fix: address issues 7, 9, 11 (API errors, payload limits, leaderboard tests)

.github/workflows/auto-process.yml

@@ -35,12 +35,7 @@ jobs:
             echo "PR #${PR_NUMBER} already counted."
             exit 0
           fi
-          if [ ! -f leaderboard.json ]; then
-            printf '{}\n' > leaderboard.json
-          fi
-          tmp_file="$(mktemp)"
-          jq --arg user "${PR_USER}" '.[$user] = ((.[$user] // 0) + 1)' leaderboard.json > "${tmp_file}"
-          mv "${tmp_file}" leaderboard.json
+          node scripts/updateLeaderboard.js leaderboard.json "${PR_USER}"
           git add leaderboard.json
           if git diff --cached --quiet -- leaderboard.json; then
             echo "No leaderboard changes to commit."

apps/api/src/index.ts

@@ -5,7 +5,8 @@ import usersRouter from "./routes/users";
 const app = express();
 const port = process.env.PORT || 4000;
 
-app.use(express.json());
+// Limit JSON payload size to 100kb
+app.use(express.json({ limit: "100kb" }));
 
 app.get("/health", (_req, res) => {
   res.json({ status: "ok", service: "taskflow-api" });

apps/api/src/routes/users.ts

@@ -1,5 +1,7 @@
 import { Router } from "express";
 
+import { sendApiError } from "../utils/error";
+
 const router = Router();
 
 router.get("/", (_req, res) => {
@@ -10,6 +12,10 @@ router.get("/", (_req, res) => {
 });
 
 router.post("/", (req, res) => {
+  if (!req.body || Object.keys(req.body).length === 0) {
+    return sendApiError(res, 400, "User data is required.");
+  }
+
   res.status(201).json({
     data: {
       id: "stub-user-id",

apps/api/src/utils/error.ts

@@ -0,0 +1,14 @@
+import { Response } from "express";
+
+/**
+ * Standardized API error response helper
+ */
+export function sendApiError(res: Response, statusCode: number, message: string, details?: any) {
+  return res.status(statusCode).json({
+    success: false,
+    error: {
+      message,
+      ...(details && { details })
+    }
+  });
+}

apps/web/next-env.d.ts

@@ -0,0 +1,5 @@
+/// <reference types="next" />
+/// <reference types="next/image-types/global" />
+
+// NOTE: This file should not be edited
+// see https://nextjs.org/docs/app/building-your-application/configuring/typescript for more information.

apps/web/next.config.mjs

@@ -0,0 +1,30 @@
+/** @type {import('next').NextConfig} */
+const nextConfig = {
+  async headers() {
+    return [
+      {
+        source: '/(.*)',
+        headers: [
+          {
+            key: 'X-Frame-Options',
+            value: 'DENY',
+          },
+          {
+            key: 'X-Content-Type-Options',
+            value: 'nosniff',
+          },
+          {
+            key: 'Referrer-Policy',
+            value: 'strict-origin-when-cross-origin',
+          },
+          {
+            key: 'Permissions-Policy',
+            value: 'camera=(), microphone=(), geolocation=()',
+          },
+        ],
+      },
+    ];
+  },
+};
+
+export default nextConfig;

apps/web/package.json

@@ -5,7 +5,7 @@
   "description": "Next.js web application for TaskFlow.",
   "scripts": {
     "dev": "next dev",
-    "test": "echo \"No web tests configured yet\"",
+    "test": "node test-security-headers.mjs",
     "lint": "next lint"
   },
   "dependencies": {

apps/web/src/app/layout.tsx

@@ -0,0 +1,16 @@
+export const metadata = {
+  title: 'Next.js',
+  description: 'Generated by Next.js',
+}
+
+export default function RootLayout({
+  children,
+}: {
+  children: React.ReactNode
+}) {
+  return (
+    <html lang="en">
+      <body>{children}</body>
+    </html>
+  )
+}

apps/web/test-security-headers.mjs

@@ -0,0 +1,61 @@
+import { spawn } from "child_process";
+import assert from "assert";
+
+async function runTest() {
+  console.log("Starting Next.js dev server...");
+  const devProcess = spawn("npm", ["run", "dev", "--", "-p", "3002"], {
+    stdio: "pipe",
+    env: { ...process.env, PORT: "3002" },
+  });
+
+  let serverReady = false;
+
+  devProcess.stdout.on("data", (data) => {
+    const output = data.toString();
+    console.log(output);
+    if (output.includes("Ready") || output.includes("started server on")) {
+      serverReady = true;
+    }
+  });
+
+  devProcess.stderr.on("data", (data) => {
+    console.error(data.toString());
+  });
+
+  // Wait for server to be ready
+  let attempts = 0;
+  while (!serverReady && attempts < 30) {
+    await new Promise((resolve) => setTimeout(resolve, 1000));
+    attempts++;
+  }
+
+  if (!serverReady) {
+    console.error("Server failed to start in time.");
+    devProcess.kill();
+    process.exit(1);
+  }
+
+  console.log("Fetching http://localhost:3002...");
+  try {
+    const res = await fetch("http://localhost:3002");
+    console.log("Headers:");
+    res.headers.forEach((value, key) => {
+      console.log(`${key}: ${value}`);
+    });
+
+    assert.strictEqual(res.headers.get("x-frame-options"), "DENY", "X-Frame-Options should be DENY");
+    assert.strictEqual(res.headers.get("x-content-type-options"), "nosniff", "X-Content-Type-Options should be nosniff");
+    assert.strictEqual(res.headers.get("referrer-policy"), "strict-origin-when-cross-origin", "Referrer-Policy should be strict-origin-when-cross-origin");
+    assert.ok(res.headers.get("permissions-policy"), "Permissions-Policy should be set");
+    console.log("SUCCESS: Security headers are correctly set.");
+  } catch (error) {
+    console.error("Test failed:", error);
+    devProcess.kill();
+    process.exit(1);
+  }
+
+  devProcess.kill();
+  process.exit(0);
+}
+
+runTest();

apps/web/tsconfig.json

@@ -0,0 +1,34 @@
+{
+  "compilerOptions": {
+    "lib": [
+      "dom",
+      "dom.iterable",
+      "esnext"
+    ],
+    "allowJs": true,
+    "skipLibCheck": true,
+    "strict": false,
+    "noEmit": true,
+    "incremental": true,
+    "module": "esnext",
+    "esModuleInterop": true,
+    "moduleResolution": "node",
+    "resolveJsonModule": true,
+    "isolatedModules": true,
+    "jsx": "preserve",
+    "plugins": [
+      {
+        "name": "next"
+      }
+    ]
+  },
+  "include": [
+    "next-env.d.ts",
+    ".next/types/**/*.ts",
+    "**/*.ts",
+    "**/*.tsx"
+  ],
+  "exclude": [
+    "node_modules"
+  ]
+}