letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

audit: 33-agent comprehensive audit + critical fixes

Browse Source 
Full team audit run, all reports verbatim in docs/AUDIT-2026-05-12.md
(5900+ lines, 30+ critical findings). Already-fixed this commit:
- permission-overrides PUT: self-target block + RolePermissions allow-list + cross-tenant guard
- /api/auth/resolve-identifier: rate-limit + synthetic miss-email kill enumeration
- admin email-change: rotates account.accountId + revokes sessions
- middleware: token-gated email confirm/cancel routes whitelisted
- NAV_CATALOG: 10 dead-link sweeps to existing /admin/<x> targets

Feature work landing same commit: optional username sign-in
(migration 0054), per-user permission overrides (0055) with three-state
matrix tabbed inside UserForm, user disable button, role + outcome +
stage label normalisation across the platform, admin email-change
with auto-notification template.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt
2026-05-12 16:52:35 +02:00
parent 660553c074
commit 4b9743a594
31 changed files with 7042 additions and 81 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
src/lib/db/migrations/0054_user_profiles_username.sql Normal file
View File

@@ -0,0 +1,31 @@
-- 0054_user_profiles_username.sql
-- ----------------------------------------------------------------------------
-- Optional username as a sign-in alternative to email. Stored alongside the
-- canonical first/last name on user_profiles so the rest of the auth/profile
-- code keeps a single place to look. The Better-Auth `user` table stays the
-- source of truth for email + password; the username is a thin alias the
-- login form looks up to resolve to the matching email before delegating
-- to better-auth's email/password flow.
--
-- Constraints (enforced application-side AND in SQL):
-- - 2..30 characters
-- - lowercase letters, digits, dot, underscore, hyphen
-- - case-insensitive uniqueness per install (no per-port scoping —
-- reps move between ports and a global username keeps URLs stable)
--
-- The column is nullable; existing users keep email-only sign-in until they
-- pick one.
ALTER TABLE user_profiles
ADD COLUMN IF NOT EXISTS username TEXT;
-- Shape check at the DB level catches anything that slipped past the API
-- (raw SQL inserts in tests, scripts, etc.).
ALTER TABLE user_profiles
ADD CONSTRAINT chk_user_profiles_username_shape
CHECK (username IS NULL OR username ~ '^[a-z0-9._-]{2,30}$');
-- Case-insensitive uniqueness. Partial so multiple NULLs are allowed.
CREATE UNIQUE INDEX IF NOT EXISTS idx_user_profiles_username_unique
ON user_profiles (LOWER(username))
WHERE username IS NOT NULL;