fix(audit-tier-6): validation, perms, ops/infra, per-port webhook secret

Final audit polish — closes the remaining LOW + MED items the previous tiers didn't reach: * Validation hardening: me.preferences uses .strict() + 8KB cap instead of unbounded .passthrough(); files.uploadFile gains magic-byte verification (jpeg/png/gif/webp/pdf/doc/xlsx); OCR scan endpoint enforces 10MB cap + magic-byte check on receipt images; port logoUrl + me.avatarUrl reject javascript:/data: schemes via a shared httpUrl refinement. * Permission gates: document-sends/{brochure,berth-pdf} now require email.send (was withAuth-only); document-sends/{preview,list} on email.view; ai/email-draft on email.send; documents/[id]/send uses send_for_signing (was create); expenses/export/parent-company flips from hard isSuperAdmin to expenses.export for parity; admin/users/options gated on reminders.assign_others (was withAuth). * Envelope hygiene: auth/set-password switches the third {message} variant to errorResponse + {data: {email}}; ai/email-draft wraps jobId in {data: {jobId}}. * UI polish: reports-list.handleDownload surfaces failures via toastError (was console-only). * Ops/infra: pin pnpm@10.33.2 across all three Dockerfiles + packageManager field in package.json; Dockerfile.worker re-orders user creation BEFORE pnpm install so node_modules / .cache dirs are worker-owned (fixes tesseract.js + sharp EACCES at first PDF parse); add Redis-ping HEALTHCHECK to the worker container. * Public health endpoint: returns full env+appUrl payload only when the caller presents X-Intake-Secret, otherwise a minimal {status} so generic uptime monitors still work but anonymous internet doesn't get deployment fingerprints. * Per-port Documenso webhook secret: new system_settings key + listDocumensoWebhookSecrets() helper. The webhook receiver iterates every configured per-port secret with timing-safe comparison + falls back to env, then forwards the resolved portId into handleDocumentExpired so two ports sharing a documensoId cannot cross-mutate. Deferred (handled in dedicated follow-up PRs): * Tier 5.1 — direct service tests for portal-auth / users / email-accounts / document-sends / sales-email-config. MED, large test-writing scope. * The {ok: true} → {data: null} envelope migration across alerts/expenses/admin-ocr-settings/storage routes. Mechanical but needs coordinated client + test updates. * CSP-nonce migration (drop unsafe-inline) — needs middleware-level nonce generation that the Next 15 router has to thread through. * Idempotency-Key header on Documenso createDocument. Requires schema column on documents to persist the key; deferred so it doesn't bundle a migration into this commit. * The 16 better-auth user_id FKs — separate dedicated migration with care (some columns are NOT NULL today and cascade decisions matter). * PermissionGate / Skeleton / EmptyState wraps across 5 admin lists (auditor-H §§36–37) and the residential-clients filter bar. Test status: 1175/1175 vitest, tsc clean. Refs: docs/audit-comprehensive-2026-05-05.md MED §§28,29,30 + LOW §§32–43 + HIGH §9 (Documenso secrets follow-up). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 21:03:31 +02:00
parent 4bab6de8be
commit 83239104e0
22 changed files with 402 additions and 176 deletions
--- a/src/app/api/v1/expenses/export/parent-company/route.ts
+++ b/src/app/api/v1/expenses/export/parent-company/route.ts
@@ -1,26 +1,29 @@
 import { NextResponse } from 'next/server';

-import { requireSuperAdmin, withAuth } from '@/lib/api/helpers';
+import { withAuth, withPermission } from '@/lib/api/helpers';
 import { errorResponse } from '@/lib/errors';
 import { exportParentCompany } from '@/lib/services/expense-export';
 import { listExpensesSchema } from '@/lib/validators/expenses';

-export const POST = withAuth(async (req, ctx) => {
-  try {
-    requireSuperAdmin(ctx, 'expenses.export.parent-company');
+// Gated on `expenses.export` for parity with sibling export routes
+// (auditor-A3 §5). Hard `isSuperAdmin` check used to lock out port
+// admins who held expenses.export = true.
+export const POST = withAuth(
+  withPermission('expenses', 'export', async (req, ctx) => {
+    try {
+      const body = await req.json().catch(() => ({}));
+      const query = listExpensesSchema.parse(body);
+      const pdf = await exportParentCompany(ctx.portId, query);

-    const body = await req.json().catch(() => ({}));
-    const query = listExpensesSchema.parse(body);
-    const pdf = await exportParentCompany(ctx.portId, query);
-
-    return new NextResponse(Buffer.from(pdf), {
-      status: 200,
-      headers: {
-        'Content-Type': 'application/pdf',
-        'Content-Disposition': `attachment; filename="expenses-parent-company-${Date.now()}.pdf"`,
-      },
-    });
-  } catch (error) {
-    return errorResponse(error);
-  }
-});
+      return new NextResponse(Buffer.from(pdf), {
+        status: 200,
+        headers: {
+          'Content-Type': 'application/pdf',
+          'Content-Disposition': `attachment; filename="expenses-parent-company-${Date.now()}.pdf"`,
+        },
+      });
+    } catch (error) {
+      return errorResponse(error);
+    }
+  }),
+);
--- a/src/app/api/v1/expenses/scan-receipt/route.ts
+++ b/src/app/api/v1/expenses/scan-receipt/route.ts
@@ -30,8 +30,22 @@ export const POST = withAuth(
        const formData = await req.formData();
        const file = formData.get('file') as File | null;
        if (!file) throw new ValidationError('A file is required');
+        // Hard 10 MB cap — without this any authenticated rep could grief
+        // their own port's AI budget by sending arbitrarily large images
+        // and burning OCR tokens (auditor-E3 §28).
+        const MAX_OCR_BYTES = 10 * 1024 * 1024;
+        if (file.size > MAX_OCR_BYTES) {
+          throw new ValidationError('Receipt image is too large (10 MB max).');
+        }
        const buffer = Buffer.from(await file.arrayBuffer());
        const mimeType = file.type || 'image/jpeg';
+        // Magic-byte gate so a forged Content-Type doesn't reach the OCR
+        // provider with arbitrary bytes.
+        const { bufferMatchesMime } = await import('@/lib/constants/file-validation');
+        const allowedOcrMimes = ['image/jpeg', 'image/png', 'image/webp'];
+        if (!allowedOcrMimes.includes(mimeType) || !bufferMatchesMime(buffer, mimeType)) {
+          throw new ValidationError('Unsupported receipt image type.');
+        }

        const config = await getResolvedOcrConfig(ctx.portId);
        // Tesseract.js (in-browser) is the default. The server only invokes