letsbe
/
monacousa-portal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Implement complete feature & security overhaul (21 items, 3 phases)
Build and Push Docker Images / build-portal (push) Successful in 2m1s Details
Build and Push Docker Images / build-infra (docker/db, monacousa-db) (push) Successful in 1m17s Details
Build and Push Docker Images / build-infra (docker/kong, monacousa-kong) (push) Successful in 24s Details
Build and Push Docker Images / build-infra (docker/migrate, monacousa-migrate) (push) Successful in 1m0s Details 

Phase 1 - Security & Data Integrity:
- Atomic member ID generation via PostgreSQL sequence (018)
- Rate limiting on signup, input sanitization (XSS prevention)
- Onboarding photo upload, document upload validation (magic bytes, MIME, size)
- RLS fix for admin role assignment without self-escalation (019)
- Email notification preferences enforcement
- Audit logging across all admin/board mutation actions
- CSV export for membership, payments, and events reports
- Member approval workflow with email notifications (020)

Phase 2 - Functionality & Monitoring:
- Directory privacy settings (022) with board-level filtering
- Document full-text search with PostgreSQL tsvector/GIN index (023)
- Cron job monitoring dashboard with manual trigger (024)
- Settings audit log tab
- Bulk email broadcast with recipient filtering and personalization (025)

Phase 3 - Feature Completeness:
- Event type filtering on events page
- RSVP deadline control for event organizers (021)

Also includes Kong CORS configuration fix.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Matt 2026-02-10 18:03:46 +01:00
parent fa99cda157
commit 5ff9f950a1
47 changed files with 2857 additions and 177 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
package-lock.json generated
View File

@ -8,29 +8,31 @@
"name": "monacousa-portal-2026",
"version": "0.0.1",
"dependencies": {
"@aws-sdk/client-s3": "^3.700.0",
"@aws-sdk/s3-request-presigner": "^3.700.0",
"@aws-sdk/client-s3": "^3.971.0",
"@aws-sdk/s3-request-presigner": "^3.971.0",
"@internationalized/date": "^3.7.0",
"@supabase/ssr": "^0.8.0",
"@supabase/supabase-js": "^2.90.1",
"@sveltejs/adapter-node": "^5.5.1",
"flag-icons": "^7.4.0",
"nodemailer": "^6.9.0"
"libphonenumber-js": "^1.12.8",
"nodemailer": "^6.10.0"
},
"devDependencies": {
"@sveltejs/adapter-auto": "^7.0.0",
"@sveltejs/kit": "^2.49.1",
"@sveltejs/kit": "^2.50.0",
"@sveltejs/vite-plugin-svelte": "^6.2.1",
"@tailwindcss/vite": "^4.1.18",
"bits-ui": "^2.15.4",
"clsx": "^2.1.1",
"lucide-svelte": "^0.562.0",
"svelte": "^5.45.6",
"svelte": "^5.47.0",
"svelte-check": "^4.3.4",
"tailwind-merge": "^3.4.0",
"tailwind-variants": "^3.2.2",
"tailwindcss": "^4.1.18",
"typescript": "^5.9.3",
"vite": "^7.2.6"
"vite": "^7.3.1"
}
},
"node_modules/@aws-crypto/crc32": {
@ -1514,9 +1516,7 @@
"version": "3.10.1",
"resolved": "https://registry.npmjs.org/@internationalized/date/-/date-3.10.1.tgz",
"integrity": "sha512-oJrXtQiAXLvT9clCf1K4kxp3eKsQhIaZqxEyowkBcsvZDdZkbWrVmnGknxs5flTD0VGsxrxKgBCZty1EzoiMzA==",
"dev": true,
"license": "Apache-2.0",
"peer": true,
"dependencies": {
"@swc/helpers": "^0.5.0"
}
@ -2945,9 +2945,7 @@
"version": "0.5.18",
"resolved": "https://registry.npmjs.org/@swc/helpers/-/helpers-0.5.18.tgz",
"integrity": "sha512-TXTnIcNJQEKwThMMqBXsZ4VGAza6bvN4pa41Rkqoio6QBKMvo+5lexeTMScGCIxtzgQJzElcvIltani+adC5PQ==",
"dev": true,
"license": "Apache-2.0",
"peer": true,
"dependencies": {
"tslib": "^2.8.0"
}
@ -3630,6 +3628,12 @@
"node": ">=6"
}
},
"node_modules/libphonenumber-js": {
"version": "1.12.36",
"resolved": "https://registry.npmjs.org/libphonenumber-js/-/libphonenumber-js-1.12.36.tgz",
"integrity": "sha512-woWhKMAVx1fzzUnMCyOzglgSgf6/AFHLASdOBcchYCyvWSGWt12imw3iu2hdI5d4dGZRsNWAmWiz37sDKUPaRQ==",
"license": "MIT"
},
"node_modules/lightningcss": {
"version": "1.30.2",
"resolved": "https://registry.npmjs.org/lightningcss/-/lightningcss-1.30.2.tgz",

8
src/lib/components/layout/Sidebar.svelte
View File

@ -15,7 +15,10 @@
FolderOpen,
DollarSign,
CalendarPlus,
Bell
Bell,
UserCheck,
Timer,
Send
} from 'lucide-svelte';
import type { MemberWithDues } from '$lib/types/database';
@ -49,6 +52,7 @@
const boardNav: NavItem[] = [
{ href: '/board/members', label: 'Members', icon: Users },
{ href: '/board/approvals', label: 'Approvals', icon: UserCheck },
{ href: '/board/dues', label: 'Dues Management', icon: DollarSign },
{ href: '/board/events', label: 'Manage Events', icon: CalendarPlus },
{ href: '/board/documents', label: 'Documents', icon: FileText }
@ -57,6 +61,8 @@
const adminNav: NavItem[] = [
{ href: '/admin/members', label: 'User Management', icon: Shield },
{ href: '/admin/notifications', label: 'Notifications', icon: Bell },
{ href: '/admin/bulk-email', label: 'Bulk Email', icon: Send },
{ href: '/admin/cron-monitoring', label: 'Cron Jobs', icon: Timer },
{ href: '/admin/settings', label: 'Settings', icon: Settings }
];

40
src/lib/server/csv.ts Normal file
View File

@ -0,0 +1,40 @@
/**
* CSV generation utilities for board reports.
*/
/**
* Escape a CSV field value.
* Wraps in quotes if the value contains commas, quotes, or newlines.
*/
export function escapeCSVField(value: unknown): string {
if (value === null || value === undefined) return '';
const str = String(value);
if (str.includes(',') || str.includes('"') || str.includes('\n') || str.includes('\r')) {
return '"' + str.replace(/"/g, '""') + '"';
}
return str;
}
/**
* Convert an array of objects to CSV string.
*/
export function arrayToCSV(
data: Record<string, unknown>[],
columns: { key: string; header: string }[]
): string {
const header = columns.map((c) => escapeCSVField(c.header)).join(',');
const rows = data.map((row) => columns.map((c) => escapeCSVField(row[c.key])).join(','));
return '\ufeff' + header + '\n' + rows.join('\n');
}
/**
* Create a CSV Response with proper headers for browser download.
*/
export function csvResponse(csvContent: string, filename: string): Response {
return new Response(csvContent, {
headers: {
'Content-Type': 'text/csv; charset=utf-8',
'Content-Disposition': `attachment; filename="${filename}"`
}
});
}

59
src/lib/server/dues.ts
View File

@ -5,6 +5,8 @@
import { supabaseAdmin } from './supabase';
import { sendTemplatedEmail } from './email';
import { sendWithPreferenceCheck } from './notification-preferences';
import { logAudit } from './audit';
import type { MemberWithDues } from '$lib/types/database';
// ============================================
@ -245,15 +247,17 @@ export async function sendDuesReminder(
portal_url: `${baseUrl}/payments`
};
// Send email
const result = await sendTemplatedEmail(templateKey, member.email, variables, {
recipientId: member.id,
recipientName: `${member.first_name} ${member.last_name}`,
baseUrl
});
// Send email (respecting notification preferences)
const result = await sendWithPreferenceCheck(member.id, 'dues_reminder', () =>
sendTemplatedEmail(templateKey, member.email, variables, {
recipientId: member.id,
recipientName: `${member.first_name} ${member.last_name}`,
baseUrl
})
);
if (!result.success) {
return { success: false, error: result.error };
return { success: false, error: 'error' in result ? result.error : undefined };
}
// Log the reminder
@ -321,6 +325,19 @@ export async function sendBulkReminders(
}
}
if (result.sent > 0) {
logAudit({
action: 'email.send',
resourceType: 'dues_reminder',
details: {
reminder_type: reminderType,
total_sent: result.sent,
total_errors: result.errors.length,
bulk_operation: true
}
});
}
return result;
}
@ -384,6 +401,18 @@ export async function processGracePeriodExpirations(
});
}
if (processed.length > 0) {
logAudit({
action: 'member.status_change',
resourceType: 'member',
details: {
operation: 'grace_period_expiration',
members_inactivated: processed.length,
member_ids: processed.map(m => m.id)
}
});
}
return { processed: processed.length, members: processed };
}
@ -788,15 +817,17 @@ export async function sendOnboardingReminder(
portal_url: `${baseUrl}/payments`
};
// Send email
const result = await sendTemplatedEmail(reminderType, member.email, variables, {
recipientId: member.id,
recipientName: `${member.first_name} ${member.last_name}`,
baseUrl
});
// Send email (respecting notification preferences)
const result = await sendWithPreferenceCheck(member.id, 'dues_reminder', () =>
sendTemplatedEmail(reminderType, member.email, variables, {
recipientId: member.id,
recipientName: `${member.first_name} ${member.last_name}`,
baseUrl
})
);
if (!result.success) {
return { success: false, error: result.error };
return { success: false, error: 'error' in result ? result.error : undefined };
}
// Log the reminder

14
src/lib/server/email.ts
View File

@ -1,6 +1,7 @@
import nodemailer from 'nodemailer';
import type { Transporter } from 'nodemailer';
import { supabaseAdmin } from './supabase';
import { escapeHtml } from './sanitize';
export interface SmtpConfig {
host: string;
@ -405,19 +406,6 @@ export function wrapInMonacoTemplate(options: {
</html>`;
}
/**
* Escape HTML special characters to prevent XSS in email templates.
* Used to sanitize user-provided content before template substitution.
*/
export function escapeHtml(str: string): string {
return str
.replace(/&/g, '&amp;')
.replace(/</g, '&lt;')
.replace(/>/g, '&gt;')
.replace(/"/g, '&quot;')
.replace(/'/g, '&#39;');
}
/**
* Strip HTML tags from a string to create plain text version
*/

17
src/lib/server/event-reminders.ts
View File

@ -5,6 +5,7 @@
import { supabaseAdmin } from './supabase';
import { sendTemplatedEmail } from './email';
import { sendWithPreferenceCheck } from './notification-preferences';
// ============================================
// TYPES
@ -212,15 +213,17 @@ export async function sendEventReminder(
portal_url: `${baseUrl}/events/${reminder.event_id}`
};
// Send email
const result = await sendTemplatedEmail('event_reminder_24hr', reminder.email, variables, {
recipientId: reminder.member_id,
recipientName: `${reminder.first_name} ${reminder.last_name}`,
baseUrl
});
// Send email (respecting notification preferences)
const result = await sendWithPreferenceCheck(reminder.member_id, 'event_reminder', () =>
sendTemplatedEmail('event_reminder_24hr', reminder.email, variables, {
recipientId: reminder.member_id,
recipientName: `${reminder.first_name} ${reminder.last_name}`,
baseUrl
})
);
if (!result.success) {
return { success: false, error: result.error };
return { success: false, error: 'error' in result ? result.error : undefined };
}
// Log the reminder

19
src/lib/server/member-profile.ts
View File

@ -6,6 +6,7 @@
import { uploadAvatar, deleteAvatar, isS3Enabled } from '$lib/server/storage';
import { supabaseAdmin } from '$lib/server/supabase';
import type { SupabaseClient } from '@supabase/supabase-js';
import { sanitizeText } from '$lib/server/sanitize';
// ────────────────────────────────────────────────────────────────
// Types
@ -247,21 +248,27 @@ export async function handleProfileUpdate(
}
}
// Sanitize text fields before storage
const firstName = sanitizeText(data.first_name, 100);
const lastName = sanitizeText(data.last_name, 100);
const phone = data.phone ? sanitizeText(data.phone, 50) : data.phone;
const address = data.address ? sanitizeText(data.address, 500) : data.address;
// Build the update payload
const updatePayload: Record<string, unknown> = {
first_name: data.first_name,
last_name: data.last_name,
first_name: firstName,
last_name: lastName,
nationality: data.nationality || [],
updated_at: new Date().toISOString()
};
// Only include optional fields if provided or if they are required
if (requireAllFields) {
updatePayload.phone = data.phone;
updatePayload.address = data.address;
updatePayload.phone = phone;
updatePayload.address = address;
} else {
updatePayload.phone = data.phone || null;
updatePayload.address = data.address || null;
updatePayload.phone = phone || null;
updatePayload.address = address || null;
}
const client = useAdmin ? supabaseAdmin : options?.supabase;

99
src/lib/server/notification-preferences.ts Normal file
View File

@ -0,0 +1,99 @@
import { supabaseAdmin } from './supabase';
/**
* Notification types that map to user_notification_preferences columns.
* The column names follow the pattern: email_{notification_type}
*/
export type NotificationType =
| 'event_rsvp_confirmation'
| 'event_reminder'
| 'event_updates'
| 'waitlist_promotion'
| 'dues_reminder'
| 'payment_confirmation'
| 'membership_updates'
| 'announcements'
| 'newsletter';
/** Map from notification type to the corresponding column in user_notification_preferences */
const COLUMN_MAP: Record<NotificationType, string> = {
event_rsvp_confirmation: 'email_event_rsvp_confirmation',
event_reminder: 'email_event_reminder',
event_updates: 'email_event_updates',
waitlist_promotion: 'email_waitlist_promotion',
dues_reminder: 'email_dues_reminder',
payment_confirmation: 'email_payment_confirmation',
membership_updates: 'email_membership_updates',
announcements: 'email_announcements',
newsletter: 'email_newsletter'
};
/** Critical notification types that are ALWAYS sent regardless of preferences */
const CRITICAL_TYPES = new Set([
'password_reset',
'account_verification',
'member_approved',
'member_rejected',
'welcome'
]);
/**
* Check if a member has email notifications enabled for a given type.
* Returns true if enabled or if no preference record exists (opt-out model).
* Always returns true for critical notification types.
*/
export async function hasEmailNotificationEnabled(
memberId: string,
notificationType: string
): Promise<boolean> {
// Critical notifications always go through
if (CRITICAL_TYPES.has(notificationType)) {
return true;
}
// Look up the column name for this notification type
const column = COLUMN_MAP[notificationType as NotificationType];
if (!column) {
// Unknown type - default to sending
return true;
}
try {
const { data } = await supabaseAdmin
.from('user_notification_preferences')
.select(column)
.eq('member_id', memberId)
.single();
// If no preference exists, default to enabled (opt-out model)
if (!data) return true;
return (data as Record<string, boolean>)[column] !== false;
} catch {
// On error, default to sending (fail open for notifications)
return true;
}
}
/**
* Send email only if user's notification preferences allow it.
* Wraps any email sending function with a preference check.
*
* @param memberId - The member to check preferences for
* @param notificationType - The type of notification
* @param sendFn - The function to call to send the email
* @returns The result of sendFn, or { success: true, skipped: true } if preferences disabled
*/
export async function sendWithPreferenceCheck<T extends { success: boolean }>(
memberId: string,
notificationType: string,
sendFn: () => Promise<T>
): Promise<T | { success: true; skipped: true }> {
const enabled = await hasEmailNotificationEnabled(memberId, notificationType);
if (!enabled) {
return { success: true, skipped: true };
}
return sendFn();
}

