Security Review: APIs and Config

<context>
I'm auditing API routes and Server Actions in a Next.js application for the 5 critical security layers:
1. Authentication (verify user identity)
2. Input validation (Zod schema checks)
3. Authorization (user can only access own data)
4. Rate limiting (prevent spam/DDoS)
5. Error handling (no stack trace leaks)
 
My project structure:
- API routes in: apps/web/src/app/api/**/*.ts
- Server Actions in: apps/web/src/app/actions/**/*.ts
- Auth utils in: apps/web/src/lib/auth.ts
</context>
 
<current-implementation>
I have multiple API routes and Server Actions but haven't systematically checked them against the 5-layer security model. Some routes may be missing authentication, validation, or proper error handling.
</current-implementation>
 
<questions>
1. **Audit script structure:** Should I create a Node.js script that:
   - Parses all route files and Server Action files?
   - Checks for presence of auth imports (verifyAuth, getServerSession)?
   - Detects Zod schema usage for validation?
   - Flags missing try/catch blocks or generic error responses?
 
2. **Detection patterns:** What code patterns reliably indicate:
   - Missing authentication (no verifyAuth() call before operations)?
   - Missing validation (direct await request.json() without Zod parse)?
   - Authorization gaps (no user.id === requestedId checks)?
   - Unsafe error handling (raw error.message in responses)?
 
3. **Output format:** Should the audit report show:
   - Per-file checklist of the 5 security layers?
   - Severity ratings (critical, high, medium)?
   - Code snippets showing the vulnerable patterns?
   - Prioritized fix recommendations?
 
4. **Rate limiting detection:** How do I check if routes implement rate limiting?
   - Look for imports like checkRateLimit(), rateLimit()?
   - Check for middleware like rateLimitMiddleware?
   - Flag all routes without rate limit calls as vulnerable?
 
5. **False positives:** How do I avoid flagging:
   - Public endpoints that intentionally don't need auth (e.g., /api/health)?
   - Read-only operations that may have different security requirements?
   - Routes that use authentication middleware instead of inline checks?
</questions>
 
<specific-scenario>
Example API route that should be flagged:
 
    export async function POST(request: Request) {
      const { userId, amount } = await request.json()
      await db.transactions.create({ userId, amount })
      return Response.json({ success: true })
    }
 
Expected audit findings:
- Missing: Authentication check
- Missing: Input validation (Zod schema)
- Missing: Authorization check
- Missing: Rate limiting
- Missing: Error handling (try/catch)
- Severity: CRITICAL
- Recommendation: Add all 5 security layers before deploying
</specific-scenario>
 
Generate a Node.js audit script that scans my Next.js codebase for these security gaps, produces a structured report with severity ratings and code snippets, and prioritizes fixes by impact.

<context>
I need to implement rate limiting for Next.js API routes and Server Actions to prevent abuse and DDoS attacks.
 
My application setup:
- Next.js with App Router
- API routes in apps/web/src/app/api/**/*.ts
- Server Actions in apps/web/src/app/actions/**/*.ts
- Currently NO rate limiting implemented
- Need to support both authenticated and anonymous users
</context>
 
<current-implementation>
I have no rate limiting. All routes are vulnerable to spam and abuse. Users can make unlimited requests to any endpoint.
</current-implementation>
 
<requirements>
1. **Tracking mechanism:** Rate limit by:
   - User ID for authenticated requests
   - IP address for anonymous requests
   - Different limits per endpoint (e.g., login = 5/min, API = 100/min)
 
2. **Storage:** Where to store rate limit counters?
   - In-memory Map (simple, single-server only)
   - Redis (production, multi-server support)
   - Vercel KV (serverless-compatible)
 
3. **Response handling:** When limit exceeded:
   - Return 429 Too Many Requests
   - Include Retry-After header
   - Log abuse attempts for monitoring
 
4. **Configurability:** Need flexible limits like:
   - 5 requests per minute for auth endpoints
   - 100 requests per minute for general API
   - 1000 requests per hour for analytics
 
5. **Performance:** Must NOT slow down every request:
   - Async increment (don't block response)
   - Minimal latency overhead (<5ms)
   - Efficient memory usage
</requirements>
 
<questions>
1. **Implementation pattern:** Should I create:
   - A middleware function that wraps route handlers?
   - A utility function called inside each handler?
   - A higher-order function that decorates handlers?
 
2. **Redis vs in-memory:** For production Next.js on Vercel:
   - Is in-memory Map safe for single-region deployments?
   - Should I use Vercel KV (Redis-compatible) for multi-region?
   - How do I handle counter resets between deployments?
 
3. **Sliding window vs fixed window:**
   - Fixed window: Simple but allows bursts at boundaries
   - Sliding window: More accurate but more complex
   - Which approach balances simplicity and protection?
 
4. **Bypass for internal requests:** Should I:
   - Whitelist certain IP addresses (internal tools)?
   - Skip rate limiting for requests with admin auth tokens?
   - Apply different limits based on user subscription tier?
 
5. **Edge cases:** How do I handle:
   - Clock skew across servers?
   - Distributed counter consistency?
   - Rate limit resets during server restarts?
</questions>
 
<specific-scenario>
Example route that needs rate limiting:
 
    export async function POST(request: Request) {
      // TODO: Rate limit to 5 attempts per minute per IP
      const { email, password } = await request.json()
      const user = await verifyCredentials(email, password)
      return Response.json({ token: generateToken(user) })
    }
 
Expected implementation:
- Track failed login attempts by IP address
- Limit: 5 requests per minute
- Response when exceeded:
    { "error": "Too many requests", "retryAfter": 45 }
  Status: 429
  Header: Retry-After: 45
 
Also need rate limiting for:
- General API routes: 100 requests/min per user
- Server Actions: 50 requests/min per user
- Public endpoints: 20 requests/min per IP
</specific-scenario>
 
Generate a production-ready rate limiting implementation with code examples for Next.js API routes, including Redis-backed storage, sliding window algorithm, and graceful error handling. Provide both the rate limiting utility and example usage in route handlers.