult.valid || !unsignedResult.value) {
+      return reply.code(401).send({ error: "Invalid refresh token" });
+    }
+
+    const refreshToken = unsignedResult.value;
+    const user = await authService.validateRefreshToken(refreshToken);
+
+    if (!user) {
+      reply.clearCookie("refresh-token", { path: "/api/auth", signed: true });
+      return reply.code(401).send({ error: "Refresh token expired or invalid" });
+    }
+
+    if (user.isBanned) {
+      await authService.revokeAllUserTokens(user.id);
+      reply
+        .clearCookie("auth-token", { path: "/", signed: true })
+        .clearCookie("refresh-token", { path: "/api/auth", signed: true });
+      return reply.code(403).send({ error: "Account is banned" });
+    }
+
+    // Rotate refresh token for security
+    const newRefreshToken = await authService.rotateRefreshToken(refreshToken, user.id);
+    if (!newRefreshToken) {
+      return reply.code(401).send({ error: "Failed to rotate refresh token" });
+    }
+
+    const newAccessToken = await authService.generateToken(user);
+
+    reply
+      .setCookie("auth-token", newAccessToken, {
+        path: "/",
+        httpOnly: true,
+        secure: process.env.NODE_ENV === "production",
+        sameSite: "lax",
+        maxAge: 15 * 60, // 15 minutes
+        signed: true,
+      })
+      .setCookie("refresh-token", newRefreshToken, {
+        path: "/api/auth",
+        httpOnly: true,
+        secure: process.env.NODE_ENV === "production",
+        sameSite: "lax",
+        maxAge: 7 * 24 * 60 * 60, // 7 days
+        signed: true,
+      })
+      .send({ user, accessToken: newAccessToken });
+  });
+
   /**
    * Logout.
    */
   app.post("/logout", async (request, reply) => {
-    // Try to get user ID from JWT if available
+    // Revoke refresh token if present
+    const signedRefreshToken = request.cookies["refresh-token"];
+    if (signedRefreshToken) {
+      const unsignedResult = request.unsignCookie(signedRefreshToken);
+      if (unsignedResult.valid && unsignedResult.value) {
+        await authService.revokeRefreshToken(unsignedResult.value);
+      }
+    }
+
+    // Try to get user ID from JWT for audit logging
     try {
       await request.jwtVerify();
       const user = request.user as { id?: string; username?: string };
@@ -169,6 +245,10 @@ const authRoutes: FastifyPluginAsync = async (app) => {
         path: "/",
         signed: true,
       })
+      .clearCookie("refresh-token", {
+        path: "/api/auth",
+        signed: true,
+      })
       .send({ message: "Logged out successfully" });
   });
 

api/src/app/routes/likes/index.ts

@@ -136,6 +136,11 @@ const likesRoutes: FastifyPluginAsync = async (app) => {
         return { error: "Items array is required" };
       }
 
+      if (items.length > 100) {
+        reply.code(400);
+        return { error: "Maximum 100 items allowed per request" };
+      }
+
       const validTypes = ['book', 'game', 'show', 'manga', 'music', 'art'];
       const results = await Promise.all(
         items.map(async (item) => {

api/src/app/routes/suggestions/index.ts

@@ -7,6 +7,7 @@ import type {
   SuggestionEntity,
   CreateSuggestionDto,
   DeclineSuggestionDto,
+  AcceptWithEditsDto,
 } from "@library/shared-types";
 import { adminGuard } from "../../middleware/admin-guard";
 import { bannedGuard } from "../../middleware/banned-guard";
@@ -132,7 +133,7 @@ export default async function (app: FastifyInstance): Promise<void> {
   );
 
   // Accept a suggestion with edits (admin only)
-  app.put<{ Params: { id: string }; Body: any }>(
+  app.put<{ Params: { id: string }; Body: AcceptWithEditsDto }>(
     "/:id/accept-with-edits",
     {
       preHandler: [app.authenticate, adminGuard, app.csrfProtection],
@@ -192,4 +193,36 @@ export default async function (app: FastifyInstance): Promise<void> {
       }
     }
   );
+
+  // Delete a suggestion (owner or admin only, only if unreviewed)
+  app.delete<{ Params: { id: string } }>(
+    "/:id",
+    {
+      preHandler: [app.authenticate, app.csrfProtection],
+    },
+    async (request, reply) => {
+      const { id } = request.params;
+      const userId = request.user.id;
+      const isAdmin = request.user.isAdmin;
+
+      try {
+        const suggestion = await SuggestionService.deleteSuggestion(id, userId, isAdmin);
+
+        await AuditService.logFromRequest(request, {
+          action: AuditAction.ENTRY_DELETE,
+          category: isAdmin ? AuditCategory.ADMIN : AuditCategory.CONTENT,
+          resourceType: "Suggestion",
+          resourceId: suggestion.id,
+          details: `Deleted ${suggestion.entityType} suggestion: ${suggestion.title}`,
+          success: true,
+        });
+
+        reply.send({ success: true });
+      } catch (error) {
+        return reply.badRequest(
+          error instanceof Error ? error.message : "Failed to delete suggestion"
+        );
+      }
+    }
+  );
 }

api/src/app/services/auth.service.ts

@@ -1,6 +1,10 @@
 import { FastifyInstance } from "fastify";
 import { JwtPayload, User } from "@library/shared-types";
 import { prisma } from "../lib/prisma";
+import { randomBytes } from "crypto";
+
+const ACCESS_TOKEN_EXPIRY = "15m";
+const REFRESH_TOKEN_EXPIRY_DAYS = 7;
 
 export class AuthService {
   private prisma = prisma;
@@ -8,7 +12,7 @@ export class AuthService {
   constructor(private readonly app: FastifyInstance) {}
 