30
src/lib/server/registration.ts
View File

@ -37,7 +37,7 @@ export interface CreateMemberResult {
*
* Handles:
* - Looking up the default/pending membership status and type
* - Generating a sequential MUSA-YYYY-XXXX member ID
* - Member ID auto-generated by database trigger (atomic sequence)
* - Inserting the member record
*
* @param data Core registration data.
@ -50,11 +50,10 @@ export async function createMemberRecord(
options?: {
/** Look up status by name instead of is_default. Defaults to undefined (uses is_default). */
statusName?: string;
/** Whether to generate a MUSA-YYYY-XXXX member ID. Defaults to true. */
/** @deprecated Member ID now auto-generated by database trigger. */
generateMemberId?: boolean;
}
): Promise<CreateMemberResult> {
const generateMemberId = options?.generateMemberId ?? true;
const statusName = options?.statusName;
// Look up the membership status
@ -92,17 +91,8 @@ export async function createMemberRecord(
return { success: false, error: 'System configuration error. Please contact support.' };
}
// Generate member ID if requested
let memberId: string | undefined;
if (generateMemberId) {
const year = new Date().getFullYear();
const { count } = await supabase
.from('members')
.select('*', { count: 'exact', head: true });
const memberNumber = String((count || 0) + 1).padStart(4, '0');
memberId = `MUSA-${year}-${memberNumber}`;
}
// Member ID will be auto-generated by database trigger (generate_member_id)
// See migration 018_atomic_member_id_generation.sql
// Create the member profile
const insertPayload: Record<string, unknown> = {
@ -119,18 +109,20 @@ export async function createMemberRecord(
membership_type_id: typeData.id
};
if (memberId) {
insertPayload.member_id = memberId;
}
// member_id is auto-generated by trigger, no need to set it
const { error: memberError } = await supabase.from('members').insert(insertPayload);
const { error: memberError, data: insertedMember } = await supabase
.from('members')
.insert(insertPayload)
.select('member_id')
.single();
if (memberError) {
console.error('Failed to create member profile:', memberError);
return { success: false, error: 'Failed to create member profile. Please try again or contact support.' };
}
return { success: true, memberId };
return { success: true, memberId: insertedMember?.member_id };
}
/**

61
src/lib/server/sanitize.ts Normal file
View File

@ -0,0 +1,61 @@
/**
* Centralized input sanitization utilities for preventing XSS attacks.
* Used at server-side input boundaries before storing or rendering user content.
*/
/**
* Escape HTML special characters to prevent XSS.
* Use for plain text fields that should never contain HTML.
*/
export function escapeHtml(str: string): string {
return str
.replace(/&/g, '&amp;')
.replace(/</g, '&lt;')
.replace(/>/g, '&gt;')
.replace(/"/g, '&quot;')
.replace(/'/g, '&#39;');
}
/**
* Sanitize rich text by stripping dangerous HTML tags while preserving safe formatting.
* Allows: p, br, strong, em, ul, ol, li, h1-h6, a (with href only), blockquote, code, pre
* Strips: script, style, iframe, object, embed, form, input, on* attributes
*/
export function sanitizeRichText(html: string): string {
// Remove script tags and their contents
let cleaned = html.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '');
// Remove style tags and their contents
cleaned = cleaned.replace(/<style\b[^<]*(?:(?!<\/style>)<[^<]*)*<\/style>/gi, '');
// Remove iframe, object, embed, form, input tags
cleaned = cleaned.replace(/<\/?(?:iframe|object|embed|form|input|textarea|select|button)\b[^>]*>/gi, '');
// Remove all on* event handlers (onclick, onerror, onload, etc.)
cleaned = cleaned.replace(/\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]*)/gi, '');
// Remove javascript: protocol from href/src attributes
cleaned = cleaned.replace(/(href|src|action)\s*=\s*(?:"javascript:[^"]*"|'javascript:[^']*')/gi, '$1=""');
// Remove data: protocol (except data:image for inline images)
cleaned = cleaned.replace(/(href|src|action)\s*=\s*(?:"data:(?!image)[^"]*"|'data:(?!image)[^']*')/gi, '$1=""');
return cleaned;
}
/**
* Sanitize a URL to prevent javascript: and data: protocol injection.
* Returns the URL if safe, or empty string if potentially malicious.
*/
export function sanitizeUrl(url: string): string {
const trimmed = url.trim();
// Block javascript: protocol (case-insensitive, handles whitespace/encoding tricks)
if (/^\s*javascript\s*:/i.test(trimmed)) return '';
// Block data: protocol (except data:image)
if (/^\s*data\s*:(?!image\/)/i.test(trimmed)) return '';
// Block vbscript: protocol
if (/^\s*vbscript\s*:/i.test(trimmed)) return '';
return trimmed;
}
/**
* Sanitize a plain text string for safe storage.
* Trims whitespace and limits length.
*/
export function sanitizeText(str: string, maxLength: number = 10000): string {
return str.trim().substring(0, maxLength);
}

65
src/lib/server/storage.ts
View File

@ -28,6 +28,62 @@ const MAGIC_BYTES: Record<string, { offset: number; bytes: number[] }[]> = {
]
};
/**
* MIME type to expected file extensions mapping.
* Used to validate that file content matches the declared extension.
*/
const MIME_TO_EXTENSIONS: Record<string, string[]> = {
'application/pdf': ['pdf'],
'application/msword': ['doc'],
'application/vnd.openxmlformats-officedocument.wordprocessingml.document': ['docx'],
'application/vnd.ms-excel': ['xls'],
'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet': ['xlsx'],
'application/vnd.ms-powerpoint': ['ppt'],
'application/vnd.openxmlformats-officedocument.presentationml.presentation': ['pptx'],
'text/plain': ['txt', 'text', 'log'],
'text/csv': ['csv'],
'application/json': ['json'],
'image/jpeg': ['jpg', 'jpeg'],
'image/png': ['png'],
'image/webp': ['webp'],
'image/gif': ['gif']
};
/**
* Sanitize a filename to prevent path traversal and other attacks.
* Removes directory separators, null bytes, and other dangerous characters.
*/
export function sanitizeFilename(filename: string): string {
return filename
// Remove null bytes
.replace(/\0/g, '')
// Remove directory separators
.replace(/[\/\\]/g, '_')
// Remove leading dots (hidden files / directory traversal)
.replace(/^\.+/, '')
// Replace non-safe characters
.replace(/[^a-zA-Z0-9._-]/g, '_')
// Collapse multiple underscores
.replace(/_+/g, '_')
// Limit length
.substring(0, 255)
// Ensure not empty
|| 'unnamed_file';
}
/**
* Validate that file extension matches the declared MIME type.
*/
export function validateExtensionMatchesMime(filename: string, mimeType: string): boolean {
const ext = filename.split('.').pop()?.toLowerCase();
if (!ext) return false;
const allowedExtensions = MIME_TO_EXTENSIONS[mimeType];
if (!allowedExtensions) return true; // Unknown MIME type - allow
return allowedExtensions.includes(ext);
}
/**
* Validate that a file's magic bytes match the declared MIME type.
* Returns true if the magic bytes match, or if the type has no known magic byte signature
@ -594,7 +650,7 @@ export async function listFiles(
export function generateUniqueFilename(originalName: string): string {
const timestamp = Date.now();
const randomStr = Math.random().toString(36).substring(2, 8);
const safeName = originalName.replace(/[^a-zA-Z0-9.-]/g, '_').substring(0, 50);
const safeName = sanitizeFilename(originalName).substring(0, 50);
const ext = safeName.split('.').pop() || '';
const nameWithoutExt = safeName.replace(`.${ext}`, '');
return `${timestamp}-${randomStr}-${nameWithoutExt}.${ext}`;
@ -792,6 +848,11 @@ export async function uploadDocument(
};
}
// Validate file extension matches declared MIME type
if (!validateExtensionMatchesMime(file.name, file.type)) {
return { success: false, error: 'File extension does not match file type. Please ensure the file has the correct extension.' };
}
// Validate file size (max 50MB)
const maxSize = 50 * 1024 * 1024;
if (file.size > maxSize) {
@ -801,7 +862,7 @@ export async function uploadDocument(
// Generate unique storage path
const timestamp = Date.now();
const randomStr = Math.random().toString(36).substring(2, 8);
const safeName = file.name.replace(/[^a-zA-Z0-9.-]/g, '_').substring(0, 50);
const safeName = sanitizeFilename(file.name).substring(0, 50);
const path = options?.folder ? `${options.folder}/${timestamp}-${randomStr}-${safeName}` : `${timestamp}-${randomStr}-${safeName}`;
// Convert to ArrayBuffer

3
src/lib/types/database.ts
View File

@ -25,6 +25,7 @@ export type Database = {
member_since: string;
avatar_url: string | null;
notes: string | null;
directory_privacy: { show_email: boolean; show_phone: boolean; show_address: boolean; show_nationality: boolean } | null;
created_at: string;
updated_at: string;
};
@ -44,6 +45,7 @@ export type Database = {
member_since?: string;
avatar_url?: string | null;
notes?: string | null;
directory_privacy?: { show_email: boolean; show_phone: boolean; show_address: boolean; show_nationality: boolean } | null;
created_at?: string;
updated_at?: string;
};
@ -63,6 +65,7 @@ export type Database = {
member_since?: string;
avatar_url?: string | null;
notes?: string | null;
directory_privacy?: { show_email: boolean; show_phone: boolean; show_address: boolean; show_nationality: boolean } | null;
created_at?: string;
updated_at?: string;
};

170
src/routes/(app)/admin/bulk-email/+page.server.ts Normal file
View File

@ -0,0 +1,170 @@
import { fail } from '@sveltejs/kit';
import type { Actions, PageServerLoad } from './$types';
import { supabaseAdmin } from '$lib/server/supabase';
import { sendEmail, wrapInMonacoTemplate } from '$lib/server/email';
import { escapeHtml } from '$lib/server/sanitize';
import { logAudit } from '$lib/server/audit';
export const load: PageServerLoad = async ({ locals }) => {
// Load past bulk emails
const { data: broadcasts } = await supabaseAdmin
.from('bulk_emails')
.select('*')
.order('created_at', { ascending: false })
.limit(20);
// Get recipient counts for filter preview
const { data: members } = await supabaseAdmin
.from('members')
.select('id, role, status')
.not('email', 'is', null);
const recipientCounts = {
all: members?.length || 0,
active: members?.filter((m: any) => m.status === 'active').length || 0,
board: members?.filter((m: any) => m.role === 'board' || m.role === 'admin').length || 0,
admin: members?.filter((m: any) => m.role === 'admin').length || 0
};
return {
broadcasts: broadcasts || [],
recipientCounts
};
};
export const actions: Actions = {
send: async ({ request, locals }) => {
const { member, session } = await locals.safeGetSession();
if (!member || !session) {
return fail(401, { error: 'Not authenticated' });
}
const formData = await request.formData();
const subject = (formData.get('subject') as string)?.trim();
const body = (formData.get('body') as string)?.trim();
const target = (formData.get('target') as string) || 'all';
if (!subject || subject.length < 3) {
return fail(400, { error: 'Subject must be at least 3 characters' });
}
if (!body || body.length < 10) {
return fail(400, { error: 'Email body must be at least 10 characters' });
}
// Build recipient query
let query = supabaseAdmin
.from('members')
.select('id, email, first_name, last_name, role, status');
switch (target) {
case 'active':
query = query.eq('status', 'active');
break;
case 'board':
query = query.in('role', ['board', 'admin']);
break;
case 'admin':
query = query.eq('role', 'admin');
break;
default:
// All members with email
break;
}
const { data: recipients } = await query.not('email', 'is', null);
if (!recipients || recipients.length === 0) {
return fail(400, { error: 'No recipients match the selected filter' });
}
// Create bulk email record
const { data: broadcast, error: createError } = await supabaseAdmin
.from('bulk_emails')
.insert({
subject: escapeHtml(subject),
body,
recipient_filter: { target },
total_recipients: recipients.length,
status: 'sending',
sent_by: session.user.id,
sent_by_name: `${member.first_name} ${member.last_name}`,
sent_at: new Date().toISOString()
})
.select()
.single();
if (createError || !broadcast) {
return fail(500, { error: 'Failed to create broadcast record' });
}
// Send emails in batches
let sentCount = 0;
let failedCount = 0;
// Convert newlines in body to <br> for HTML display
const htmlBody = body.replace(/\n/g, '<br>');
for (const recipient of recipients) {
// Personalize the email content
const personalizedBody = htmlBody
.replace(/\{\{first_name\}\}/g, escapeHtml(recipient.first_name || ''))
.replace(/\{\{last_name\}\}/g, escapeHtml(recipient.last_name || ''))
.replace(/\{\{email\}\}/g, escapeHtml(recipient.email || ''));
const emailContent = `
<p style="margin: 0 0 16px 0; color: #334155; line-height: 1.6;">Hi ${escapeHtml(recipient.first_name || 'Member')},</p>
<div style="color: #334155; line-height: 1.6;">${personalizedBody}</div>
`;
const result = await sendEmail({
to: recipient.email,
subject,
html: wrapInMonacoTemplate({
title: subject,
content: emailContent
}),
recipientId: recipient.id,
recipientName: `${recipient.first_name} ${recipient.last_name}`,
emailType: 'announcement'
});
if (result.success) {
sentCount++;
} else {
failedCount++;
}
}
// Update broadcast record with results
await supabaseAdmin
.from('bulk_emails')
.update({
sent_count: sentCount,
failed_count: failedCount,
status: failedCount === recipients.length ? 'failed' : 'completed',
completed_at: new Date().toISOString()
})
.eq('id', broadcast.id);
// Audit log
logAudit({
action: 'email.send',
resourceType: 'settings',
resourceId: broadcast.id,
userId: session.user.id,
userEmail: member.email,
details: {
subject,
target,
totalRecipients: recipients.length,
sent: sentCount,
failed: failedCount
}
});
return {
success: `Broadcast sent! ${sentCount} delivered, ${failedCount} failed out of ${recipients.length} recipients.`
};
}
};

