Momento/memento-note/app/api/ai/test-chat/route.ts
sepehr fa72672aac
security: fix critical auth gaps, SSRF, IDOR, and embedding error handling
CRITICAL:
- Add auth + admin check to 10 unprotected API routes (test-*, debug/*,
  config, models, fix-labels)
- Add CRON_SECRET bearer auth to /api/cron/reminders (was fully open)
- Add SSRF protection to getOllamaModels (blocks private/internal IPs)

HIGH:
- Fix getAllLabels() missing userId filter (leaked all users' labels)
- Fix /api/labels OR clause leaking other users' labels
- Fix IDOR in toggleAgent/getAgentActions (add ownership check)
- Fix getEmbeddings() returning [] on error in all 5 providers (corrupted
  semantic search with NaN cosine similarity) — now throws instead

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-30 21:02:13 +02:00


import { NextRequest, NextResponse } from 'next/server'
import { getChatProvider } from '@/lib/ai/factory'
import { getSystemConfig } from '@/lib/config'
import { auth } from '@/auth'
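/** Fallback chat model name used when AI_MODEL_CHAT is unset or empty in the system config. */
const DEFAULT_CHAT_MODEL = 'granite4:latest'

/**
 * POST /api/ai/test-chat — admin-only smoke test of the configured chat provider.
 *
 * Sends a fixed prompt through `getChatProvider(config).generateText` and reports
 * whether a non-empty reply came back, together with the round-trip time.
 *
 * @param request - The incoming request; currently unused (no body or query is read).
 * @returns 401 when there is no authenticated user, 403 when the user is not an ADMIN,
 *   500 with `success: false` when the provider throws or returns an empty reply,
 *   otherwise 200 with `success: true`, the model name, the trimmed reply and
 *   `responseTime` in milliseconds. `stack` is only populated when NODE_ENV is 'development'.
 */
export async function POST(request: NextRequest) {
  const session = await auth()
  if (!session?.user?.id) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
  }

  // `role` is not declared on the base session user type; narrow with `in`
  // instead of an `as any` cast so the comparison stays type-checked.
  const user: object = session.user
  if (!('role' in user) || user.role !== 'ADMIN') {
    return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
  }

  // Declared outside the try so the catch can report the model name without
  // calling getSystemConfig() a second time — a second call could itself throw
  // inside the catch and escape the handler as an unhandled rejection.
  let config: Awaited<ReturnType<typeof getSystemConfig>> | undefined
  try {
    config = await getSystemConfig()
    const provider = getChatProvider(config)
    const testMessage = 'Réponds en exactement 3 mots : quel est ton nom ?'
    // `||` rather than `??` on purpose: an empty-string model name falls back too.
    const model = config.AI_MODEL_CHAT || DEFAULT_CHAT_MODEL

    const startTime = Date.now()
    const response = await provider.generateText(testMessage)
    const responseTime = Date.now() - startTime

    // Trim once; a null/undefined or whitespace-only reply counts as "no response".
    const reply = (response ?? '').trim()
    if (reply.length === 0) {
      return NextResponse.json(
        { success: false, error: 'No response from chat provider', model },
        { status: 500 }
      )
    }

    return NextResponse.json({
      success: true,
      model,
      chatResponse: reply,
      responseTime,
    })
  } catch (error: unknown) {
    // Narrow instead of `catch (error: any)`; non-Error throws get the generic message.
    const message = error instanceof Error && error.message ? error.message : 'Unknown error'
    return NextResponse.json(
      {
        success: false,
        error: message,
        model: config?.AI_MODEL_CHAT || DEFAULT_CHAT_MODEL,
        // Stack traces only in development: the route is admin-only, but a
        // trace still must not leave a production deployment.
        stack:
          process.env.NODE_ENV === 'development' && error instanceof Error
            ? error.stack
            : undefined,
      },
      { status: 500 }
    )
  }
}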