enguerrandbusiness/obc-terrassement
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
64 Commits 2 Branches 0 Tags
main
Commit Graph

5 Commits

Author SHA1 Message Date
Claude
3843595e18 security: corriger les vraies vulnérabilités détectées par l'audit 
1. MIME spoofing (upload) — app/api/admin/upload/route.ts
   - Ajout de la validation par magic bytes : lit les premiers octets du
     fichier et vérifie la signature binaire réelle (JPEG FF D8 FF,
     PNG 89 50 4E 47, GIF 47 49 46 38, WebP RIFF+WEBP, AVIF ftyp box)
   - Extension dérivée exclusivement du MIME validé côté serveur
     (MIME_TO_EXT), jamais du nom de fichier fourni par le client
   - Un fichier .exe renommé en .jpg est désormais rejeté

2. Générateur de mot de passe non-cryptographique — stripe/webhook/route.ts
   - Remplace Math.random() (non-déterministe mais prévisible) par
     crypto.getRandomValues() (CSPRNG, conforme Web Crypto API)

3. Headers HTTP de sécurité manquants — middleware.ts (nouveau)
   - X-Content-Type-Options: nosniff (anti MIME-sniffing navigateur)
   - X-Frame-Options: SAMEORIGIN (anti clickjacking)
   - Referrer-Policy: strict-origin-when-cross-origin
   - Permissions-Policy: désactive camera, micro, geolocation
   - Content-Security-Policy: whitelist stricte par type de ressource
     (scripts, styles, images Unsplash/Supabase/Sanity, connect Supabase/Stripe,
     frames Stripe uniquement, object-src none, form-action self)

https://claude.ai/code/session_01PzA98VhLMmsHpzs7gnLHGs
 2026-02-21 09:01:21 +00:00
Claude
5514af9555 fix: remove middleware and route groups to fix Vercel deployment 
- Remove middleware.ts entirely (caused __dirname ReferenceError in Edge)
- Auth protection handled by dashboard layout.tsx (server-side redirect)
- Move pages out of (marketing) and (auth) route groups to fix 404 on /
- Keep (protected) route group for dashboard/formations/profil shared layout

https://claude.ai/code/session_01H2aRGDaKgarPvhay2HxN6Y
 2026-02-08 14:17:09 +00:00
Claude
7a5871d344 fix: add error handling to middleware to prevent INVOCATION_FAILED 
- Check if Supabase env vars are configured before using them
- Wrap Supabase auth call in try/catch to prevent 500 crashes
- Graceful fallback: pass through on error instead of crashing

https://claude.ai/code/session_01H2aRGDaKgarPvhay2HxN6Y
 2026-02-08 14:06:42 +00:00
Claude
c9ff180959 fix: inline Supabase middleware to fix Vercel Edge resolution 
The @/ path alias was not resolved in Vercel's Edge Function bundler,
causing "unsupported modules" error. Inlined the middleware logic
directly to avoid the import.

https://claude.ai/code/session_01H2aRGDaKgarPvhay2HxN6Y
 2026-02-08 14:01:32 +00:00
Claude
41e686c560 feat: complete HookLab MVP - TikTok Shop coaching platform 
Full-stack Next.js 15 application with:
- Landing page with marketing components (Hero, Testimonials, Pricing, FAQ)
- Multi-step candidature form with API route
- Stripe Checkout integration (subscription + webhooks)
- Supabase Auth (login/register) with middleware protection
- Dashboard with progress tracking and module system
- Formations pages with completion tracking
- Profile management with password change
- Database schema with RLS policies
- Resend email integration for transactional emails

Stack: Next.js 15, TypeScript, Tailwind CSS v4, Supabase, Stripe, Resend

https://claude.ai/code/session_01H2aRGDaKgarPvhay2HxN6Y
 2026-02-08 12:39:18 +00:00