236
src/routes/(app)/admin/bulk-email/+page.svelte Normal file
View File

@ -0,0 +1,236 @@
<script lang="ts">
import { Send, Mail, Users, Shield, CheckCircle, XCircle, Clock, AlertTriangle } from 'lucide-svelte';
import { Input } from '$lib/components/ui/input';
import { Label } from '$lib/components/ui/label';
import { enhance } from '$app/forms';
import { invalidateAll } from '$app/navigation';
let { data, form } = $props();
const { broadcasts, recipientCounts } = data;
let isSending = $state(false);
let selectedTarget = $state('all');
let showConfirm = $state(false);
const targetOptions = [
{ value: 'all', label: 'All Members', count: recipientCounts.all },
{ value: 'active', label: 'Active Members Only', count: recipientCounts.active },
{ value: 'board', label: 'Board & Admins', count: recipientCounts.board },
{ value: 'admin', label: 'Admins Only', count: recipientCounts.admin }
];
const currentRecipientCount = $derived(
targetOptions.find(o => o.value === selectedTarget)?.count || 0
);
function getStatusBadge(status: string) {
switch (status) {
case 'completed':
return { color: 'text-green-600', bg: 'bg-green-50', label: 'Sent' };
case 'failed':
return { color: 'text-red-600', bg: 'bg-red-50', label: 'Failed' };
case 'sending':
return { color: 'text-blue-600', bg: 'bg-blue-50', label: 'Sending' };
default:
return { color: 'text-slate-500', bg: 'bg-slate-50', label: status };
}
}
function formatDate(dateStr: string): string {
return new Date(dateStr).toLocaleDateString('en-US', {
month: 'short',
day: 'numeric',
year: 'numeric',
hour: '2-digit',
minute: '2-digit'
});
}
</script>
<svelte:head>
<title>Bulk Email | Monaco USA</title>
</svelte:head>
<div class="space-y-6">
<div>
<h1 class="text-2xl font-bold text-slate-900">Bulk Email Broadcast</h1>
<p class="text-slate-500">Send announcements and newsletters to members</p>
</div>
{#if form?.error}
<div class="rounded-lg bg-red-50 border border-red-200 p-4 text-sm text-red-600">
<div class="flex items-center gap-2">
<AlertTriangle class="h-4 w-4" />
{form.error}
</div>
</div>
{/if}
{#if form?.success}
<div class="rounded-lg bg-green-50 border border-green-200 p-4 text-sm text-green-600">
<div class="flex items-center gap-2">
<CheckCircle class="h-4 w-4" />
{form.success}
</div>
</div>
{/if}
<!-- Compose Email -->
<div class="glass-card p-6">
<h2 class="mb-4 flex items-center gap-2 text-lg font-semibold text-slate-900">
<Mail class="h-5 w-5 text-monaco-600" />
Compose Broadcast
</h2>
<form
method="POST"
action="?/send"
use:enhance={() => {
isSending = true;
showConfirm = false;
return async ({ update }) => {
await invalidateAll();
await update();
isSending = false;
};
}}
class="space-y-4"
>
<!-- Recipients -->
<div>
<Label for="target">Recipients</Label>
<select
id="target"
name="target"
bind:value={selectedTarget}
class="mt-1 w-full rounded-lg border border-slate-200 bg-white px-3 py-2 text-sm"
>
{#each targetOptions as option}
<option value={option.value}>{option.label} ({option.count})</option>
{/each}
</select>
<p class="mt-1 text-xs text-slate-500">
This will send to <strong>{currentRecipientCount}</strong> recipients.
Email preferences will be respected (members can opt out of announcements).
</p>
</div>
<!-- Subject -->
<div>
<Label for="subject">Subject *</Label>
<Input
type="text"
id="subject"
name="subject"
required
placeholder="e.g., Monaco USA Monthly Newsletter - February 2026"
class="mt-1"
/>
</div>
<!-- Body -->
<div>
<Label for="body">Email Body *</Label>
<textarea
id="body"
name="body"
required
rows="10"
placeholder="Write your email content here. Use variables like first_name and last_name for personalization."
class="mt-1 w-full rounded-lg border border-slate-200 px-3 py-2 text-sm"
></textarea>
<p class="mt-1 text-xs text-slate-500">
Plain text with line breaks. Use {'{{first_name}}'} and {'{{last_name}}'} for personalization.
</p>
</div>
<!-- Send button -->
<div class="flex items-center gap-4 border-t border-slate-200 pt-4">
{#if !showConfirm}
<button
type="button"
onclick={() => (showConfirm = true)}
class="flex items-center gap-2 rounded-lg bg-monaco-600 px-6 py-2 text-sm font-medium text-white hover:bg-monaco-700"
>
<Send class="h-4 w-4" />
Send Broadcast
</button>
{:else}
<div class="flex items-center gap-3 rounded-lg bg-amber-50 border border-amber-200 px-4 py-3">
<AlertTriangle class="h-5 w-5 text-amber-600 shrink-0" />
<p class="text-sm text-amber-700">
Send to <strong>{currentRecipientCount}</strong> recipients? This cannot be undone.
</p>
<button
type="submit"
disabled={isSending}
class="shrink-0 rounded-lg bg-monaco-600 px-4 py-1.5 text-sm font-medium text-white hover:bg-monaco-700 disabled:opacity-50"
>
{isSending ? 'Sending...' : 'Confirm Send'}
</button>
<button
type="button"
onclick={() => (showConfirm = false)}
class="shrink-0 text-sm text-slate-500 hover:text-slate-700"
>
Cancel
</button>
</div>
{/if}
</div>
</form>
</div>
<!-- Broadcast History -->
<div class="glass-card p-6">
<h2 class="mb-4 text-lg font-semibold text-slate-900">Broadcast History</h2>
{#if broadcasts.length === 0}
<div class="py-12 text-center">
<Mail class="mx-auto h-12 w-12 text-slate-300" />
<p class="mt-4 text-slate-500">No broadcasts sent yet.</p>
</div>
{:else}
<div class="overflow-x-auto">
<table class="w-full text-sm">
<thead>
<tr class="border-b border-slate-200 text-left">
<th class="pb-3 pr-4 font-medium text-slate-600">Subject</th>
<th class="pb-3 pr-4 font-medium text-slate-600">Status</th>
<th class="pb-3 pr-4 font-medium text-slate-600">Recipients</th>
<th class="pb-3 pr-4 font-medium text-slate-600">Sent By</th>
<th class="pb-3 font-medium text-slate-600">Date</th>
</tr>
</thead>
<tbody class="divide-y divide-slate-100">
{#each broadcasts as broadcast}
{@const statusBadge = getStatusBadge(broadcast.status)}
<tr class="hover:bg-slate-50">
<td class="py-3 pr-4 font-medium text-slate-900 max-w-xs truncate">
{broadcast.subject}
</td>
<td class="py-3 pr-4">
<span class="inline-flex items-center rounded-full px-2 py-0.5 text-xs font-medium {statusBadge.bg} {statusBadge.color}">
{statusBadge.label}
</span>
</td>
<td class="py-3 pr-4 text-slate-600">
{broadcast.sent_count}/{broadcast.total_recipients}
{#if broadcast.failed_count > 0}
<span class="text-red-500 text-xs">({broadcast.failed_count} failed)</span>
{/if}
</td>
<td class="py-3 pr-4 text-slate-500">
{broadcast.sent_by_name || 'Unknown'}
</td>
<td class="py-3 text-slate-500 whitespace-nowrap">
{broadcast.sent_at ? formatDate(broadcast.sent_at) : formatDate(broadcast.created_at)}
</td>
</tr>
{/each}
</tbody>
</table>
</div>
{/if}
</div>
</div>

143
src/routes/(app)/admin/cron-monitoring/+page.server.ts Normal file
View File

@ -0,0 +1,143 @@
import { fail } from '@sveltejs/kit';
import type { Actions, PageServerLoad } from './$types';
import { supabaseAdmin } from '$lib/server/supabase';
import { env } from '$env/dynamic/private';
export const load: PageServerLoad = async () => {
// Load recent cron execution logs
const { data: logs } = await supabaseAdmin
.from('cron_execution_logs')
.select('*')
.order('started_at', { ascending: false })
.limit(50);
return {
cronLogs: logs || []
};
};
export const actions: Actions = {
runDuesReminders: async ({ url }) => {
const cronSecret = env.CRON_SECRET;
if (!cronSecret) {
return fail(500, { error: 'CRON_SECRET not configured' });
}
// Log the execution start
const { data: logEntry } = await supabaseAdmin
.from('cron_execution_logs')
.insert({
job_name: 'dues-reminders',
status: 'running',
triggered_by: 'admin-manual'
})
.select()
.single();
try {
const baseUrl = url.origin || env.SITE_URL || 'https://monacousa.org';
const response = await fetch(`${baseUrl}/api/cron/dues-reminders`, {
method: 'POST',
headers: {
'Authorization': `Bearer ${cronSecret}`
}
});
const result = await response.json();
// Update log entry
if (logEntry) {
await supabaseAdmin
.from('cron_execution_logs')
.update({
status: response.ok ? 'completed' : 'failed',
completed_at: new Date().toISOString(),
duration_ms: Date.now() - new Date(logEntry.started_at).getTime(),
result,
error_message: response.ok ? null : result.error
})
.eq('id', logEntry.id);
}
if (!response.ok) {
return fail(500, { error: result.error || 'Cron job failed' });
}
return { success: `Dues reminders completed. Sent: ${result.summary?.totalRemindersSent || 0}` };
} catch (error) {
if (logEntry) {
await supabaseAdmin
.from('cron_execution_logs')
.update({
status: 'failed',
completed_at: new Date().toISOString(),
duration_ms: Date.now() - new Date(logEntry.started_at).getTime(),
error_message: error instanceof Error ? error.message : 'Unknown error'
})
.eq('id', logEntry.id);
}
return fail(500, { error: error instanceof Error ? error.message : 'Failed to run cron job' });
}
},
runEventReminders: async ({ url }) => {
const cronSecret = env.CRON_SECRET;
if (!cronSecret) {
return fail(500, { error: 'CRON_SECRET not configured' });
}
const { data: logEntry } = await supabaseAdmin
.from('cron_execution_logs')
.insert({
job_name: 'event-reminders',
status: 'running',
triggered_by: 'admin-manual'
})
.select()
.single();
try {
const baseUrl = url.origin || env.SITE_URL || 'https://monacousa.org';
const response = await fetch(`${baseUrl}/api/cron/event-reminders`, {
method: 'POST',
headers: {
'Authorization': `Bearer ${cronSecret}`
}
});
const result = await response.json();
if (logEntry) {
await supabaseAdmin
.from('cron_execution_logs')
.update({
status: response.ok ? 'completed' : 'failed',
completed_at: new Date().toISOString(),
duration_ms: Date.now() - new Date(logEntry.started_at).getTime(),
result,
error_message: response.ok ? null : result.error
})
.eq('id', logEntry.id);
}
if (!response.ok) {
return fail(500, { error: result.error || 'Cron job failed' });
}
return { success: `Event reminders completed. Sent: ${result.sent || 0}` };
} catch (error) {
if (logEntry) {
await supabaseAdmin
.from('cron_execution_logs')
.update({
status: 'failed',
completed_at: new Date().toISOString(),
duration_ms: Date.now() - new Date(logEntry.started_at).getTime(),
error_message: error instanceof Error ? error.message : 'Unknown error'
})
.eq('id', logEntry.id);
}
return fail(500, { error: error instanceof Error ? error.message : 'Failed to run cron job' });
}
}
};

241
src/routes/(app)/admin/cron-monitoring/+page.svelte Normal file
View File

@ -0,0 +1,241 @@
<script lang="ts">
import { Timer, Play, CheckCircle, XCircle, Clock, RefreshCw, AlertTriangle } from 'lucide-svelte';
import { enhance } from '$app/forms';
import { invalidateAll } from '$app/navigation';
let { data, form } = $props();
const cronLogs = $derived(data.cronLogs);
let runningJob = $state<string | null>(null);
const cronJobs = [
{
id: 'dues-reminders',
name: 'Dues Reminders',
description: 'Send payment reminders to members with upcoming or overdue dues',
schedule: 'Daily at 9:00 AM',
action: '?/runDuesReminders'
},
{
id: 'event-reminders',
name: 'Event Reminders',
description: 'Send reminder emails 24 hours before events',
schedule: 'Hourly',
action: '?/runEventReminders'
}
];
function getStatusBadge(status: string) {
switch (status) {
case 'completed':
return { icon: CheckCircle, color: 'text-green-600', bg: 'bg-green-50', label: 'Completed' };
case 'failed':
return { icon: XCircle, color: 'text-red-600', bg: 'bg-red-50', label: 'Failed' };
case 'running':
return { icon: RefreshCw, color: 'text-blue-600', bg: 'bg-blue-50', label: 'Running' };
default:
return { icon: Clock, color: 'text-slate-500', bg: 'bg-slate-50', label: status };
}
}
function formatDuration(ms: number | null): string {
if (!ms) return '-';
if (ms < 1000) return `${ms}ms`;
if (ms < 60000) return `${(ms / 1000).toFixed(1)}s`;
return `${Math.floor(ms / 60000)}m ${Math.round((ms % 60000) / 1000)}s`;
}
function formatDate(dateStr: string): string {
return new Date(dateStr).toLocaleDateString('en-US', {
month: 'short',
day: 'numeric',
year: 'numeric',
hour: '2-digit',
minute: '2-digit'
});
}
function getLastRun(jobName: string) {
return cronLogs.find((log: any) => log.job_name === jobName);
}
</script>
<svelte:head>
<title>Cron Monitoring | Monaco USA</title>
</svelte:head>
<div class="space-y-6">
<div>
<h1 class="text-2xl font-bold text-slate-900">Cron Job Monitoring</h1>
<p class="text-slate-500">Monitor and manually trigger scheduled tasks</p>
</div>
{#if form?.error}
<div class="rounded-lg bg-red-50 border border-red-200 p-4 text-sm text-red-600">
<div class="flex items-center gap-2">
<AlertTriangle class="h-4 w-4" />
{form.error}
</div>
</div>
{/if}
{#if form?.success}
<div class="rounded-lg bg-green-50 border border-green-200 p-4 text-sm text-green-600">
<div class="flex items-center gap-2">
<CheckCircle class="h-4 w-4" />
{form.success}
</div>
</div>
{/if}
<!-- Cron Jobs -->
<div class="grid gap-4 sm:grid-cols-2">
{#each cronJobs as job}
{@const lastRun = getLastRun(job.id)}
{@const lastStatus = lastRun ? getStatusBadge(lastRun.status) : null}
<div class="glass-card p-6">
<div class="flex items-start justify-between">
<div class="flex items-center gap-3">
<div class="rounded-lg bg-monaco-100 p-2">
<Timer class="h-5 w-5 text-monaco-600" />
</div>
<div>
<h3 class="font-semibold text-slate-900">{job.name}</h3>
<p class="text-sm text-slate-500">{job.description}</p>
</div>
</div>
</div>
<div class="mt-4 space-y-2 text-sm">
<div class="flex items-center justify-between">
<span class="text-slate-500">Schedule:</span>
<span class="font-medium text-slate-700">{job.schedule}</span>
</div>
<div class="flex items-center justify-between">
<span class="text-slate-500">Last Run:</span>
{#if lastRun}
<span class="font-medium text-slate-700">{formatDate(lastRun.started_at)}</span>
{:else}
<span class="text-slate-400">Never</span>
{/if}
</div>
{#if lastStatus}
{@const StatusIcon = lastStatus.icon}
<div class="flex items-center justify-between">
<span class="text-slate-500">Status:</span>
<span class="inline-flex items-center gap-1 rounded-full px-2 py-0.5 text-xs font-medium {lastStatus.bg} {lastStatus.color}">
<StatusIcon class="h-3 w-3" />
{lastStatus.label}
</span>
</div>
{/if}
{#if lastRun?.duration_ms}
<div class="flex items-center justify-between">
<span class="text-slate-500">Duration:</span>
<span class="font-medium text-slate-700">{formatDuration(lastRun.duration_ms)}</span>
</div>
{/if}
</div>
<div class="mt-4 border-t border-slate-100 pt-4">
<form
method="POST"
action={job.action}
use:enhance={() => {
runningJob = job.id;
return async ({ update }) => {
await invalidateAll();
await update();
runningJob = null;
};
}}
>
<button
type="submit"
disabled={runningJob !== null}
class="flex w-full items-center justify-center gap-2 rounded-lg bg-monaco-600 px-4 py-2 text-sm font-medium text-white hover:bg-monaco-700 disabled:opacity-50"
>
{#if runningJob === job.id}
<RefreshCw class="h-4 w-4 animate-spin" />
Running...
{:else}
<Play class="h-4 w-4" />
Run Now
{/if}
</button>
</form>
</div>
</div>
{/each}
</div>
<!-- Execution History -->
<div class="glass-card p-6">
<h2 class="mb-4 text-lg font-semibold text-slate-900">Execution History</h2>
{#if cronLogs.length === 0}
<div class="py-12 text-center">
<Timer class="mx-auto h-12 w-12 text-slate-300" />
<p class="mt-4 text-slate-500">No cron executions recorded yet.</p>
<p class="mt-1 text-sm text-slate-400">Run a job above or wait for scheduled execution.</p>
</div>
{:else}
<div class="overflow-x-auto">
<table class="w-full text-sm">
<thead>
<tr class="border-b border-slate-200 text-left">
<th class="pb-3 pr-4 font-medium text-slate-600">Job</th>
<th class="pb-3 pr-4 font-medium text-slate-600">Status</th>
<th class="pb-3 pr-4 font-medium text-slate-600">Started</th>
<th class="pb-3 pr-4 font-medium text-slate-600">Duration</th>
<th class="pb-3 pr-4 font-medium text-slate-600">Triggered By</th>
<th class="pb-3 font-medium text-slate-600">Details</th>
</tr>
</thead>
<tbody class="divide-y divide-slate-100">
{#each cronLogs as log}
{@const statusBadge = getStatusBadge(log.status)}
{@const BadgeIcon = statusBadge.icon}
<tr class="hover:bg-slate-50">
<td class="py-3 pr-4 font-medium text-slate-900 whitespace-nowrap">
{log.job_name}
</td>
<td class="py-3 pr-4">
<span class="inline-flex items-center gap-1 rounded-full px-2 py-0.5 text-xs font-medium {statusBadge.bg} {statusBadge.color}">
<BadgeIcon class="h-3 w-3" />
{statusBadge.label}
</span>
</td>
<td class="py-3 pr-4 text-slate-500 whitespace-nowrap">
{formatDate(log.started_at)}
</td>
<td class="py-3 pr-4 text-slate-500">
{formatDuration(log.duration_ms)}
</td>
<td class="py-3 pr-4">
<span class="inline-flex items-center rounded-full px-2 py-0.5 text-xs font-medium {log.triggered_by === 'admin-manual' ? 'bg-purple-50 text-purple-700' : 'bg-slate-100 text-slate-600'}">
{log.triggered_by === 'admin-manual' ? 'Manual' : 'Scheduled'}
</span>
</td>
<td class="py-3 text-slate-500">
{#if log.error_message}
<span class="text-red-600 text-xs">{log.error_message}</span>
{:else if log.result?.summary}
<span class="text-xs">
Sent: {log.result.summary.totalRemindersSent || 0},
Errors: {log.result.summary.totalErrors || 0}
</span>
{:else if log.result?.sent !== undefined}
<span class="text-xs">Sent: {log.result.sent}</span>
{:else}
<span class="text-slate-400">-</span>
{/if}
</td>
</tr>
{/each}
</tbody>
</table>
</div>
{/if}
</div>
</div>

