Tests

Author: IgorWounds

README.md

@@ -1,36 +1,130 @@
-This is a [Next.js](https://nextjs.org) project bootstrapped with [`create-next-app`](https://nextjs.org/docs/app/api-reference/cli/create-next-app).
+# ChatGPT Clone
+
+A production-grade ChatGPT-like clone built with Next.js, Supabase, Together.ai, Tailwind CSS, and modern best practices. Real-time chat, file attachments, model selection, user settings, and more.
+
+---
+
+## Features
+
+- **Authentication**: Email/password signup & login, protected routes, session management
+- **Chat Interface**: Real-time streaming, markdown/code, reactions, editing, mobile-responsive
+- **Conversation Management**: Create, rename, delete, search, filter, optimistic UI
+- **File Attachments**: Drag & drop, preview, validation, secure storage
+- **Model Selection**: Switch Together.ai models, per-conversation, token/cost tracking
+
+---
+
+## Tech Stack
+
+- **Frontend**: Next.js 14 (App Router, RSC), TypeScript, Tailwind CSS, shadcn/ui
+- **Backend**: Next.js API Routes (Edge), Supabase (Postgres, Auth, Storage)
+- **State**: Zustand, TanStack Query, React Hook Form, Zod
+- **LLM**: Together.ai API
+- **Testing**: Vitest
+
+---
 
 ## Getting Started
 
-First, run the development server:
+### 1. Clone & Install
+
+```bash
+git clone https://github.com/your-org/chatgpt-clone.git
+cd chatgpt-clone
+npm install # or yarn or pnpm
+```
+
+### 2. Environment Setup
+
+Copy `.env.example` to `.env.local` and fill in:
+
+```env
+NEXT_PUBLIC_SUPABASE_URL=...
+NEXT_PUBLIC_SUPABASE_ANON_KEY=...
+SUPABASE_SERVICE_ROLE_KEY=...
+TOGETHER_API_KEY=...
+```
+
+- [Create a Supabase project](https://app.supabase.com/)
+- [Get a Together.ai API key](https://platform.together.ai/)
+
+### 3. Database Setup
+
+- Run the SQL in `knowledge_base/context.md` to create tables: `users`, `conversations`, `messages`, `attachments`.
+- Set up Supabase Storage bucket for file uploads.
+
+### 4. Run Locally
 
 ```bash
 npm run dev
-# or
-yarn dev
-# or
-pnpm dev
-# or
-bun dev
 ```
+Visit [http://localhost:3000](http://localhost:3000)
+
+---
+
+## Scripts
+
+- `npm run dev` — Start dev server
+- `npm run build` — Build for production
+- `npm start` — Start production server
+- `npm run lint` — Lint code
+- `npm test` — Run all tests (Jest/Vitest)
+
+---
+
+## Testing
+
+- **Unit/Integration**: `npm test` (Jest/Vitest)
+- **E2E**: See `integration/e2e-chat-auth-flow.test.tsx`
+- Tests cover auth, chat, file upload, and more
+
+---
+
+## Production Environment
+
+- Set `NODE_ENV=production` in your deployment platform (Vercel does this automatically)
+- Use Node.js 18+ runtime
+- Set all required environment variables (see `.env.example`)
+- Enable HTTPS (Vercel/most hosts do this by default)
+- Configure Supabase CORS for your domain
+- Set up Supabase Storage bucket for file uploads
+- Set JWT expiration and security settings in Supabase Auth
+- Review rate limits and security headers in `middleware.ts` and API routes
+
+## Deployment
+
+### Deploy to Vercel (Recommended)
+
+1. Push your code to GitHub
+2. [Import your repo to Vercel](https://vercel.com/import)
+3. Set all environment variables in Vercel dashboard
+4. Click Deploy
+
+### Manual/Other Node Hosts
 
-Open [http://localhost:3000](http://localhost:3000) with your browser to see the result.
+- Build: `npm run build`
+- Start: `npm start`
+- Set all env vars from `.env.example`
 
-You can start editing the page by modifying `app/page.tsx`. The page auto-updates as you edit the file.
+---
 
-This project uses [`next/font`](https://nextjs.org/docs/app/building-your-application/optimizing/fonts) to automatically optimize and load [Geist](https://vercel.com/font), a new font family for Vercel.
+## Security & Best Practices
 
-## Learn More
+- Input validation (Zod, server-side checks)
+- XSS/CSRF/CORS protection (Next.js, Supabase)
+- Rate limiting on API routes
+- Use HTTPS in production
+- Store Together.ai API keys securely (never commit to repo)
 
-To learn more about Next.js, take a look at the following resources:
+---
 
-- [Next.js Documentation](https://nextjs.org/docs) - learn about Next.js features and API.
-- [Learn Next.js](https://nextjs.org/learn) - an interactive Next.js tutorial.
+## Contributing
 
-You can check out [the Next.js GitHub repository](https://github.com/vercel/next.js) - your feedback and contributions are welcome!
+- PRs welcome! Follow conventional commits and run lint/tests before submitting.
+- See `knowledge_base/tasks.md` for roadmap and features.
 
