up deps and improve login

src/app/components/Account/AccountCard.tsx

@@ -255,7 +255,7 @@ export const AccountCard = ({ characters, isCollapsed: propIsCollapsed }: { char
         const newIds = ids.filter(id => !valid.includes(id));
         return [...valid, ...newIds];
       }
-    } catch {}
+    } catch (_) { /* ignore corrupt localStorage */ }
     return characters.map(c => c.character.characterId);
   });
 
@@ -278,7 +278,7 @@ export const AccountCard = ({ characters, isCollapsed: propIsCollapsed }: { char
     try {
       const saved = localStorage.getItem(`collapsedCharacters-${accountName}`);
       if (saved) return new Set<number>(JSON.parse(saved));
-    } catch {}
+    } catch (_) { /* ignore corrupt localStorage */ }
     return new Set<number>();
   });
 

src/app/components/Login/LoginDialog.tsx

@@ -19,7 +19,6 @@ export const LoginDialog = ({
     DEFAULT_SCOPES_TO_SELECT
   );
   const [ssoUrl, setSsoUrl] = useState<string | undefined>(undefined);
-  const [loginUrl, setLoginUrl] = useState<string | undefined>(undefined);
 
   const { EVE_SSO_CLIENT_ID, EVE_SSO_CALLBACK_URL } =
     useContext(SessionContext);
@@ -30,15 +29,6 @@ export const LoginDialog = ({
     });
   }, []);
 
-  useEffect(() => {
-    if (!ssoUrl || selectedScopes.length === 0) return;
-    loginParameters(
-      selectedScopes,
-      EVE_SSO_CLIENT_ID,
-      EVE_SSO_CALLBACK_URL
-    ).then((res) => setLoginUrl(ssoUrl + "?" + res));
-  }, [selectedScopes, ssoUrl, EVE_SSO_CLIENT_ID, EVE_SSO_CALLBACK_URL]);
-
   return (
     <Dialog open={open} onClose={closeDialog}>
       <DialogTitle>Select scopes to login with</DialogTitle>
@@ -59,8 +49,11 @@ export const LoginDialog = ({
       <DialogActions>
         <Button
           variant="contained"
+          disabled={!ssoUrl || selectedScopes.length === 0}
           onClick={() => {
-            window.open(loginUrl, "_self");
+            if (!ssoUrl) return;
+            const params = loginParameters(selectedScopes, EVE_SSO_CLIENT_ID, EVE_SSO_CALLBACK_URL);
+            window.open(ssoUrl + "?" + params, "_self");
           }}
         >
           Login

src/app/page.tsx

@@ -3,7 +3,7 @@ import "@fontsource/roboto/300.css";
 import "@fontsource/roboto/400.css";
 import "@fontsource/roboto/500.css";
 import "@fontsource/roboto/700.css";
-import { memo, useCallback, useEffect, useState, Suspense } from "react";
+import { memo, useCallback, useEffect, useRef, useState, Suspense } from "react";
 import { AccessToken, CharacterUpdate, Env, PlanetWithInfo } from "../types";
 import { MainGrid } from "./components/MainGrid";
 import { refreshToken } from "@/esi-sso";
@@ -37,6 +37,7 @@ const processInBatches = async <T, R>(
 
 const Home = () => {
   const searchParams = useSearchParams();
+  const callbackHandled = useRef(false);
   const [characters, setCharacters] = useState<AccessToken[]>([]);
   const [sessionReady, setSessionReady] = useState(false);
   const [environment, setEnvironment] = useState<Env | undefined>(undefined);
@@ -93,7 +94,16 @@ const Home = () => {
     characters: AccessToken[],
   ): Promise<AccessToken[]> => {
     const code = searchParams?.get("code");
-    if (code) {
+    const returnedState = searchParams?.get("state");
+    if (code && !callbackHandled.current) {
+      callbackHandled.current = true;
+      const expectedState = localStorage.getItem("oauth_state");
+      localStorage.removeItem("oauth_state");
+      if (!expectedState || returnedState !== expectedState) {
+        console.error("OAuth state mismatch — possible CSRF attack");
+        window.history.replaceState(null, "", "/");
+        return Promise.resolve(characters);
+      }
       window.history.replaceState(null, "", "/");
       const res = await fetch(`api/token?code=${code}`);
       const newCharacter: AccessToken = await res.json();

src/esi-sso.ts

@@ -37,17 +37,19 @@ export const revokeToken = async (
   });
 };
 
-export const loginParameters = async (
+export const loginParameters = (
   selectedScopes: string[],
   EVE_SSO_CLIENT_ID: string,
   EVE_SSO_CALLBACK_URL: string,
 ) => {
+  const state = crypto.randomUUID();
+  localStorage.setItem("oauth_state", state);
   return new URLSearchParams({
     response_type: "code",
     redirect_uri: EVE_SSO_CALLBACK_URL,
     client_id: EVE_SSO_CLIENT_ID,
     scope: selectedScopes.join(" "),
-    state: "asfe",
+    state,
   }).toString();
 };
 

src/pages/api/praisal.ts

@@ -9,11 +9,25 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
     });
 
     try {
-      const praisalRequest: { quantity: number; type_id: number }[] = JSON.parse(
+      const parsed = JSON.parse(req.body);
-        req.body
+
+      if (!Array.isArray(parsed)) {
+        return res.status(400).json({ error: 'Invalid input' });
+      }
+
+      const praisalRequest: { quantity: number; type_id: number }[] = parsed.filter(
+        (item): item is { quantity: number; type_id: number } =>
+          item !== null &&
+          typeof item === 'object' &&
+          typeof item.quantity === 'number' &&
+          Number.isFinite(item.quantity) &&
+          item.quantity >= 0 &&
+          typeof item.type_id === 'number' &&
+          Number.isInteger(item.type_id) &&
+          item.type_id > 0
       );
 
-      logger.info({ 
+      logger.info({
         event: 'praisal_request_parsed',
         items: praisalRequest.length
       });
@@ -27,10 +41,9 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
 
       return res.json(praisal);
     } catch (e) {
-      logger.error({ 
+      logger.error({
         event: 'praisal_request_failed',
         error: e,
-        body: req.body
       });
       return res.status(500).json({ error: 'Failed to get praisal' });
     }

src/pages/api/token.ts

@@ -20,9 +20,8 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
       return res.status(404).end();
     }
 
-    logger.info({ 
+    logger.info({
       event: 'token_request_start',
-      code: code
     });
 
     const params = new URLSearchParams({
@@ -88,11 +87,10 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
       };
       return res.json(token);
     } catch (e) {
-      logger.error({ 
+      logger.error({
         event: 'token_request_failed',
         reason: 'api_error',
         error: e,
-        code: code
       });
       return res.status(500).end();
     }

src/planets.ts

@@ -31,6 +31,7 @@ const CACHE_DURATION_MS = 60_000; // 1 minute
 const CACHE_STORAGE_KEY = "planet_cache";
 
 const loadCacheFromStorage = (): Map<string, CachedPlanetData> => {
+  if (typeof window === "undefined") return new Map();
   try {
     const stored = localStorage.getItem(CACHE_STORAGE_KEY);
     if (stored) {
@@ -44,6 +45,7 @@ const loadCacheFromStorage = (): Map<string, CachedPlanetData> => {
 };
 
 const saveCacheToStorage = (cache: Map<string, CachedPlanetData>) => {
+  if (typeof window === "undefined") return;
   try {
     const obj = Object.fromEntries(cache);
     localStorage.setItem(CACHE_STORAGE_KEY, JSON.stringify(obj));