feat: add user authentication checks and improve navigation with logout functionality

web/app/api/analyze/route.ts

@@ -1,11 +1,19 @@
 import { NextRequest, NextResponse } from "next/server";
+import { createClient } from "@/lib/supabase/server";
 
 const GRADIO_URL = process.env.CLAUSEGUARD_GRADIO_URL || "https://gaurv007-clauseguard.hf.space";
 
 export async function POST(req: NextRequest) {
   try {
+    const supabase = await createClient();
+    const { data: { user } } = await supabase.auth.getUser();
+
+    if (!user) {
+      return NextResponse.json({ error: "Unauthorized. Please log in to analyze texts." }, { status: 401 });
+    }
+
     const body = await req.json();
-    const { text } = body;
+    let { text } = body;
 
     if (!text || typeof text !== "string" || text.trim().length < 50) {
       return NextResponse.json(
@@ -13,6 +21,30 @@ export async function POST(req: NextRequest) {
         { status: 400 }
       );
     }
+    
+    // Check scan limits
+    const { data: profile } = await supabase
+      .from("profiles")
+      .select("plan, role")
+      .eq("id", user.id)
+      .single();
+
+    const isAdmin = profile?.role === "admin";
+    const plan = profile?.plan || "free";
+    
+    const { count: scanCount } = await supabase
+      .from("analysis_history")
+      .select("*", { count: "exact", head: true })
+      .gte("created_at", new Date(new Date().getFullYear(), new Date().getMonth(), 1).toISOString())
+      .eq("user_id", user.id);
+
+    const limit = isAdmin ? 999999 : plan === "free" ? 10 : 999999;
+    if ((scanCount ?? 0) >= limit) {
+      return NextResponse.json({ error: "Monthly scan limit reached. Please upgrade to premium." }, { status: 403 });
+    }
+    
+    // Sanitize basic HTML tags if any to prevent XSS down the line
+    text = text.replace(/</g, "&lt;").replace(/>/g, "&gt;");
 
     // Step 1: Submit to Gradio Space
     const submitRes = await fetch(`${GRADIO_URL}/gradio_api/call/_analysis_and_index`, {

web/app/api/chat/route.ts

@@ -1,9 +1,17 @@
 import { NextRequest, NextResponse } from "next/server";
+import { createClient } from "@/lib/supabase/server";
 
 const GRADIO_URL = process.env.CLAUSEGUARD_GRADIO_URL || "https://gaurv007-clauseguard.hf.space";
 
 export async function POST(req: NextRequest) {
   try {
+    const supabase = await createClient();
+    const { data: { user } } = await supabase.auth.getUser();
+
+    if (!user) {
+      return NextResponse.json({ error: "Unauthorized. Please log in." }, { status: 401 });
+    }
+
     const body = await req.json();
     const { message, history } = body;
 

web/app/api/compare/route.ts

@@ -1,11 +1,19 @@
 import { NextRequest, NextResponse } from "next/server";
+import { createClient } from "@/lib/supabase/server";
 
 const GRADIO_URL = process.env.CLAUSEGUARD_GRADIO_URL || "https://gaurv007-clauseguard.hf.space";
 
 export async function POST(req: NextRequest) {
   try {
+    const supabase = await createClient();
+    const { data: { user } } = await supabase.auth.getUser();
+
+    if (!user) {
+      return NextResponse.json({ error: "Unauthorized. Please log in." }, { status: 401 });
+    }
+
     const body = await req.json();
-    const { text_a, text_b } = body;
+    let { text_a, text_b } = body;
 
     if (!text_a || !text_b || text_a.trim().length < 50 || text_b.trim().length < 50) {
       return NextResponse.json(
@@ -13,6 +21,10 @@ export async function POST(req: NextRequest) {
         { status: 400 }
       );
     }
+    
+    // Sanitize basically
+    text_a = text_a.replace(/</g, "&lt;").replace(/>/g, "&gt;");
+    text_b = text_b.replace(/</g, "&lt;").replace(/>/g, "&gt;");
 
     // Call Gradio Space API
     const submitRes = await fetch(`${GRADIO_URL}/gradio_api/call/run_comparison`, {

web/app/api/parse-upload/route.ts

@@ -1,9 +1,20 @@
 import { NextRequest, NextResponse } from "next/server";
+import { createClient } from "@/lib/supabase/server";
 
 export const runtime = "nodejs";
 
+// Add a 5MB size limit
+const MAX_FILE_SIZE = 5 * 1024 * 1024;
+
 export async function POST(req: NextRequest) {
   try {
+    const supabase = await createClient();
+    const { data: { user } } = await supabase.auth.getUser();
+
+    if (!user) {
+      return NextResponse.json({ error: "Unauthorized. Please log in." }, { status: 401 });
+    }
+
     const formData = await req.formData();
     const file = formData.get("file") as File | null;
 
@@ -11,13 +22,20 @@ export async function POST(req: NextRequest) {
       return NextResponse.json({ error: "No file uploaded" }, { status: 400 });
     }
 