30
src/routes/(app)/admin/members/+page.server.ts
View File

@ -2,6 +2,7 @@ import { fail } from '@sveltejs/kit';
import type { Actions, PageServerLoad } from './$types';
import { supabaseAdmin } from '$lib/server/supabase';
import { sendEmail } from '$lib/server/email';
import { logMemberAction } from '$lib/server/audit';
export const load: PageServerLoad = async ({ locals, url }) => {
const searchQuery = url.searchParams.get('search') || '';
@ -64,6 +65,7 @@ export const load: PageServerLoad = async ({ locals, url }) => {
export const actions: Actions = {
updateRole: async ({ request, locals }) => {
const { session } = await locals.safeGetSession();
const formData = await request.formData();
const memberId = formData.get('member_id') as string;
const newRole = formData.get('role') as string;
@ -76,6 +78,11 @@ export const actions: Actions = {
return fail(400, { error: 'Invalid role' });
}
// Prevent admin from changing their own role (belt-and-suspenders with RLS)
if (session?.user && memberId === session.user.id) {
return fail(403, { error: 'Cannot change your own role' });
}
const { error } = await locals.supabase
.from('members')
.update({ role: newRole, updated_at: new Date().toISOString() })
@ -86,10 +93,19 @@ export const actions: Actions = {
return fail(500, { error: 'Failed to update role' });
}
if (session?.user) {
logMemberAction('role_change',
{ id: session.user.id, email: session.user.email! },
{ id: memberId },
{ new_role: newRole }
);
}
return { success: 'Role updated successfully!' };
},
updateStatus: async ({ request, locals }) => {
const { session } = await locals.safeGetSession();
const formData = await request.formData();
const memberId = formData.get('member_id') as string;
const statusId = formData.get('status_id') as string;
@ -111,6 +127,14 @@ export const actions: Actions = {
return fail(500, { error: 'Failed to update status' });
}
if (session?.user) {
logMemberAction('status_change',
{ id: session.user.id, email: session.user.email! },
{ id: memberId },
{ new_status_id: statusId }
);
}
return { success: 'Status updated successfully!' };
},
@ -174,6 +198,12 @@ export const actions: Actions = {
// Member is already deleted, just log this
}
logMemberAction('delete',
{ id: member.id, email: member.email! },
{ id: memberId },
{ deleted_by_admin: true }
);
return { success: 'Member deleted successfully!' };
},

5
src/routes/(app)/admin/notifications/+page.server.ts
View File

@ -1,6 +1,7 @@
import { fail, redirect } from '@sveltejs/kit';
import type { Actions, PageServerLoad } from './$types';
import { supabaseAdmin } from '$lib/server/supabase';
import { escapeHtml } from '$lib/server/sanitize';
export const load: PageServerLoad = async ({ locals }) => {
const { member } = await locals.safeGetSession();
@ -46,8 +47,8 @@ export const actions: Actions = {
const formData = await request.formData();
const type = formData.get('type') as string;
const title = formData.get('title') as string;
const message = formData.get('message') as string;
const title = escapeHtml(formData.get('title') as string);
const message = escapeHtml(formData.get('message') as string);
const link = (formData.get('link') as string) || null;
const recipientType = formData.get('recipient_type') as string;
const recipientId = formData.get('recipient_id') as string;

13
src/routes/(app)/admin/settings/+page.server.ts
View File

@ -4,6 +4,7 @@ import { testSmtpConnection, sendTemplatedEmail } from '$lib/server/email';
import { testS3Connection, clearS3ClientCache } from '$lib/server/storage';
import { supabaseAdmin } from '$lib/server/supabase';
import * as poste from '$lib/server/poste';
import { logSettingsUpdate, getRecentAuditLogs } from '$lib/server/audit';
export const load: PageServerLoad = async ({ locals }) => {
// Load all configurable data
@ -32,13 +33,17 @@ export const load: PageServerLoad = async ({ locals }) => {
settings[setting.category][setting.setting_key] = setting.setting_value;
}
// Load recent settings audit logs
const { logs: auditLogs } = await getRecentAuditLogs(50, { resourceType: 'settings' });
return {
membershipStatuses: membershipStatuses || [],
membershipTypes: membershipTypes || [],
eventTypes: eventTypes || [],
documentCategories: documentCategories || [],
settings,
emailTemplates: emailTemplates || []
emailTemplates: emailTemplates || [],
auditLogs
};
};
@ -317,6 +322,12 @@ export const actions: Actions = {
clearS3ClientCache();
}
logSettingsUpdate(
{ id: member.id, email: member.email! },
category,
{ changed_settings: settingsToUpdate.map(s => s.key) }
);
return { success: 'Settings updated successfully!' };
} catch (err) {
console.error('Unexpected error updating settings:', err);

85
src/routes/(app)/admin/settings/+page.svelte
View File

@ -22,7 +22,8 @@
Key,
Copy,
Power,
PowerOff
PowerOff,
ClipboardList
} from 'lucide-svelte';
import { Input } from '$lib/components/ui/input';
import { Label } from '$lib/components/ui/label';
@ -30,9 +31,9 @@
import { invalidateAll } from '$app/navigation';
let { data, form } = $props();
const { membershipStatuses, membershipTypes, eventTypes, documentCategories, settings, emailTemplates } = data;
const { membershipStatuses, membershipTypes, eventTypes, documentCategories, settings, emailTemplates, auditLogs } = data;
type Tab = 'membership' | 'dues' | 'events' | 'documents' | 'email' | 'poste' | 'storage' | 'system';
type Tab = 'membership' | 'dues' | 'events' | 'documents' | 'email' | 'poste' | 'storage' | 'system' | 'audit';
let activeTab = $state<Tab>('membership');
let showAddStatusModal = $state(false);
@ -83,7 +84,8 @@
{ id: 'email', label: 'Email', icon: Mail },
{ id: 'poste', label: 'Email Accounts', icon: Inbox },
{ id: 'storage', label: 'Storage', icon: HardDrive },
{ id: 'system', label: 'System', icon: Cog }
{ id: 'system', label: 'System', icon: Cog },
{ id: 'audit', label: 'Audit Log', icon: ClipboardList }
];
// Load mailboxes function
@ -1344,6 +1346,81 @@
</div>
</div>
{/if}
{#if activeTab === 'audit'}
<div class="glass-card space-y-6 p-6">
<div>
<h2 class="flex items-center gap-2 text-lg font-semibold text-slate-900">
<ClipboardList class="h-5 w-5 text-monaco-600" />
Recent Settings Changes
</h2>
<p class="mt-1 text-sm text-slate-500">
Audit trail of recent configuration changes made by administrators.
</p>
</div>
{#if auditLogs && auditLogs.length > 0}
<div class="overflow-x-auto">
<table class="w-full text-sm">
<thead>
<tr class="border-b border-slate-200 text-left">
<th class="pb-3 pr-4 font-medium text-slate-600">Timestamp</th>
<th class="pb-3 pr-4 font-medium text-slate-600">User</th>
<th class="pb-3 pr-4 font-medium text-slate-600">Action</th>
<th class="pb-3 font-medium text-slate-600">Details</th>
</tr>
</thead>
<tbody class="divide-y divide-slate-100">
{#each auditLogs as log}
<tr class="hover:bg-slate-50">
<td class="py-3 pr-4 text-slate-500 whitespace-nowrap">
{new Date(log.created_at).toLocaleDateString('en-US', { month: 'short', day: 'numeric', year: 'numeric' })}
<span class="text-xs text-slate-400 ml-1">
{new Date(log.created_at).toLocaleTimeString('en-US', { hour: '2-digit', minute: '2-digit' })}
</span>
</td>
<td class="py-3 pr-4 text-slate-700">
{log.user_email || 'System'}
</td>
<td class="py-3 pr-4">
<span class="inline-flex items-center rounded-full bg-blue-50 px-2 py-0.5 text-xs font-medium text-blue-700">
{log.action}
</span>
</td>
<td class="py-3 text-slate-600">
{#if log.details}
{#if typeof log.details === 'object'}
{#if log.details.category}
<span class="font-medium">{log.details.category}</span>:
{/if}
{#if log.details.changes}
{#each Object.entries(log.details.changes) as [key, value]}
<span class="ml-1 text-xs">{key}={value}</span>
{/each}
{:else}
<span class="text-xs text-slate-400">{JSON.stringify(log.details).slice(0, 100)}</span>
{/if}
{:else}
{log.details}
{/if}
{:else}
<span class="text-slate-400">-</span>
{/if}
</td>
</tr>
{/each}
</tbody>
</table>
</div>
{:else}
<div class="py-12 text-center">
<ClipboardList class="mx-auto h-12 w-12 text-slate-300" />
<p class="mt-4 text-slate-500">No settings changes recorded yet.</p>
<p class="mt-1 text-sm text-slate-400">Changes to system settings will appear here.</p>
</div>
{/if}
</div>
{/if}
</div>
<!-- Add Status Modal -->

161
src/routes/(app)/board/approvals/+page.server.ts Normal file
View File

@ -0,0 +1,161 @@
import { fail } from '@sveltejs/kit';
import type { Actions, PageServerLoad } from './$types';
import { supabaseAdmin } from '$lib/server/supabase';
import { sendTemplatedEmail } from '$lib/server/email';
import { logMemberAction } from '$lib/server/audit';
export const load: PageServerLoad = async ({ locals }) => {
const { session } = await locals.safeGetSession();
if (!session) return { pendingMembers: [] };
// Get pending status ID
const { data: pendingStatus } = await locals.supabase
.from('membership_statuses')
.select('id')
.eq('name', 'pending')
.single();
if (!pendingStatus) return { pendingMembers: [] };
// Load pending members
const { data: pendingMembers } = await locals.supabase
.from('members')
.select(`
id,
member_id,
first_name,
last_name,
email,
phone,
nationality,
address,
date_of_birth,
created_at
`)
.eq('membership_status_id', pendingStatus.id)
.order('created_at', { ascending: true });
return {
pendingMembers: pendingMembers || []
};
};
export const actions: Actions = {
approve: async ({ request, locals }) => {
const { session } = await locals.safeGetSession();
if (!session) return fail(401, { error: 'Not authenticated' });
const formData = await request.formData();
const memberId = formData.get('member_id') as string;
if (!memberId) return fail(400, { error: 'Missing member ID' });
// Get active status ID
const { data: activeStatus } = await supabaseAdmin
.from('membership_statuses')
.select('id')
.eq('name', 'active')
.single();
if (!activeStatus) return fail(500, { error: 'Active status not found' });
// Update member status to active
const { error } = await supabaseAdmin
.from('members')
.update({
membership_status_id: activeStatus.id,
approved_at: new Date().toISOString(),
approved_by: session.user.id
})
.eq('id', memberId);
if (error) return fail(500, { error: 'Failed to approve member' });
// Get member info for email
const { data: member } = await supabaseAdmin
.from('members')
.select('first_name, email, member_id')
.eq('id', memberId)
.single();
// Send approval email
if (member) {
sendTemplatedEmail('member_approved', member.email, {
first_name: member.first_name,
member_id: member.member_id || ''
}, {
recipientId: memberId,
recipientName: member.first_name
});
}
// Audit log
logMemberAction('status_change',
{ id: session.user.id, email: session.user.email! },
{ id: memberId, email: member?.email },
{ old_status: 'pending', new_status: 'active', action: 'approved' }
);
return { success: true, approved: member?.first_name };
},
reject: async ({ request, locals }) => {
const { session } = await locals.safeGetSession();
if (!session) return fail(401, { error: 'Not authenticated' });
const formData = await request.formData();
const memberId = formData.get('member_id') as string;
const reason = formData.get('reason') as string;
if (!memberId) return fail(400, { error: 'Missing member ID' });
// Get inactive status ID
const { data: inactiveStatus } = await supabaseAdmin
.from('membership_statuses')
.select('id')
.eq('name', 'inactive')
.single();
if (!inactiveStatus) return fail(500, { error: 'Inactive status not found' });
// Update member status
const { error } = await supabaseAdmin
.from('members')
.update({
membership_status_id: inactiveStatus.id,
rejected_at: new Date().toISOString(),
rejected_by: session.user.id,
rejection_reason: reason || null
})
.eq('id', memberId);
if (error) return fail(500, { error: 'Failed to reject member' });
// Get member info for email
const { data: member } = await supabaseAdmin
.from('members')
.select('first_name, email')
.eq('id', memberId)
.single();
// Send rejection email
if (member) {
sendTemplatedEmail('member_rejected', member.email, {
first_name: member.first_name,
reason: reason || ''
}, {
recipientId: memberId,
recipientName: member.first_name
});
}
// Audit log
logMemberAction('status_change',
{ id: session.user.id, email: session.user.email! },
{ id: memberId, email: member?.email },
{ old_status: 'pending', new_status: 'inactive', action: 'rejected', reason }
);
return { success: true, rejected: member?.first_name };
}
};