   /**
-   * Generate JWT token for user.
+   * Generate short-lived access token for user.
    */
   async generateToken(user: User): Promise<string> {
     const payload: JwtPayload = {
@@ -19,10 +23,125 @@ export class AuthService {
     };
 
     return this.app.jwt.sign(payload, {
-      expiresIn: "7d",
+      expiresIn: ACCESS_TOKEN_EXPIRY,
     });
   }
 
+  /**
+   * Generate a secure refresh token and store it in the database.
+   */
+  async generateRefreshToken(userId: string): Promise<string> {
+    const token = randomBytes(64).toString("hex");
+    const expiresAt = new Date();
+    expiresAt.setDate(expiresAt.getDate() + REFRESH_TOKEN_EXPIRY_DAYS);
+
+    await this.prisma.refreshToken.create({
+      data: {
+        token,
+        userId,
+        expiresAt,
+      },
+    });
+
+    return token;
+  }
+
+  /**
+   * Validate and consume a refresh token, returning the user if valid.
+   */
+  async validateRefreshToken(token: string): Promise<User | null> {
+    const refreshToken = await this.prisma.refreshToken.findUnique({
+      where: { token },
+      include: { user: true },
+    });
+
+    if (!refreshToken) {
+      return null;
+    }
+
+    if (refreshToken.expiresAt < new Date()) {
+      await this.prisma.refreshToken.delete({ where: { id: refreshToken.id } });
+      return null;
+    }
+
+    const dbUser = refreshToken.user;
+    return {
+      id: dbUser.id,
+      discordId: dbUser.discordId,
+      username: dbUser.username,
+      email: dbUser.email,
+      avatar: dbUser.avatar || undefined,
+      isAdmin: dbUser.isAdmin,
+      isBanned: dbUser.isBanned,
+      inDiscord: dbUser.inDiscord,
+      isVip: dbUser.isVip,
+      isMod: dbUser.isMod,
+      isStaff: dbUser.isStaff,
+    };
+  }
+
+  /**
+   * Rotate a refresh token (invalidate old, create new with same expiry).
+   * Preserves original expiry so users must re-auth with Discord every 7 days.
+   */
+  async rotateRefreshToken(oldToken: string, userId: string): Promise<string | null> {
+    const existingToken = await this.prisma.refreshToken.findUnique({
+      where: { token: oldToken },
+    });
+
+    if (!existingToken) {
+      return null;
+    }
+
+    const originalExpiry = existingToken.expiresAt;
+
+    await this.prisma.refreshToken.delete({
+      where: { id: existingToken.id },
+    });
+
+    const newToken = randomBytes(64).toString("hex");
+
+    await this.prisma.refreshToken.create({
+      data: {
+        token: newToken,
+        userId,
+        expiresAt: originalExpiry,
+      },
+    });
+
+    return newToken;
+  }
+
+  /**
+   * Revoke a specific refresh token.
+   */
+  async revokeRefreshToken(token: string): Promise<void> {
+    await this.prisma.refreshToken.deleteMany({
+      where: { token },
+    });
+  }
+
+  /**
+   * Revoke all refresh tokens for a user (logout from all devices).
+   */
+  async revokeAllUserTokens(userId: string): Promise<void> {
+    await this.prisma.refreshToken.deleteMany({
+      where: { userId },
+    });
+  }
+
+  /**
+   * Clean up expired refresh tokens (can be called periodically).
+   */
+  async cleanupExpiredTokens(): Promise<number> {
+    const result = await this.prisma.refreshToken.deleteMany({
+      where: {
+        expiresAt: { lt: new Date() },
+      },
+    });
+    return result.count;
+  }
+
   /**
    * Verify JWT token.
    */

api/src/app/services/suggestion.service.ts

@@ -4,6 +4,7 @@ import type {
   SuggestionStatus,
   SuggestionEntity,
   CreateSuggestionDto,
+  AcceptWithEditsDto,
 } from "@library/shared-types";
 import {
   GameStatus,
@@ -340,7 +341,7 @@ export const SuggestionService = {
     return mapSuggestion(updatedSuggestion);
   },
 
-  async acceptSuggestionWithEdits(id: string, editedData: any): Promise<Suggestion> {
+  async acceptSuggestionWithEdits(id: string, editedData: AcceptWithEditsDto): Promise<Suggestion> {
     const suggestion = await prisma.suggestion.findUnique({
       where: { id },
       include: { user: true },
@@ -453,4 +454,29 @@ export const SuggestionService = {
 
     return mapSuggestion(updatedSuggestion);
   },
+
+  async deleteSuggestion(id: string, userId: string, isAdmin: boolean): Promise<Suggestion> {
+    const suggestion = await prisma.suggestion.findUnique({
+      where: { id },
+      include: { user: true },
+    });
+
+    if (!suggestion) {
+      throw new Error("Suggestion not found");
+    }
+
+    if (!isAdmin && suggestion.userId !== userId) {
+      throw new Error("You can only delete your own suggestions");
+    }
+
+    if (suggestion.status !== "UNREVIEWED") {
+      throw new Error("Cannot delete a suggestion that has already been reviewed");
+    }
+
+    await prisma.suggestion.delete({
+      where: { id },
+    });
+
+    return mapSuggestion(suggestion);
+  },
 };