-## Deploy on Vercel
+---
 
-The easiest way to deploy your Next.js app is to use the [Vercel Platform](https://vercel.com/new?utm_medium=default-template&filter=next.js&utm_source=create-next-app&utm_campaign=create-next-app-readme) from the creators of Next.js.
+## License
 
-Check out our [Next.js deployment documentation](https://nextjs.org/docs/app/building-your-application/deploying) for more details.
+MIT. Not affiliated with OpenAI or ChatGPT. For educational/research use.

app/api/chat/route.ts

@@ -5,6 +5,11 @@ const together = new Together();
 
 type Message = CompletionCreateParams.Message;
 
+// Simple in-memory rate limiter (per IP, per minute)
+const rateLimitMap = new Map<string, { count: number, last: number }>()
+const RATE_LIMIT = 30 // requests
+const RATE_WINDOW = 60 * 1000 // 1 minute
+
 async function createChatCompletionWithFallback({ model, messages }: { model: string, messages: Message[] }) {
   try {
     return await together.chat.completions.create({
@@ -31,6 +36,20 @@ async function createChatCompletionWithFallback({ model, messages }: { model: st
 }
 
 export async function POST(request: Request) {
+  // Rate limiting
+  const ip = request.headers.get('x-forwarded-for') || 'unknown'
+  const now = Date.now()
+  const entry = rateLimitMap.get(ip) || { count: 0, last: now }
+  if (now - entry.last > RATE_WINDOW) {
+    entry.count = 0
+    entry.last = now
+  }
+  entry.count++
+  rateLimitMap.set(ip, entry)
+  if (entry.count > RATE_LIMIT) {
+    return new Response(JSON.stringify({ error: 'Too many requests' }), { status: 429, headers: { 'Content-Type': 'application/json' } })
+  }
+
   try {
     const { messages, model = "meta-llama/Meta-Llama-3.1-8B-Instruct-Turbo", attachments } = await request.json();
 

app/api/generate-image/route.ts

@@ -1,7 +1,26 @@
 import { NextRequest, NextResponse } from 'next/server'
 import { createClient } from '@supabase/supabase-js'
 
+// Simple in-memory rate limiter (per IP, per minute)
+const rateLimitMap = new Map<string, { count: number, last: number }>()
+const RATE_LIMIT = 10 // requests
+const RATE_WINDOW = 60 * 1000 // 1 minute
+
 export async function POST(req: NextRequest) {
+  // Rate limiting
+  const ip = req.headers.get('x-forwarded-for') || 'unknown'
+  const now = Date.now()
+  const entry = rateLimitMap.get(ip) || { count: 0, last: now }
+  if (now - entry.last > RATE_WINDOW) {
+    entry.count = 0
+    entry.last = now
+  }
+  entry.count++
+  rateLimitMap.set(ip, entry)
+  if (entry.count > RATE_LIMIT) {
+    return NextResponse.json({ error: 'Too many requests' }, { status: 429 })
+  }
+
   const { prompt } = await req.json()
   if (!prompt) return NextResponse.json({ error: 'Missing prompt' }, { status: 400 })
 

app/api/models/route.ts

@@ -2,14 +2,32 @@ let cachedModels: { name: string; description: string; price_per_million: number
 let cacheTimestamp = 0;
 const CACHE_TTL = 60 * 60 * 1000; // 60 minutes
 
-export async function GET() {
+// Simple in-memory rate limiter (per IP, per minute)
+const rateLimitMap = new Map<string, { count: number, last: number }>()
+const RATE_LIMIT = 30 // requests
+const RATE_WINDOW = 60 * 1000 // 1 minute
+
+export async function GET(request: Request) {
   const apiKey = process.env.TOGETHER_API_KEY;
 
   if (!apiKey) {
     return new Response(JSON.stringify({ error: 'Missing Together.AI API key' }), { status: 500 });
   }
 