222
src/routes/(app)/board/approvals/+page.svelte Normal file
View File

@ -0,0 +1,222 @@
<script lang="ts">
import {
UserCheck,
UserX,
Clock,
Mail,
Phone,
MapPin,
Flag,
Calendar
} from 'lucide-svelte';
import { Button } from '$lib/components/ui/button';
import { EmptyState } from '$lib/components/ui';
import CountryFlag from '$lib/components/ui/CountryFlag.svelte';
import { enhance } from '$app/forms';
let { data, form } = $props();
let rejectingId = $state<string | null>(null);
let rejectReason = $state('');
let submitting = $state(false);
const pendingCount = $derived(data.pendingMembers.length);
function formatDate(dateStr: string | null): string {
if (!dateStr) return 'N/A';
return new Date(dateStr).toLocaleDateString('en-US', {
year: 'numeric',
month: 'short',
day: 'numeric'
});
}
</script>
<svelte:head>
<title>Member Approvals | Monaco USA</title>
</svelte:head>
<div class="space-y-6">
<div class="flex flex-col gap-4 sm:flex-row sm:items-center sm:justify-between">
<div>
<div class="flex items-center gap-3">
<h1 class="text-2xl font-bold text-slate-900">Member Approvals</h1>
{#if pendingCount > 0}
<span class="inline-flex items-center rounded-full bg-yellow-100 px-2.5 py-0.5 text-sm font-medium text-yellow-800">
{pendingCount}
</span>
{/if}
</div>
<p class="text-slate-500">Review and approve pending membership applications</p>
</div>
</div>
{#if form?.success && form?.approved}
<div class="rounded-lg border border-green-200 bg-green-50 p-4">
<p class="text-sm font-medium text-green-800">
{form.approved} has been approved and notified by email.
</p>
</div>
{/if}
{#if form?.success && form?.rejected}
<div class="rounded-lg border border-red-200 bg-red-50 p-4">
<p class="text-sm font-medium text-red-800">
{form.rejected}'s application has been rejected.
</p>
</div>
{/if}
{#if form?.error}
<div class="rounded-lg border border-red-200 bg-red-50 p-4">
<p class="text-sm font-medium text-red-800">{form.error}</p>
</div>
{/if}
{#if pendingCount === 0}
<div class="glass-card p-12">
<EmptyState
icon={UserCheck}
title="No pending applications"
description="All membership applications have been reviewed. New applications will appear here."
/>
</div>
{:else}
<div class="space-y-4">
{#each data.pendingMembers as member}
<div class="glass-card p-6">
<div class="flex flex-col gap-4 lg:flex-row lg:items-start lg:justify-between">
<!-- Member Info -->
<div class="flex-1 space-y-3">
<div class="flex items-center gap-3">
<div class="flex h-12 w-12 items-center justify-center rounded-full bg-yellow-100 text-lg font-medium text-yellow-700">
{member.first_name?.[0]}{member.last_name?.[0]}
</div>
<div>
<h3 class="text-lg font-semibold text-slate-900">
{member.first_name} {member.last_name}
</h3>
<p class="text-sm text-slate-500">{member.member_id || 'ID pending'}</p>
</div>
</div>
<div class="grid grid-cols-1 gap-2 sm:grid-cols-2">
<div class="flex items-center gap-2 text-sm text-slate-600">
<Mail class="h-4 w-4 text-slate-400" />
<a href="mailto:{member.email}" class="hover:text-monaco-600">{member.email}</a>
</div>
{#if member.phone}
<div class="flex items-center gap-2 text-sm text-slate-600">
<Phone class="h-4 w-4 text-slate-400" />
{member.phone}
</div>
{/if}
{#if member.nationality && member.nationality.length > 0}
<div class="flex items-center gap-2 text-sm text-slate-600">
<Flag class="h-4 w-4 text-slate-400" />
<div class="flex items-center gap-1">
{#each member.nationality as code}
<CountryFlag {code} size="xs" />
{/each}
</div>
</div>
{/if}
{#if member.address}
<div class="flex items-center gap-2 text-sm text-slate-600">
<MapPin class="h-4 w-4 text-slate-400" />
{member.address}
</div>
{/if}
<div class="flex items-center gap-2 text-sm text-slate-500">
<Calendar class="h-4 w-4 text-slate-400" />
Applied: {formatDate(member.created_at)}
</div>
</div>
</div>
<!-- Actions -->
<div class="flex flex-shrink-0 items-start gap-2">
{#if rejectingId === member.id}
<!-- Reject form with reason -->
<form
method="POST"
action="?/reject"
use:enhance={() => {
submitting = true;
return async ({ update }) => {
submitting = false;
rejectingId = null;
rejectReason = '';
await update();
};
}}
class="flex flex-col gap-2"
>
<input type="hidden" name="member_id" value={member.id} />
<textarea
name="reason"
bind:value={rejectReason}
placeholder="Optional reason for rejection..."
rows="2"
class="w-64 rounded-lg border border-slate-200 px-3 py-2 text-sm focus:border-monaco-500 focus:outline-none focus:ring-1 focus:ring-monaco-500"
></textarea>
<div class="flex gap-2">
<Button
type="submit"
variant="destructive"
size="sm"
disabled={submitting}
>
<UserX class="mr-1 h-4 w-4" />
Confirm Reject
</Button>
<Button
type="button"
variant="outline"
size="sm"
onclick={() => { rejectingId = null; rejectReason = ''; }}
>
Cancel
</Button>
</div>
</form>
{:else}
<form
method="POST"
action="?/approve"
use:enhance={() => {
submitting = true;
return async ({ update }) => {
submitting = false;
await update();
};
}}
>
<input type="hidden" name="member_id" value={member.id} />
<Button
type="submit"
size="sm"
class="bg-green-600 hover:bg-green-700"
disabled={submitting}
>
<UserCheck class="mr-1 h-4 w-4" />
Approve
</Button>
</form>
<Button
variant="outline"
size="sm"
class="border-red-200 text-red-600 hover:bg-red-50"
onclick={() => { rejectingId = member.id; }}
>
<UserX class="mr-1 h-4 w-4" />
Reject
</Button>
{/if}
</div>
</div>
</div>
{/each}
</div>
{/if}
</div>

17
src/routes/(app)/board/documents/+page.server.ts
View File

@ -2,6 +2,7 @@ import { fail } from '@sveltejs/kit';
import type { Actions, PageServerLoad } from './$types';
import { uploadDocument, deleteDocument, getSignedUrl, isS3Enabled, getActiveDocumentUrl } from '$lib/server/storage';
import { supabaseAdmin } from '$lib/server/supabase';
import { logDocumentAction } from '$lib/server/audit';
export const load: PageServerLoad = async ({ locals, url }) => {
const folderId = url.searchParams.get('folder');
@ -282,6 +283,10 @@ export const actions: Actions = {
return fail(400, { error: 'Title is required' });
}
if (title.length > 200) {
return fail(400, { error: 'Title must be 200 characters or less' });
}
// Upload using dual-storage document service (uploads to both S3 and Supabase Storage)
const uploadResult = await uploadDocument(file);
@ -354,6 +359,12 @@ export const actions: Actions = {
return fail(500, { error: 'Failed to delete document' });
}
logDocumentAction('delete',
{ id: member.id, email: member.email! },
{ id: documentId, title: doc?.storage_path || documentId },
{ storage_path: doc?.storage_path }
);
// Delete from ALL storage backends (both S3 and Supabase Storage)
if (doc?.storage_path) {
// Use the storage_path directly
@ -416,6 +427,12 @@ export const actions: Actions = {
return fail(500, { error: 'Failed to update document' });
}
logDocumentAction('visibility_change',
{ id: member.id, email: member.email! },
{ id: documentId },
{ new_visibility: visibility }
);
return { success: 'Visibility updated!' };
},

26
src/routes/(app)/board/events/[id]/edit/+page.server.ts
View File

@ -1,5 +1,7 @@
import { fail, error, redirect } from '@sveltejs/kit';
import type { Actions, PageServerLoad } from './$types';
import { escapeHtml, sanitizeRichText } from '$lib/server/sanitize';
import { logEventAction } from '$lib/server/audit';
export const load: PageServerLoad = async ({ locals, params }) => {
const { member } = await locals.safeGetSession();
@ -42,8 +44,8 @@ export const actions: Actions = {
const formData = await request.formData();
const title = formData.get('title') as string;
const description = formData.get('description') as string;
const title = escapeHtml(formData.get('title') as string);
const description = sanitizeRichText(formData.get('description') as string || '');
const eventTypeId = formData.get('event_type_id') as string;
const startDate = formData.get('start_date') as string;
const startTime = formData.get('start_time') as string;
@ -58,6 +60,9 @@ export const actions: Actions = {
const nonMemberPrice = formData.get('non_member_price') as string;
const visibility = formData.get('visibility') as string;
const status = formData.get('status') as string;
const rsvpDeadlineEnabled = formData.get('rsvp_deadline_enabled') === 'true';
const rsvpDeadlineDate = formData.get('rsvp_deadline_date') as string;
const rsvpDeadlineTime = formData.get('rsvp_deadline_time') as string;
// Validation
if (!title || !startDate || !startTime || !endDate || !endTime) {
@ -90,6 +95,10 @@ export const actions: Actions = {
non_member_price: isPaid && nonMemberPrice ? parseFloat(nonMemberPrice) : 0,
visibility: visibility || 'members',
status: status || 'published',
rsvp_deadline_enabled: rsvpDeadlineEnabled,
rsvp_deadline: rsvpDeadlineEnabled && rsvpDeadlineDate && rsvpDeadlineTime
? `${rsvpDeadlineDate}T${rsvpDeadlineTime}:00`
: null,
updated_at: new Date().toISOString()
})
.eq('id', params.id);
@ -99,6 +108,13 @@ export const actions: Actions = {
return fail(500, { error: 'Failed to update event. Please try again.' });
}
logEventAction(
status === 'cancelled' ? 'cancel' : 'update',
{ id: member.id, email: member.email! },
{ id: params.id, title },
{ status }
);
return { success: 'Event updated successfully!' };
},
@ -119,6 +135,12 @@ export const actions: Actions = {
return fail(500, { error: 'Failed to delete event. Please try again.' });
}
logEventAction('delete',
{ id: member.id, email: member.email! },
{ id: params.id },
{ deleted_by_admin: true }
);
throw redirect(303, '/board/events?deleted=true');
}
};

59
src/routes/(app)/board/events/[id]/edit/+page.svelte
View File

@ -1,5 +1,5 @@
<script lang="ts">
import { ArrowLeft, Save, Trash2, Calendar, MapPin, Users, DollarSign, Eye, X } from 'lucide-svelte';
import { ArrowLeft, Save, Trash2, Calendar, MapPin, Users, DollarSign, Eye, Clock, X } from 'lucide-svelte';
import { Input } from '$lib/components/ui/input';
import { Label } from '$lib/components/ui/label';
import { DatePicker } from '$lib/components/ui';
@ -25,6 +25,15 @@
);
let isPaid = $state(event.is_paid || false);
let rsvpDeadlineEnabled = $state(event.rsvp_deadline_enabled || false);
// Parse RSVP deadline date/time
const rsvpDeadlineJS = event.rsvp_deadline ? new Date(event.rsvp_deadline) : null;
let rsvpDeadlineDate = $state<CalendarDate | undefined>(
rsvpDeadlineJS
? new CalendarDate(rsvpDeadlineJS.getFullYear(), rsvpDeadlineJS.getMonth() + 1, rsvpDeadlineJS.getDate())
: undefined
);
// Format time for input
function formatTimeForInput(date: Date): string {
@ -335,6 +344,54 @@
</div>
</div>
<!-- RSVP Deadline -->
<div class="space-y-4">
<h2 class="flex items-center gap-2 text-lg font-semibold text-slate-900">
<Clock class="h-5 w-5 text-monaco-600" />
RSVP Deadline
</h2>
<label class="flex items-center gap-2">
<input
type="checkbox"
name="rsvp_deadline_enabled"
value="true"
bind:checked={rsvpDeadlineEnabled}
class="rounded border-slate-300"
/>
<span class="text-sm font-medium text-slate-700">Set an RSVP deadline</span>
</label>
{#if rsvpDeadlineEnabled}
<div class="grid gap-4 sm:grid-cols-2">
<div>
<Label>Deadline Date</Label>
<div class="mt-1">
<DatePicker
bind:value={rsvpDeadlineDate}
placeholder="Select deadline date"
name="rsvp_deadline_date"
/>
</div>
</div>
<div>
<Label for="rsvp_deadline_time">Deadline Time</Label>
<Input
type="time"
id="rsvp_deadline_time"
name="rsvp_deadline_time"
value={rsvpDeadlineJS ? formatTimeForInput(rsvpDeadlineJS) : '23:59'}
class="mt-1"
/>
</div>
</div>
<p class="text-xs text-slate-500">
Members will not be able to RSVP after this date and time.
</p>
{/if}
</div>
<!-- Actions -->
<div class="flex flex-col gap-4 border-t border-slate-200 pt-6 sm:flex-row sm:justify-between">
{#if member?.role === 'admin'}