+    if (file.size > MAX_FILE_SIZE) {
+      return NextResponse.json({ error: "File exceeds 5MB size limit" }, { status: 400 });
+    }
+
     const name = file.name.toLowerCase();
     const buffer = Buffer.from(await file.arrayBuffer());
     let text = "";
 
-    if (name.endsWith(".txt") || name.endsWith(".md")) {
+    // Validate MIME types alongside extension
+    const mimeType = file.type;
+    
+    if ((name.endsWith(".txt") || name.endsWith(".md")) && (mimeType.includes("text/plain") || mimeType.includes("text/markdown"))) {
       text = new TextDecoder().decode(buffer);
-    } else if (name.endsWith(".pdf")) {
+    } else if (name.endsWith(".pdf") && mimeType === "application/pdf") {
       // pdf-parse v2
       await import("pdf-parse/worker");
       const { PDFParse } = await import("pdf-parse");

web/app/auth/callback/route.ts

@@ -4,9 +4,14 @@ import { NextResponse } from "next/server";
 export async function GET(request: Request) {
   const requestUrl = new URL(request.url);
   const code = requestUrl.searchParams.get("code");
-  const next = requestUrl.searchParams.get("next") || "/dashboard-pages/dashboard";
+  let next = requestUrl.searchParams.get("next") || "/dashboard-pages/dashboard";
   const origin = requestUrl.origin;
 
+  // Prevent open redirect
+  if (next && !next.startsWith("/")) {
+    next = "/dashboard-pages/dashboard";
+  }
+
   if (code) {
     const supabase = await createClient();
     const { error } = await supabase.auth.exchangeCodeForSession(code);

web/app/auth/login/page.tsx

@@ -21,16 +21,16 @@ function LoginForm() {
   // Check if already logged in — redirect immediately
   useEffect(() => {
     supabase.auth.getUser().then(({ data: { user } }) => {
-      if (user) { window.location.href = next; }
+      if (user) { router.push(next); }
       else { setChecking(false); }
     });
-  }, [next, supabase.auth]);
+  }, [next, supabase.auth, router]);
 
   async function handleLogin(e: React.FormEvent) {
     e.preventDefault(); setLoading(true); setError("");
     const { error } = await supabase.auth.signInWithPassword({ email, password });
     if (error) { setError(error.message); setLoading(false); }
-    else { window.location.href = next; }
+    else { router.push(next); }
   }
 
   async function handleMagicLink() {

web/app/auth/signup/page.tsx

@@ -18,10 +18,10 @@ export default function SignupPage() {
   // Redirect if already logged in
   useEffect(() => {
     supabase.auth.getUser().then(({ data: { user } }) => {
-      if (user) { window.location.href = "/dashboard-pages/dashboard"; }
+      if (user) { router.push("/dashboard-pages/dashboard"); }
       else { setChecking(false); }
     });
-  }, []);
+  }, [router, supabase.auth]);
 
   async function handleSignup(e: React.FormEvent) {
     e.preventDefault(); setLoading(true); setError("");

web/components/nav.tsx

@@ -119,6 +119,15 @@ export function Nav() {
                 }`}>
                 <Settings className="w-3.5 h-3.5" /> Settings
               </Link>
+              <button onClick={async () => {
+                const supabase = createClient();
+                await supabase.auth.signOut();
+                setUserEmail(null);
+                setUserRole(null);
+                window.location.href = "/";
+              }} className="flex items-center gap-1.5 px-2.5 py-1.5 text-[13px] text-zinc-500 hover:text-zinc-900 rounded-md hover:bg-zinc-50 transition-colors">
+                Log out
+              </button>
               <Link href="/dashboard-pages/analyze"
                 className="ml-1 px-3 py-1.5 text-[13px] font-medium text-white bg-zinc-900 rounded-md hover:bg-zinc-800 transition-colors flex items-center gap-1.5">
                 <Zap className="w-3.5 h-3.5" /> New scan
@@ -188,10 +197,24 @@ export function Nav() {
 
           {/* Auth actions */}
           {isLoggedIn ? (
-            <Link href="/dashboard-pages/analyze" onClick={() => setOpen(false)}
-              className="block px-3 py-2.5 text-sm font-medium text-white bg-zinc-900 rounded-lg text-center hover:bg-zinc-800">
-              New Scan
-            </Link>
+            <>
+              <Link href="/dashboard-pages/analyze" onClick={() => setOpen(false)}
+                className="block px-3 py-2.5 text-sm font-medium text-white bg-zinc-900 rounded-lg text-center hover:bg-zinc-800 mb-1">
+                New Scan
+              </Link>
+              <button 
+                onClick={async () => {
+                  setOpen(false);
+                  const supabase = createClient();
+                  await supabase.auth.signOut();
+                  setUserEmail(null);
+                  setUserRole(null);
+                  window.location.href = "/";
+                }} 
+                className="w-full text-left flex items-center gap-2.5 px-3 py-2.5 text-sm text-zinc-600 rounded-md hover:bg-zinc-50">
+                Log out
+              </button>
+            </>
           ) : (
             <>
               <Link href="/auth/login" onClick={() => setOpen(false)}