Refactor code structure and remove redundant changes

src-old/lib/securityValidation.ts

@@ -0,0 +1,92 @@
+import { z } from 'zod';
+import type { SecurityOperation } from '@/types/auth';
+import type { UserRole } from '@/hooks/useUserRole';
+
+/**
+ * Validation schemas for security operations
+ */
+
+export const sessionRevocationSchema = z.object({
+  sessionId: z.string().uuid('Invalid session ID'),
+  requiresConfirmation: z.boolean().default(true),
+});
+
+export const identityOperationSchema = z.object({
+  provider: z.enum(['google', 'discord']),
+  redirectTo: z.string().url().optional(),
+});
+
+export const mfaOperationSchema = z.object({
+  factorId: z.string().uuid('Invalid factor ID').optional(),
+  code: z.string().length(6, 'Code must be 6 digits').regex(/^\d+$/, 'Code must be numeric').optional(),
+});
+
+export const passwordChangeSchema = z.object({
+  currentPassword: z.string().min(1, 'Current password required'),
+  newPassword: z.string()
+    .min(8, 'Must be at least 8 characters')
+    .max(128, 'Must be less than 128 characters')
+    .regex(/[A-Z]/, 'Must contain uppercase letter')
+    .regex(/[a-z]/, 'Must contain lowercase letter')
+    .regex(/[0-9]/, 'Must contain number')
+    .regex(/[^A-Za-z0-9]/, 'Must contain special character'),
+  confirmPassword: z.string(),
+  captchaToken: z.string().min(1, 'CAPTCHA verification required'),
+}).refine(data => data.newPassword === data.confirmPassword, {
+  message: "Passwords don't match",
+  path: ["confirmPassword"]
+});
+
+/**
+ * Determines if an operation requires CAPTCHA verification
+ */
+export function requiresCaptcha(operation: SecurityOperation): boolean {
+  const captchaOperations: SecurityOperation[] = [
+    'password_change',
+    'identity_disconnect',
+    'mfa_unenroll'
+  ];
+  return captchaOperations.includes(operation);
+}
+
+/**
+ * Determines if an operation requires MFA verification for the user's role
+ */
+export function requiresMFA(
+  operation: SecurityOperation,
+  userRoles: UserRole[]
+): boolean {
+  const privilegedRoles: UserRole[] = ['moderator', 'admin', 'superuser'];
+  const hasPrivilegedRole = userRoles.some(role => privilegedRoles.includes(role));
+  
+  if (!hasPrivilegedRole) return false;
+  
+  // MFA required for these operations if user is privileged
+  const mfaOperations: SecurityOperation[] = [
+    'password_change',
+    'session_revoke',
+    'mfa_unenroll'
+  ];
+  
+  return mfaOperations.includes(operation);
+}
+
+/**
+ * Get rate limit parameters for a security operation
+ */
+export function getRateLimitParams(operation: SecurityOperation): {
+  action: string;
+  maxAttempts: number;
+  windowMinutes: number;
+} {
+  const limits: Record<SecurityOperation, { action: string; maxAttempts: number; windowMinutes: number }> = {
+    password_change: { action: 'password_change', maxAttempts: 3, windowMinutes: 60 },
+    identity_disconnect: { action: 'identity_disconnect', maxAttempts: 3, windowMinutes: 60 },
+    identity_connect: { action: 'identity_connect', maxAttempts: 5, windowMinutes: 60 },
+    session_revoke: { action: 'session_revoke', maxAttempts: 10, windowMinutes: 60 },
+    mfa_enroll: { action: 'mfa_enroll', maxAttempts: 3, windowMinutes: 60 },
+    mfa_unenroll: { action: 'mfa_unenroll', maxAttempts: 2, windowMinutes: 1440 }, // Phase 4: 2 per day
+  };
+  
+  return limits[operation] || { action: operation, maxAttempts: 5, windowMinutes: 60 };
+}