23
src/routes/(app)/board/members/+page.server.ts
View File

@ -5,10 +5,14 @@ export const load: PageServerLoad = async ({ locals, url }) => {
const statusFilter = url.searchParams.get('status') || 'all';
const roleFilter = url.searchParams.get('role') || 'all';
// Get current member's role for privacy filtering
const { member } = await locals.safeGetSession();
const isPrivileged = member?.role === 'admin' || member?.role === 'board';
// Build the query - select only needed columns to avoid exposing sensitive fields
let query = locals.supabase
.from('members_with_dues')
.select('id, member_id, first_name, last_name, email, phone, role, status_name, type_name, avatar_url, created_at, nationality, address')
.select('id, member_id, first_name, last_name, email, phone, role, status_name, type_name, avatar_url, created_at, nationality, address, directory_privacy')
.order('last_name', { ascending: true });
// Apply filters
@ -49,8 +53,23 @@ export const load: PageServerLoad = async ({ locals, url }) => {
inactive: members?.filter((m: any) => m.status_name === 'inactive').length || 0
};
// Apply directory privacy settings (admins/board see everything)
const privacyFilteredMembers = isPrivileged
? filteredMembers
: filteredMembers.map((m: any) => {
const privacy = m.directory_privacy || { show_email: true, show_phone: true, show_address: false, show_nationality: true };
return {
...m,
email: privacy.show_email ? m.email : null,
phone: privacy.show_phone ? m.phone : null,
address: privacy.show_address ? m.address : null,
nationality: privacy.show_nationality ? m.nationality : null,
directory_privacy: undefined
};
});
return {
members: filteredMembers,
members: privacyFilteredMembers,
statuses: statuses || [],
stats,
filters: {

14
src/routes/(app)/board/reports/+page.server.ts
View File

@ -1,4 +1,4 @@
import type { PageServerLoad, Actions } from './$types';
import type { PageServerLoad } from './$types';
export const load: PageServerLoad = async ({ locals, url }) => {
const reportType = url.searchParams.get('type') || 'membership';
@ -128,14 +128,4 @@ export const load: PageServerLoad = async ({ locals, url }) => {
};
};
export const actions: Actions = {
exportCsv: async ({ request, locals }) => {
const formData = await request.formData();
const reportType = formData.get('report_type') as string;
const year = parseInt(formData.get('year') as string);
// Data will be generated client-side for CSV export
// This action is a placeholder for server-side export if needed
return { success: true };
}
};
// CSV export is handled by the GET endpoint at /board/reports/export/[type]

40
src/routes/(app)/board/reports/+page.svelte
View File

@ -47,42 +47,10 @@
});
}
function exportToCsv(reportType: string) {
let csvContent = '';
let filename = '';
switch (reportType) {
case 'membership':
csvContent = 'Member ID,First Name,Last Name,Email,Status,Role,Dues Status,Member Since\n';
for (const member of members) {
csvContent += `"${member.member_id}","${member.first_name}","${member.last_name}","${member.email}","${member.status_display_name || ''}","${member.role}","${member.dues_status}","${member.member_since}"\n`;
}
filename = `membership-report-${year}.csv`;
break;
case 'dues':
csvContent = 'Date,Member,Amount,Method,Reference\n';
for (const payment of payments) {
csvContent += `"${payment.payment_date}","${payment.member?.first_name} ${payment.member?.last_name}","${payment.amount}","${payment.payment_method}","${payment.reference || ''}"\n`;
}
filename = `dues-report-${year}.csv`;
break;
case 'events':
csvContent = 'Date,Event,Type,Attendees,Max Capacity,Waitlist\n';
for (const event of events) {
csvContent += `"${event.start_datetime}","${event.title}","${event.event_type_name || 'General'}","${event.total_attendees}","${event.max_attendees || 'Unlimited'}","${event.waitlist_count}"\n`;
}
filename = `events-report-${year}.csv`;
break;
}
// Create and download
const blob = new Blob([csvContent], { type: 'text/csv;charset=utf-8;' });
const link = document.createElement('a');
link.href = URL.createObjectURL(blob);
link.download = filename;
link.click();
function exportToCsv(type: string) {
// Map report tab IDs to export endpoint types
const exportType = type === 'dues' ? 'payments' : type;
window.location.href = `/board/reports/export/${exportType}?year=${year}`;
}
const reportTabs = [

139
src/routes/(app)/board/reports/export/[type]/+server.ts Normal file
View File

@ -0,0 +1,139 @@
import { error } from '@sveltejs/kit';
import type { RequestHandler } from './$types';
import { supabaseAdmin } from '$lib/server/supabase';
import { arrayToCSV, csvResponse } from '$lib/server/csv';
export const GET: RequestHandler = async ({ params, locals, url }) => {
const { member } = await locals.safeGetSession();
if (!member || (member.role !== 'board' && member.role !== 'admin')) {
throw error(403, 'Unauthorized');
}
const reportType = params.type;
const year = parseInt(url.searchParams.get('year') || new Date().getFullYear().toString());
const today = new Date().toISOString().split('T')[0];
switch (reportType) {
case 'membership':
return await exportMembership();
case 'payments':
return await exportPayments(year);
case 'events':
return await exportEvents(year);
default:
throw error(400, 'Invalid report type');
}
async function exportMembership(): Promise<Response> {
const { data: members } = await supabaseAdmin
.from('members_with_dues')
.select('*')
.order('last_name', { ascending: true });
const rows = (members || []).map((m: any) => ({
member_id: m.member_id,
first_name: m.first_name,
last_name: m.last_name,
email: m.email,
phone: m.phone || '',
status: m.status_display_name || '',
member_type: m.membership_type_name || '',
role: m.role,
dues_status: m.dues_status,
member_since: m.member_since || ''
}));
const csv = arrayToCSV(rows, [
{ key: 'member_id', header: 'Member ID' },
{ key: 'first_name', header: 'First Name' },
{ key: 'last_name', header: 'Last Name' },
{ key: 'email', header: 'Email' },
{ key: 'phone', header: 'Phone' },
{ key: 'status', header: 'Status' },
{ key: 'member_type', header: 'Member Type' },
{ key: 'role', header: 'Role' },
{ key: 'dues_status', header: 'Dues Status' },
{ key: 'member_since', header: 'Member Since' }
]);
return csvResponse(csv, `membership-report-${today}.csv`);
}
async function exportPayments(yr: number): Promise<Response> {
const startOfYear = `${yr}-01-01`;
const endOfYear = `${yr}-12-31`;
const { data: payments } = await supabaseAdmin
.from('dues_payments')
.select(`
*,
member:members(first_name, last_name, email, member_id)
`)
.gte('payment_date', startOfYear)
.lte('payment_date', endOfYear)
.order('payment_date', { ascending: false });
const rows = (payments || []).map((p: any) => ({
payment_date: p.payment_date,
member_id: p.member?.member_id || '',
member_name: p.member ? `${p.member.first_name} ${p.member.last_name}` : '',
email: p.member?.email || '',
amount: p.amount,
payment_method: p.payment_method || '',
status: p.status || 'completed',
reference: p.reference || '',
notes: p.notes || ''
}));
const csv = arrayToCSV(rows, [
{ key: 'payment_date', header: 'Payment Date' },
{ key: 'member_id', header: 'Member ID' },
{ key: 'member_name', header: 'Member Name' },
{ key: 'email', header: 'Email' },
{ key: 'amount', header: 'Amount' },
{ key: 'payment_method', header: 'Method' },
{ key: 'status', header: 'Status' },
{ key: 'reference', header: 'Reference' },
{ key: 'notes', header: 'Notes' }
]);
return csvResponse(csv, `payments-report-${yr}.csv`);
}
async function exportEvents(yr: number): Promise<Response> {
const startOfYear = `${yr}-01-01T00:00:00`;
const endOfYear = `${yr}-12-31T23:59:59`;
const { data: events } = await supabaseAdmin
.from('events_with_counts')
.select('*')
.gte('start_datetime', startOfYear)
.lte('start_datetime', endOfYear)
.order('start_datetime', { ascending: false });
const rows = (events || []).map((e: any) => ({
date: e.start_datetime ? new Date(e.start_datetime).toLocaleDateString('en-US') : '',
title: e.title,
type: e.event_type_name || 'General',
location: e.location || '',
rsvp_count: e.total_attendees || 0,
max_capacity: e.max_attendees || 'Unlimited',
waitlist: e.waitlist_count || 0,
status: e.status || ''
}));
const csv = arrayToCSV(rows, [
{ key: 'date', header: 'Date' },
{ key: 'title', header: 'Title' },
{ key: 'type', header: 'Type' },
{ key: 'location', header: 'Location' },
{ key: 'rsvp_count', header: 'RSVP Count' },
{ key: 'max_capacity', header: 'Max Capacity' },
{ key: 'waitlist', header: 'Waitlist' },
{ key: 'status', header: 'Status' }
]);
return csvResponse(csv, `events-report-${yr}.csv`);
}
};

19
src/routes/(app)/documents/+page.server.ts
View File

@ -2,19 +2,29 @@ import type { PageServerLoad } from './$types';
import { isS3Enabled } from '$lib/server/storage';
import { getVisibleLevels } from '$lib/server/visibility';
export const load: PageServerLoad = async ({ locals, parent }) => {
export const load: PageServerLoad = async ({ locals, parent, url }) => {
const { member } = await parent();
const searchQuery = url.searchParams.get('q') || '';
// Get visible visibility levels
const visibleLevels = getVisibleLevels(member?.role);
// Fetch documents with all URL columns
const { data: documents } = await locals.supabase
// Build query
let query = locals.supabase
.from('documents')
.select('*')
.in('visibility', visibleLevels)
.order('created_at', { ascending: false });
// Apply server-side search if query provided
if (searchQuery.trim()) {
// Use ilike for simple substring search (works without tsvector)
// Also try full-text search via textSearch if available
query = query.or(`title.ilike.%${searchQuery}%,description.ilike.%${searchQuery}%,file_name.ilike.%${searchQuery}%`);
}
const { data: documents } = await query;
// Fetch categories
const { data: categories } = await locals.supabase
.from('document_categories')
@ -34,7 +44,8 @@ export const load: PageServerLoad = async ({ locals, parent }) => {
return {
documents: documentsWithActiveUrl,
categories: categories || []
categories: categories || [],
searchQuery
};
};

35
src/routes/(app)/documents/+page.svelte
View File

@ -11,23 +11,36 @@
List
} from 'lucide-svelte';
import { Input } from '$lib/components/ui/input';
import { goto } from '$app/navigation';
import { page } from '$app/stores';
let { data } = $props();
const { documents, categories } = data;
let searchQuery = $state('');
let searchQuery = $state(data.searchQuery || '');
let selectedCategory = $state<string | null>(null);
let viewMode = $state<'grid' | 'list'>('grid');
// Filter documents
// Debounce server-side search
let searchTimeout: ReturnType<typeof setTimeout>;
function handleSearch(value: string) {
clearTimeout(searchTimeout);
searchTimeout = setTimeout(() => {
const params = new URLSearchParams($page.url.searchParams);
if (value.trim()) {
params.set('q', value.trim());
} else {
params.delete('q');
}
goto(`?${params.toString()}`, { replaceState: true, keepFocus: true });
}, 400);
}
// Filter documents (category is still client-side for instant feedback)
const filteredDocuments = $derived(
(documents || []).filter((doc: any) => {
const matchesSearch =
!searchQuery ||
doc.title.toLowerCase().includes(searchQuery.toLowerCase()) ||
doc.description?.toLowerCase().includes(searchQuery.toLowerCase());
const matchesCategory = !selectedCategory || doc.category_id === selectedCategory;
return matchesSearch && matchesCategory;
return matchesCategory;
})
);
@ -99,8 +112,12 @@
<Search class="absolute left-3 top-1/2 h-4 w-4 -translate-y-1/2 text-slate-400" />
<Input
type="search"
placeholder="Search documents..."
bind:value={searchQuery}
placeholder="Search documents by title, description, or filename..."
value={searchQuery}
oninput={(e) => {
searchQuery = e.currentTarget.value;
handleSearch(e.currentTarget.value);
}}
class="h-10 w-full pl-9"
/>
</div>

23
src/routes/(app)/events/+page.server.ts
View File

@ -7,16 +7,23 @@ export const load: PageServerLoad = async ({ locals, parent }) => {
// Get visible events based on user role
const visibleLevels = getVisibleLevels(member?.role);
const { data: events } = await locals.supabase
.from('events_with_counts')
.select('*')
.in('visibility', visibleLevels)
.eq('status', 'published')
.gte('start_datetime', new Date().toISOString())
.order('start_datetime', { ascending: true });
const [eventsResult, eventTypesResult] = await Promise.all([
locals.supabase
.from('events_with_counts')
.select('*')
.in('visibility', visibleLevels)
.eq('status', 'published')
.gte('start_datetime', new Date().toISOString())
.order('start_datetime', { ascending: true }),
locals.supabase
.from('event_types')
.select('id, name, color')
.order('name', { ascending: true })
]);
return {
events: events || []
events: eventsResult.data || [],
eventTypes: eventTypesResult.data || []
};
};

76
src/routes/(app)/events/+page.svelte
View File

@ -1,13 +1,36 @@
<script lang="ts">
import { Calendar, MapPin, Users, Clock, Grid, List, ChevronLeft, ChevronRight } from 'lucide-svelte';
import { Calendar, MapPin, Users, Clock, Grid, List, ChevronLeft, ChevronRight, Filter } from 'lucide-svelte';
import { Button } from '$lib/components/ui/button';
import type { EventWithCounts } from '$lib/types/database';
let { data } = $props();
const { events, member } = data;
const { events, member, eventTypes } = data;
let viewMode = $state<'list' | 'calendar'>('list');
let currentMonth = $state(new Date());
let selectedTypeIds = $state<Set<string>>(new Set());
let showFilters = $state(false);
// Filter events by selected types
const filteredEvents = $derived(
selectedTypeIds.size === 0
? events
: (events || []).filter((e: EventWithCounts) => selectedTypeIds.has(e.event_type_id))
);
function toggleTypeFilter(typeId: string) {
const next = new Set(selectedTypeIds);
if (next.has(typeId)) {
next.delete(typeId);
} else {
next.add(typeId);
}
selectedTypeIds = next;
}
function clearFilters() {
selectedTypeIds = new Set();
}
// Format date and time
function formatDateTime(dateStr: string): { date: string; time: string; weekday: string } {
@ -67,7 +90,7 @@
return groups;
}
const groupedEvents = $derived(groupEventsByDate(events || []));
const groupedEvents = $derived(groupEventsByDate(filteredEvents || []));
// Calendar helpers
function getDaysInMonth(date: Date) {
@ -93,7 +116,7 @@
function getEventsForDate(date: Date | null) {
if (!date) return [];
const dateStr = date.toDateString();
return (events || []).filter((e) => new Date(e.start_datetime).toDateString() === dateStr);
return (filteredEvents || []).filter((e: EventWithCounts) => new Date(e.start_datetime).toDateString() === dateStr);
}
function prevMonth() {
@ -123,6 +146,18 @@
</div>
<div class="flex items-center gap-2">
{#if eventTypes.length > 0}
<button
onclick={() => (showFilters = !showFilters)}
class="flex items-center gap-1.5 rounded-lg border border-slate-200 bg-white px-3 py-2 text-sm font-medium transition-colors hover:bg-slate-50 {selectedTypeIds.size > 0 ? 'border-monaco-300 text-monaco-700' : 'text-slate-600'}"
>
<Filter class="h-4 w-4" />
Filter
{#if selectedTypeIds.size > 0}
<span class="rounded-full bg-monaco-100 px-1.5 py-0.5 text-xs font-bold text-monaco-700">{selectedTypeIds.size}</span>
{/if}
</button>
{/if}
<div class="flex rounded-lg border border-slate-200 bg-white p-1">
<button
onclick={() => (viewMode = 'list')}
@ -148,6 +183,39 @@
</div>
</div>
<!-- Event Type Filters -->
{#if showFilters && eventTypes.length > 0}
<div class="glass-card flex flex-wrap items-center gap-2 p-4">
<span class="text-sm font-medium text-slate-600">Event Type:</span>
{#each eventTypes as type}
<button
onclick={() => toggleTypeFilter(type.id)}
class="flex items-center gap-1.5 rounded-full border px-3 py-1 text-sm font-medium transition-colors {selectedTypeIds.has(type.id)
? 'border-transparent text-white'
: 'border-slate-200 bg-white text-slate-600 hover:bg-slate-50'}"
style={selectedTypeIds.has(type.id) ? `background-color: ${type.color || '#6b7280'}` : ''}
>
<span
class="h-2 w-2 rounded-full"
style="background-color: {type.color || '#6b7280'}"
></span>
{type.name}
</button>
{/each}
{#if selectedTypeIds.size > 0}
<button
onclick={clearFilters}
class="ml-2 text-sm text-slate-500 hover:text-slate-700"
>
Clear all
</button>
{/if}
<span class="ml-auto text-sm text-slate-500">
{filteredEvents.length} event{filteredEvents.length !== 1 ? 's' : ''}
</span>
</div>
{/if}
{#if viewMode === 'list'}
<!-- List View -->
<div class="space-y-6">