-  const now = Date.now();
+  // Rate limiting
+  const ip = request.headers.get('x-forwarded-for') || 'unknown'
+  const now = Date.now()
+  const entry = rateLimitMap.get(ip) || { count: 0, last: now }
+  if (now - entry.last > RATE_WINDOW) {
+    entry.count = 0
+    entry.last = now
+  }
+  entry.count++
+  rateLimitMap.set(ip, entry)
+  if (entry.count > RATE_LIMIT) {
+    return new Response(JSON.stringify({ error: 'Too many requests' }), { status: 429, headers: { 'Content-Type': 'application/json' } })
+  }
+
   if (cachedModels && now - cacheTimestamp < CACHE_TTL) {
     return Response.json(cachedModels);
   }

app/api/user-settings/route.ts

@@ -26,7 +26,30 @@ async function getUserFromAuthHeader(req: NextRequest) {
   return user
 }
 
+// Simple in-memory rate limiter (per IP, per minute)
+const rateLimitMap = new Map<string, { count: number, last: number }>()
+const RATE_LIMIT = 30 // requests
+const RATE_WINDOW = 60 * 1000 // 1 minute
+
+function rateLimit(req: NextRequest) {
+  const ip = req.headers.get('x-forwarded-for') || 'unknown'
+  const now = Date.now()
+  const entry = rateLimitMap.get(ip) || { count: 0, last: now }
+  if (now - entry.last > RATE_WINDOW) {
+    entry.count = 0
+    entry.last = now
+  }
+  entry.count++
+  rateLimitMap.set(ip, entry)
+  if (entry.count > RATE_LIMIT) {
+    return NextResponse.json({ error: 'Too many requests' }, { status: 429 })
+  }
+  return null
+}
+
 export async function GET(req: NextRequest) {
+  const limit = rateLimit(req)
+  if (limit) return limit
   const user = await getUserFromAuthHeader(req)
   if (!user) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
   const supabase = getSupabaseAdmin()
@@ -44,6 +67,8 @@ export async function GET(req: NextRequest) {
 }
 
 export async function POST(req: NextRequest) {
+  const limit = rateLimit(req)
+  if (limit) return limit
   const user = await getUserFromAuthHeader(req)
   if (!user) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
   const body = await req.json()
@@ -62,6 +87,8 @@ export async function POST(req: NextRequest) {
 }
 
 export async function PATCH(req: NextRequest) {
+  const limit = rateLimit(req)
+  if (limit) return limit
   const user = await getUserFromAuthHeader(req)
   if (!user) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
   const body = await req.json()

integration/auth-flow.int.test.tsx

@@ -0,0 +1,60 @@
+import React from 'react'
+import { render, screen, fireEvent, waitFor } from '@testing-library/react'
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+import '@testing-library/jest-dom'
+
+// Mock next/navigation useRouter
+vi.mock('next/navigation', () => ({
+  useRouter: () => ({ push: vi.fn(), refresh: vi.fn() })
+}))
+
+// Import the sign-in form/component
+import { SignInForm } from '@/app/(auth)/sign-in/sign-in-form'
+
+// Integration test: auth flow
+
+vi.mock('@/lib/supabase/client', () => {
+  const signInWithPassword = vi.fn(async () => ({ data: { user: { id: 'user1', email: '[email protected]' } }, error: null }))
+  // Attach to global for test access
+  globalThis.__signInWithPassword = signInWithPassword
+  return {
+    createSupabaseClient: () => ({
+      auth: { signInWithPassword },
+    }),
+    supabase: {
+      auth: { signInWithPassword },
+    },
+    __esModule: true,
+  }
+})
+
+declare global {
+  // eslint-disable-next-line no-var
+  var __signInWithPassword: ReturnType<typeof vi.fn>
+}
+
+describe('Auth Integration Flow', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+
+  it('should sign in with email and password and show authenticated UI', async () => {
+    render(<SignInForm />)
+    const emailInput = screen.getByLabelText(/email/i)
+    const passwordInput = screen.getByLabelText(/password/i)
+    const submitBtn = screen.getByRole('button', { name: /sign in/i })
+
+    fireEvent.change(emailInput, { target: { value: '[email protected]' } })
+    fireEvent.change(passwordInput, { target: { value: 'hunter2' } })
+    fireEvent.click(submitBtn)
+
+    await waitFor(() => expect(globalThis.__signInWithPassword).toHaveBeenCalledWith({
+      email: '[email protected]',
+      password: 'hunter2',
+    }))
+
+    // Should show some authenticated UI state (e.g., success message, redirect, etc.)
+    // Adjust this assertion to match your actual UI
+    expect(screen.queryByText(/invalid/i)).not.toBeInTheDocument()
+  })
+})