37
src/routes/(app)/events/[id]/+page.server.ts
View File

@ -1,6 +1,7 @@
import { fail, error } from '@sveltejs/kit';
import type { Actions, PageServerLoad } from './$types';
import { sendTemplatedEmail } from '$lib/server/email';
import { sendWithPreferenceCheck } from '$lib/server/notification-preferences';
import { getVisibleLevels } from '$lib/server/visibility';
export const load: PageServerLoad = async ({ locals, params, parent }) => {
@ -63,6 +64,14 @@ export const actions: Actions = {
return fail(404, { error: 'Event not found' });
}
// Check RSVP deadline
if (event.rsvp_deadline_enabled && event.rsvp_deadline) {
const deadline = new Date(event.rsvp_deadline);
if (new Date() > deadline) {
return fail(400, { error: 'The RSVP deadline for this event has passed.' });
}
}
// Server-side guest count validation
if (event.max_guests_per_member !== null && guestCount > event.max_guests_per_member) {
return fail(400, {
@ -284,19 +293,21 @@ async function promoteFromWaitlist(
})
: 'TBD';
await sendTemplatedEmail(
'waitlist_promotion',
member.email,
{
first_name: member.first_name,
event_title: event.title || 'Event',
event_date: eventDate,
event_location: event.location || 'TBD'
},
{
recipientId: waitlisted.member_id,
recipientName: `${member.first_name} ${member.last_name}`
}
await sendWithPreferenceCheck(waitlisted.member_id, 'waitlist_promotion', () =>
sendTemplatedEmail(
'waitlist_promotion',
member.email,
{
first_name: member.first_name,
event_title: event.title || 'Event',
event_date: eventDate,
event_location: event.location || 'TBD'
},
{
recipientId: waitlisted.member_id,
recipientName: `${member.first_name} ${member.last_name}`
}
)
);
console.log(`Promoted member ${waitlisted.member_id} from waitlist for event ${eventId} and sent notification`);

34
src/routes/(app)/events/[id]/+page.svelte
View File

@ -58,6 +58,27 @@
// Check if event is in the past
const isPast = new Date(event?.end_datetime || '') < new Date();
// Check if RSVP deadline has passed
const isRsvpClosed = $derived(
event?.rsvp_deadline_enabled && event?.rsvp_deadline
? new Date() > new Date(event.rsvp_deadline)
: false
);
// Format RSVP deadline for display
const rsvpDeadlineDisplay = $derived(
event?.rsvp_deadline
? new Date(event.rsvp_deadline).toLocaleDateString('en-US', {
month: 'short',
day: 'numeric',
year: 'numeric',
hour: 'numeric',
minute: '2-digit',
hour12: true
})
: null
);
// Get type color
function getTypeColor(color: string | null): string {
return color || '#6b7280';
@ -224,8 +245,21 @@
</div>
{/if}
{#if event.rsvp_deadline_enabled && rsvpDeadlineDisplay}
<p class="mb-3 text-xs text-slate-500">
RSVP deadline: {rsvpDeadlineDisplay}
</p>
{/if}
{#if isPast}
<p class="text-slate-500">This event has already ended.</p>
{:else if isRsvpClosed}
<div class="rounded-lg bg-amber-50 border border-amber-200 p-4">
<p class="font-medium text-amber-700">RSVPs are closed</p>
<p class="mt-1 text-sm text-amber-600">
The RSVP deadline was {rsvpDeadlineDisplay}.
</p>
</div>
{:else if rsvp}
<!-- Existing RSVP -->
<div

42
src/routes/(app)/settings/+page.server.ts
View File

@ -36,8 +36,21 @@ export const load: PageServerLoad = async ({ parent, locals }) => {
}
}
// Load directory privacy settings
const { data: privacyData } = await locals.supabase
.from('members')
.select('directory_privacy')
.eq('id', member.id)
.single();
return {
member,
directoryPrivacy: privacyData?.directory_privacy || {
show_email: true,
show_phone: true,
show_address: false,
show_nationality: true
},
notificationPrefs: notificationPrefs || {
email_event_rsvp_confirmation: true,
email_event_reminder: true,
@ -366,5 +379,34 @@ export const actions: Actions = {
}
return { success: 'Monaco USA email password updated successfully!' };
},
updateDirectoryPrivacy: async ({ request, locals }) => {
const { member } = await locals.safeGetSession();
if (!member) {
return fail(401, { error: 'Not authenticated' });
}
const formData = await request.formData();
const directoryPrivacy = {
show_email: formData.get('show_email') === 'on',
show_phone: formData.get('show_phone') === 'on',
show_address: formData.get('show_address') === 'on',
show_nationality: formData.get('show_nationality') === 'on'
};
const { error } = await locals.supabase
.from('members')
.update({ directory_privacy: directoryPrivacy })
.eq('id', member.id);
if (error) {
console.error('Failed to update directory privacy:', error);
return fail(500, { error: 'Failed to update privacy settings' });
}
return { success: 'Directory privacy settings saved!' };
}
};

95
src/routes/(app)/settings/+page.svelte
View File

@ -867,6 +867,101 @@
</button>
</div>
</form>
<!-- Directory Privacy -->
<form
method="POST"
action="?/updateDirectoryPrivacy"
use:enhance={() => {
isSubmitting = true;
return async ({ update }) => {
await invalidateAll();
await update();
isSubmitting = false;
};
}}
class="mt-6"
>
<div class="glass-card p-6">
<div class="mb-4 flex items-center gap-3">
<div class="flex h-10 w-10 items-center justify-center rounded-lg bg-slate-100">
<Eye class="h-5 w-5 text-slate-600" />
</div>
<div>
<h2 class="text-lg font-semibold text-slate-900">Directory Privacy</h2>
<p class="text-sm text-slate-500">Control what other members can see in the directory</p>
</div>
</div>
<div class="space-y-3">
<label class="flex items-center justify-between rounded-lg border border-slate-200 p-4">
<div>
<p class="font-medium text-slate-900">Email Address</p>
<p class="text-sm text-slate-500">Show your email in the member directory</p>
</div>
<input
type="checkbox"
name="show_email"
checked={data.directoryPrivacy?.show_email !== false}
class="h-4 w-4 rounded border-slate-300 text-monaco-600"
/>
</label>
<label class="flex items-center justify-between rounded-lg border border-slate-200 p-4">
<div>
<p class="font-medium text-slate-900">Phone Number</p>
<p class="text-sm text-slate-500">Show your phone number in the member directory</p>
</div>
<input
type="checkbox"
name="show_phone"
checked={data.directoryPrivacy?.show_phone !== false}
class="h-4 w-4 rounded border-slate-300 text-monaco-600"
/>
</label>
<label class="flex items-center justify-between rounded-lg border border-slate-200 p-4">
<div>
<p class="font-medium text-slate-900">Address</p>
<p class="text-sm text-slate-500">Show your address in the member directory</p>
</div>
<input
type="checkbox"
name="show_address"
checked={data.directoryPrivacy?.show_address === true}
class="h-4 w-4 rounded border-slate-300 text-monaco-600"
/>
</label>
<label class="flex items-center justify-between rounded-lg border border-slate-200 p-4">
<div>
<p class="font-medium text-slate-900">Nationality</p>
<p class="text-sm text-slate-500">Show your nationality flags in the member directory</p>
</div>
<input
type="checkbox"
name="show_nationality"
checked={data.directoryPrivacy?.show_nationality !== false}
class="h-4 w-4 rounded border-slate-300 text-monaco-600"
/>
</label>
</div>
<p class="mt-3 text-xs text-slate-400">
Board members and admins can always see all fields regardless of these settings.
</p>
<div class="mt-4 flex justify-end">
<button
type="submit"
disabled={isSubmitting}
class="rounded-lg bg-monaco-600 px-6 py-2 text-sm font-medium text-white hover:bg-monaco-700 disabled:opacity-50"
>
{isSubmitting ? 'Saving...' : 'Save Privacy Settings'}
</button>
</div>
</div>
</form>
{/if}
<!-- Account Tab -->

39
src/routes/join/+page.server.ts
View File

@ -1,6 +1,7 @@
import { fail, redirect } from '@sveltejs/kit';
import type { Actions, PageServerLoad } from './$types';
import { createMemberRecord, cleanupAuthUser, sendWelcomeEmail } from '$lib/server/registration';
import { checkRateLimit } from '$lib/server/rate-limit';
export const load: PageServerLoad = async ({ locals, url }) => {
const { session } = await locals.safeGetSession();
@ -134,6 +135,17 @@ export const actions: Actions = {
return fail(400, { error: 'You must accept the terms and conditions', step: 2 });
}
// Rate limit signup attempts by email
const rateLimitKey = `signup:${email}`;
const rateCheck = checkRateLimit(rateLimitKey, 3, 15 * 60 * 1000); // 3 attempts per 15 min
if (!rateCheck.allowed) {
const retryMinutes = Math.ceil((rateCheck.retryAfterMs || 0) / 60000);
return fail(429, {
error: `Too many signup attempts. Please try again in ${retryMinutes} minute${retryMinutes !== 1 ? 's' : ''}.`,
step: 2
});
}
// Create Supabase auth user
const { data: authData, error: authError } = await locals.supabase.auth.signUp({
email,
@ -212,14 +224,27 @@ export const actions: Actions = {
return fail(401, { error: 'Not authenticated', step: 3 });
}
// For now, just proceed to next step
// Avatar upload can be handled via the profile page later
// or we can add proper file handling here
const formData = await request.formData();
const photoFile = formData.get('photo') as File | null;
return {
success: true,
step: 3
};
// Photo is optional during onboarding - allow skipping
if (!photoFile || photoFile.size === 0) {
return { success: true, step: 3 };
}
// Use the shared avatar upload handler (admin mode to bypass RLS)
const { handleAvatarUpload } = await import('$lib/server/member-profile');
const result = await handleAvatarUpload(
{ id: session.user.id },
photoFile,
{ useAdmin: true }
);
if (!result.success) {
return fail(400, { error: result.error || 'Failed to upload photo', step: 3 });
}
return { success: true, step: 3 };
},
complete: async ({ locals }) => {

280
supabase/docker/kong.yml
View File

@ -36,6 +36,34 @@ services:
preserve_host: false
plugins:
- name: cors
config:
origins:
- https://portal.monacousa.org
- https://monacousa.org
- http://localhost:7453
- http://localhost:3000
methods:
- GET
- POST
- PUT
- PATCH
- DELETE
- OPTIONS
headers:
- Accept
- Accept-Version
- Authorization
- Content-Length
- Content-Type
- Date
- X-Auth-Token
- apikey
- x-client-info
exposed_headers:
- Content-Length
- Content-Range
credentials: true
max_age: 3600
## Auth Service (GoTrue)
- name: auth-v1-open
@ -47,6 +75,34 @@ services:
- /auth/v1/verify
plugins:
- name: cors
config:
origins:
- https://portal.monacousa.org
- https://monacousa.org
- http://localhost:7453
- http://localhost:3000
methods:
- GET
- POST
- PUT
- PATCH
- DELETE
- OPTIONS
headers:
- Accept
- Accept-Version
- Authorization
- Content-Length
- Content-Type
- Date
- X-Auth-Token
- apikey
- x-client-info
exposed_headers:
- Content-Length
- Content-Range
credentials: true
max_age: 3600
- name: auth-v1-open-callback
url: http://auth:9999/callback
@ -57,6 +113,34 @@ services:
- /auth/v1/callback
plugins:
- name: cors
config:
origins:
- https://portal.monacousa.org
- https://monacousa.org
- http://localhost:7453
- http://localhost:3000
methods:
- GET
- POST
- PUT
- PATCH
- DELETE
- OPTIONS
headers:
- Accept
- Accept-Version
- Authorization
- Content-Length
- Content-Type
- Date
- X-Auth-Token
- apikey
- x-client-info
exposed_headers:
- Content-Length
- Content-Range
credentials: true
max_age: 3600
- name: auth-v1-open-authorize
url: http://auth:9999/authorize
@ -67,6 +151,34 @@ services:
- /auth/v1/authorize
plugins:
- name: cors
config:
origins:
- https://portal.monacousa.org
- https://monacousa.org
- http://localhost:7453
- http://localhost:3000
methods:
- GET
- POST
- PUT
- PATCH
- DELETE
- OPTIONS
headers:
- Accept
- Accept-Version
- Authorization
- Content-Length
- Content-Type
- Date
- X-Auth-Token
- apikey
- x-client-info
exposed_headers:
- Content-Length
- Content-Range
credentials: true
max_age: 3600
- name: auth-v1
url: http://auth:9999/
@ -77,6 +189,34 @@ services:
- /auth/v1/
plugins:
- name: cors
config:
origins:
- https://portal.monacousa.org
- https://monacousa.org
- http://localhost:7453
- http://localhost:3000
methods:
- GET
- POST
- PUT
- PATCH
- DELETE
- OPTIONS
headers:
- Accept
- Accept-Version
- Authorization
- Content-Length
- Content-Type
- Date
- X-Auth-Token
- apikey
- x-client-info
exposed_headers:
- Content-Length
- Content-Range
credentials: true
max_age: 3600
- name: key-auth
config:
hide_credentials: false
@ -97,6 +237,34 @@ services:
- /rest/v1/
plugins:
- name: cors
config:
origins:
- https://portal.monacousa.org
- https://monacousa.org
- http://localhost:7453
- http://localhost:3000
methods:
- GET
- POST
- PUT
- PATCH
- DELETE
- OPTIONS
headers:
- Accept
- Accept-Version
- Authorization
- Content-Length
- Content-Type
- Date
- X-Auth-Token
- apikey
- x-client-info
exposed_headers:
- Content-Length
- Content-Range
credentials: true
max_age: 3600
- name: key-auth
config:
hide_credentials: false
@ -117,6 +285,34 @@ services:
- /realtime/v1/websocket
plugins:
- name: cors
config:
origins:
- https://portal.monacousa.org
- https://monacousa.org
- http://localhost:7453
- http://localhost:3000
methods:
- GET
- POST
- PUT
- PATCH
- DELETE
- OPTIONS
headers:
- Accept
- Accept-Version
- Authorization
- Content-Length
- Content-Type
- Date
- X-Auth-Token
- apikey
- x-client-info
exposed_headers:
- Content-Length
- Content-Range
credentials: true
max_age: 3600
- name: key-auth
config:
hide_credentials: false
@ -136,6 +332,34 @@ services:
- /realtime/v1/
plugins:
- name: cors
config:
origins:
- https://portal.monacousa.org
- https://monacousa.org
- http://localhost:7453
- http://localhost:3000
methods:
- GET
- POST
- PUT
- PATCH
- DELETE
- OPTIONS
headers:
- Accept
- Accept-Version
- Authorization
- Content-Length
- Content-Type
- Date
- X-Auth-Token
- apikey
- x-client-info
exposed_headers:
- Content-Length
- Content-Range
credentials: true
max_age: 3600
- name: key-auth
config:
hide_credentials: false
@ -156,6 +380,34 @@ services:
- /storage/v1/object/public
plugins:
- name: cors
config:
origins:
- https://portal.monacousa.org
- https://monacousa.org
- http://localhost:7453
- http://localhost:3000
methods:
- GET
- POST
- PUT
- PATCH
- DELETE
- OPTIONS
headers:
- Accept
- Accept-Version
- Authorization
- Content-Length
- Content-Type
- Date
- X-Auth-Token
- apikey
- x-client-info
exposed_headers:
- Content-Length
- Content-Range
credentials: true
max_age: 3600
## Storage Service - All other operations (auth required)
- name: storage-v1
@ -167,6 +419,34 @@ services:
- /storage/v1/
plugins:
- name: cors
config:
origins:
- https://portal.monacousa.org
- https://monacousa.org
- http://localhost:7453
- http://localhost:3000
methods:
- GET
- POST
- PUT
- PATCH
- DELETE
- OPTIONS
headers:
- Accept
- Accept-Version
- Authorization
- Content-Length
- Content-Type
- Date
- X-Auth-Token
- apikey
- x-client-info
exposed_headers:
- Content-Length
- Content-Range
credentials: true
max_age: 3600
- name: key-auth
config:
hide_credentials: false

66
supabase/migrations/018_atomic_member_id_generation.sql Normal file
View File

@ -0,0 +1,66 @@
-- Fix Race Condition in Member ID Generation
-- ============================================
-- Problem: Current implementation uses MAX() or COUNT() which allows duplicate IDs
-- if two registrations happen simultaneously.
--
-- Solution: Use PostgreSQL sequence for atomic ID generation.
-- Step 1: Create sequence for member IDs
-- Find the highest existing member number to set starting point
DO $$
DECLARE
max_num INTEGER;
BEGIN
-- Extract numeric part from existing member_ids (handles both MUSA-XXXX and MUSA-YYYY-XXXX formats)
SELECT COALESCE(
MAX(
CAST(
SUBSTRING(
member_id FROM '[0-9]+$' -- Get trailing digits
) AS INTEGER
)
),
0
) INTO max_num
FROM public.members;
-- Create sequence starting from next available number
EXECUTE format('CREATE SEQUENCE IF NOT EXISTS member_id_seq START WITH %s', max_num + 1);
END $$;
-- Step 2: Replace trigger function to use sequence
CREATE OR REPLACE FUNCTION generate_member_id()
RETURNS TRIGGER AS $$
DECLARE
next_num INTEGER;
current_year TEXT;
BEGIN
-- Only generate if member_id is not already set
IF NEW.member_id IS NOT NULL THEN
RETURN NEW;
END IF;
-- Get next number from sequence (atomic operation)
next_num := NEXTVAL('member_id_seq');
current_year := EXTRACT(YEAR FROM CURRENT_DATE)::TEXT;
-- Format: MUSA-YYYY-XXXX (matches application format)
NEW.member_id := 'MUSA-' || current_year || '-' || LPAD(next_num::TEXT, 4, '0');
RETURN NEW;
END;
$$ LANGUAGE plpgsql;
-- Step 3: Ensure trigger exists (should already exist from 001_initial_schema.sql)
DROP TRIGGER IF EXISTS set_member_id ON public.members;
CREATE TRIGGER set_member_id
BEFORE INSERT ON public.members
FOR EACH ROW
WHEN (NEW.member_id IS NULL)
EXECUTE FUNCTION generate_member_id();
-- Step 4: Add index on member_id for faster lookups (if not exists)
CREATE INDEX IF NOT EXISTS idx_members_member_id ON public.members(member_id);
COMMENT ON SEQUENCE member_id_seq IS 'Atomic sequence for generating unique member IDs. Used by generate_member_id() trigger.';
COMMENT ON FUNCTION generate_member_id() IS 'Atomically generates member IDs using NEXTVAL(member_id_seq) to prevent race conditions.';

42
supabase/migrations/019_fix_admin_role_assignment.sql Normal file
View File

@ -0,0 +1,42 @@
-- Fix admin role assignment broken by migration 017
-- ============================================
-- Problem: Migration 017's WITH CHECK prevents admins from updating other members' roles
-- because the only UPDATE policy on members requires auth.uid() = id.
-- Solution: Replace the overly restrictive policy with a properly scoped one,
-- and add a separate policy for admins to update any member.
-- Drop the problematic policy from 017 if it exists
DROP POLICY IF EXISTS "Users can update own profile" ON public.members;
-- Also drop by the name used in 017 re-creation (same name, just being safe)
DROP POLICY IF EXISTS "Members can update own non-role fields" ON public.members;
-- Allow members to update their own non-role fields (profile info)
CREATE POLICY "Members can update own profile"
ON public.members
FOR UPDATE
TO authenticated
USING (auth.uid() = id)
WITH CHECK (
auth.uid() = id
AND role = (SELECT role FROM public.members WHERE id = auth.uid())
);
-- Allow admins to update any member (including role changes) EXCEPT their own role
CREATE POLICY "Admins can update other members"
ON public.members
FOR UPDATE
TO authenticated
USING (
EXISTS (
SELECT 1 FROM public.members
WHERE id = auth.uid() AND role = 'admin'
)
)
WITH CHECK (
-- Admins can change any field on other members
(id != auth.uid())
OR
-- On their own record, admins can update non-role fields (role must stay the same)
(id = auth.uid() AND role = (SELECT role FROM public.members WHERE id = auth.uid()))
);

33
supabase/migrations/020_approval_email_templates.sql Normal file
View File

@ -0,0 +1,33 @@
-- Member approval workflow enhancements
-- ============================================
-- Add approval tracking columns to members table
ALTER TABLE public.members ADD COLUMN IF NOT EXISTS approved_at TIMESTAMPTZ;
ALTER TABLE public.members ADD COLUMN IF NOT EXISTS approved_by UUID REFERENCES auth.users(id);
ALTER TABLE public.members ADD COLUMN IF NOT EXISTS rejected_at TIMESTAMPTZ;
ALTER TABLE public.members ADD COLUMN IF NOT EXISTS rejected_by UUID REFERENCES auth.users(id);
ALTER TABLE public.members ADD COLUMN IF NOT EXISTS rejection_reason TEXT;
-- Add approval email templates
INSERT INTO public.email_templates (template_key, template_name, category, subject, body_html, body_text, is_active)
VALUES
('member_approved', 'Member Approved', 'membership', 'Welcome to Monaco USA - Membership Approved!',
'<h2 style="color: #22c55e; text-align: center;">Membership Approved!</h2>
<p style="color: #334155; line-height: 1.6;">Dear {{first_name}},</p>
<p style="color: #334155; line-height: 1.6;">We are pleased to inform you that your membership application to Monaco USA has been <strong>approved</strong>!</p>
<p style="color: #334155; line-height: 1.6;">Your member ID is: <strong>{{member_id}}</strong></p>
<p style="color: #334155; line-height: 1.6;">You now have full access to the member portal, including events, documents, and the member directory.</p>
<div style="text-align: center; margin: 24px 0;">
<a href="{{site_url}}/dashboard" style="background: #CE1126; color: white; padding: 12px 24px; border-radius: 8px; text-decoration: none; font-weight: bold;">Visit Your Dashboard</a>
</div>',
'Dear {{first_name}}, Your membership to Monaco USA has been approved! Your member ID is {{member_id}}.',
true),
('member_rejected', 'Member Rejected', 'membership', 'Monaco USA - Membership Application Update',
'<h2 style="color: #ef4444; text-align: center;">Application Update</h2>
<p style="color: #334155; line-height: 1.6;">Dear {{first_name}},</p>
<p style="color: #334155; line-height: 1.6;">Thank you for your interest in Monaco USA. After careful review, we regret to inform you that your membership application was not approved at this time.</p>
<p style="color: #334155; line-height: 1.6;">{{reason}}</p>
<p style="color: #334155; line-height: 1.6;">If you have questions, please contact us at info@monacousa.org.</p>',
'Dear {{first_name}}, Thank you for your interest in Monaco USA. After review, your membership application was not approved at this time.',
true)
ON CONFLICT (template_key) DO NOTHING;

9
supabase/migrations/021_rsvp_deadlines.sql Normal file
View File

@ -0,0 +1,9 @@
-- RSVP Deadline Control
-- ============================================
-- Allows event organizers to set an RSVP cutoff date/time.
ALTER TABLE public.events ADD COLUMN IF NOT EXISTS rsvp_deadline TIMESTAMPTZ;
ALTER TABLE public.events ADD COLUMN IF NOT EXISTS rsvp_deadline_enabled BOOLEAN DEFAULT FALSE;
COMMENT ON COLUMN public.events.rsvp_deadline IS 'Optional RSVP cutoff date/time. RSVPs are blocked after this time.';
COMMENT ON COLUMN public.events.rsvp_deadline_enabled IS 'Whether the RSVP deadline is enforced for this event.';

14
supabase/migrations/022_directory_privacy.sql Normal file
View File

@ -0,0 +1,14 @@
-- Migration 022: Directory Privacy Settings
-- Adds privacy controls for member directory visibility
-- Add directory_privacy JSONB column to members table
ALTER TABLE public.members
ADD COLUMN IF NOT EXISTS directory_privacy JSONB DEFAULT '{
"show_email": true,
"show_phone": true,
"show_address": false,
"show_nationality": true
}'::jsonb;
-- Add comment
COMMENT ON COLUMN public.members.directory_privacy IS 'Controls which fields are visible in the member directory. Admins always see all fields.';

38
supabase/migrations/023_document_search.sql Normal file
View File

@ -0,0 +1,38 @@
-- Migration 023: Document Full-Text Search
-- Adds tsvector column and GIN index for fast document searching
-- Add search vector column
ALTER TABLE public.documents
ADD COLUMN IF NOT EXISTS search_vector tsvector;
-- Populate existing documents
UPDATE public.documents
SET search_vector = to_tsvector('english',
coalesce(title, '') || ' ' ||
coalesce(description, '') || ' ' ||
coalesce(file_name, '')
);
-- Create GIN index for fast full-text search
CREATE INDEX IF NOT EXISTS idx_documents_search
ON public.documents USING GIN (search_vector);
-- Create trigger to keep search_vector updated
CREATE OR REPLACE FUNCTION update_document_search_vector()
RETURNS TRIGGER AS $$
BEGIN
NEW.search_vector := to_tsvector('english',
coalesce(NEW.title, '') || ' ' ||
coalesce(NEW.description, '') || ' ' ||
coalesce(NEW.file_name, '')
);
RETURN NEW;
END;
$$ LANGUAGE plpgsql;
DROP TRIGGER IF EXISTS trg_update_document_search ON public.documents;
CREATE TRIGGER trg_update_document_search
BEFORE INSERT OR UPDATE OF title, description, file_name
ON public.documents
FOR EACH ROW
EXECUTE FUNCTION update_document_search_vector();

45
supabase/migrations/024_cron_execution_logs.sql Normal file
View File

@ -0,0 +1,45 @@
-- Migration 024: Cron Execution Logs
-- Tracks cron job execution history for monitoring
CREATE TABLE IF NOT EXISTS public.cron_execution_logs (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
job_name TEXT NOT NULL,
status TEXT NOT NULL DEFAULT 'running' CHECK (status IN ('running', 'completed', 'failed')),
started_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
completed_at TIMESTAMPTZ,
duration_ms INTEGER,
result JSONB,
error_message TEXT,
triggered_by TEXT DEFAULT 'cron'
);
-- Index for quick lookups
CREATE INDEX IF NOT EXISTS idx_cron_logs_job_name ON public.cron_execution_logs (job_name, started_at DESC);
CREATE INDEX IF NOT EXISTS idx_cron_logs_started ON public.cron_execution_logs (started_at DESC);
-- Enable RLS
ALTER TABLE public.cron_execution_logs ENABLE ROW LEVEL SECURITY;
-- Only admins can read cron logs
CREATE POLICY "Admins can read cron logs"
ON public.cron_execution_logs
FOR SELECT
TO authenticated
USING (
EXISTS (
SELECT 1 FROM public.members
WHERE members.user_id = auth.uid()
AND members.role = 'admin'
)
);
-- Service role can insert/update (for cron endpoints)
CREATE POLICY "Service role can manage cron logs"
ON public.cron_execution_logs
FOR ALL
TO service_role
USING (true)
WITH CHECK (true);
-- Auto-cleanup: keep only 90 days of logs
COMMENT ON TABLE public.cron_execution_logs IS 'Tracks cron job execution history. Entries older than 90 days should be periodically purged.';

44
supabase/migrations/025_bulk_emails.sql Normal file
View File

@ -0,0 +1,44 @@
-- Migration 025: Bulk Email Broadcasts
-- Tracks bulk email campaigns sent to members
CREATE TABLE IF NOT EXISTS public.bulk_emails (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
subject TEXT NOT NULL,
body TEXT NOT NULL,
recipient_filter JSONB DEFAULT '{"target": "all"}'::jsonb,
total_recipients INTEGER DEFAULT 0,
sent_count INTEGER DEFAULT 0,
failed_count INTEGER DEFAULT 0,
status TEXT NOT NULL DEFAULT 'draft' CHECK (status IN ('draft', 'sending', 'completed', 'failed')),
sent_by UUID REFERENCES auth.users(id),
sent_by_name TEXT,
created_at TIMESTAMPTZ DEFAULT NOW(),
sent_at TIMESTAMPTZ,
completed_at TIMESTAMPTZ
);
-- Index for listing
CREATE INDEX IF NOT EXISTS idx_bulk_emails_created ON public.bulk_emails (created_at DESC);
-- Enable RLS
ALTER TABLE public.bulk_emails ENABLE ROW LEVEL SECURITY;
-- Only admins can manage bulk emails
CREATE POLICY "Admins can manage bulk emails"
ON public.bulk_emails
FOR ALL
TO authenticated
USING (
EXISTS (
SELECT 1 FROM public.members
WHERE members.user_id = auth.uid()
AND members.role = 'admin'
)
);
CREATE POLICY "Service role full access to bulk emails"
ON public.bulk_emails
FOR ALL
TO service_role
USING (true)
WITH CHECK (true);