letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(audit-v2): platform-wide post-merge hardening across 5 domains

Browse Source 
Five-domain audit (security, routes, DB, integrations, UI/UX) ran after
the cf37d09 merge. Critical + high-impact items landed here; deferred
medium/low items indexed in docs/audit-final-deferred.md (now organised
into a "Audit-final v2" section).

Security:
- Storage proxy tokens now bind to op (`'get'` vs `'put'`). A long-lived
  download URL minted by `presignDownload` for an emailed brochure can no
  longer be replayed against the proxy PUT to overwrite the original
  storage object. `verifyProxyToken` requires `expectedOp` and rejects
  mismatches; legacy tokens missing `op` fail-closed. Regression tests
  added.
- Markdown email merge values are now markdown-escaped (`[`, `]`, `(`,
  `)`, `*`, `_`, `\`, backticks, braces) before substitution into the
  rep-authored body. A malicious value like `[click here](https://evil)`
  stored in `client.fullName` no longer survives `escapeHtml` to render
  as a real `<a href>` in the outbound email. Phishing-via-merge-field
  closed; regression tests added.
- Middleware now performs an Origin/Referer check on
  POST/PUT/PATCH/DELETE to `/api/v1/**`. Defense-in-depth on top of
  better-auth's SameSite=Lax cookie. Webhooks/public/auth/portal routes
  exempt as they don't carry the session cookie.

Routes:
- Template management routes were calling `withPermission('documents',
  'manage', ...)` — but `documents` doesn't have a `manage` action. The
  registry has `document_templates.manage`. Every non-superadmin was
  getting 403'd on the seven template endpoints. Fixed across the
  /admin/templates surface.
- Custom-fields permission resource is hardcoded to `clients` regardless
  of which entity (yacht/company/etc.) the values belong to. Documented
  as deferred (requires per-entity routes).

DB:
- documentSends: every parent FK (client_id, interest_id, berth_id,
  brochure_id, brochure_version_id) now uses ON DELETE SET NULL so the
  audit trail outlasts hard-deletes. The denormalized columns
  (recipient_email, document_kind, body_markdown, from_address) were
  added precisely for this. Migration 0035.
- Polymorphic discriminators on yachts.current_owner_type and
  invoices.billing_entity_type now have CHECK constraints — typos like
  `'clients'` vs `'client'` were silently inserting unreachable rows
  before. Migration 0036.

Integrations:
- Email attachment resolution (`src/lib/email/index.ts`) was importing
  MinIO directly instead of `getStorageBackend()`. Filesystem-backend
  deployments would have broken every email-with-attachment send. Now
  routes through the pluggable abstraction per CLAUDE.md.
- Documenso DOCUMENT_OPENED webhook filter relaxed: v2 may omit
  `readStatus` or send lowercase, so an event that was the SIGNAL of an
  open was being silently dropped. Now treats any recipient on a
  DOCUMENT_OPENED event as opened.

UI/UX:
- Expense detail used to render `receiptFileIds` as opaque UUID badges —
  reps couldn't view the receipt they uploaded. Now renders an image
  thumbnail (via `/api/v1/files/[id]/preview`) plus a Download link for
  PDFs. Closed the "where's my receipt?" loop in the expense flow.
- Expense detail Edit + Archive buttons now `<PermissionGate>` and the
  archive mutation surfaces success/error toasts instead of silent 403s.
- Brochures admin: setDefault/archive/create mutations now have onError
  toasts (only onSuccess existed before).
- Removed broken bulk-upload link in scan/page (route doesn't exist;
  used a raw `<a>` triggering a full reload to a 404).

Test status: 1168/1168 vitest passing. tsc clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt Ciaccio
2026-05-05 05:51:39 +02:00
parent d4b3a1338f
commit ade4c9e77d
22 changed files with 577 additions and 97 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/components/admin/brochures-admin-panel.tsx
View File

@@ -123,6 +123,8 @@ function BrochureCard({ brochure, onChange }: { brochure: BrochureRow; onChange:
toast.success('Default brochure updated');
onChange();
},
onError: (e) =>
toast.error(e instanceof Error ? e.message : 'Could not update default brochure'),
});
const archiveMutation = useMutation({
@@ -131,6 +133,7 @@ function BrochureCard({ brochure, onChange }: { brochure: BrochureRow; onChange:
toast.success('Brochure archived');
onChange();
},
onError: (e) => toast.error(e instanceof Error ? e.message : 'Archive failed'),
});
async function handleUpload(file: File) {
@@ -284,6 +287,7 @@ function CreateBrochureDialog({
onCreated();
onOpenChange(false);
},
onError: (e) => toast.error(e instanceof Error ? e.message : 'Could not create brochure'),
});
return (

115
src/components/expenses/expense-detail.tsx
View File

@@ -3,17 +3,87 @@
import { useState, useEffect } from 'react';
import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query';
import { format } from 'date-fns';
import { Loader2, Receipt, Edit, Archive } from 'lucide-react';
import { Archive, Download, Edit, FileText, Loader2, Receipt } from 'lucide-react';
import { Button } from '@/components/ui/button';
import { Badge } from '@/components/ui/badge';
import { Card, CardContent, CardHeader, CardTitle } from '@/components/ui/card';
import { ArchiveConfirmDialog } from '@/components/shared/archive-confirm-dialog';
import { PermissionGate } from '@/components/shared/permission-gate';
import { toast } from 'sonner';
import { apiFetch } from '@/lib/api/client';
import { useMobileChrome } from '@/components/layout/mobile/mobile-layout-provider';
import type { ExpenseRow } from './expense-columns';
import { ExpenseDuplicateBanner } from './expense-duplicate-banner';
/**
* Renders an image thumbnail for previewable receipts (jpeg/png/webp/heic
* via the existing /files/[id]/preview presign), falling back to a "Download"
* link for PDFs and other non-previewable types. Replaces the prior
* impossible-to-use UUID-badge list — reps can finally see the receipt
* they uploaded against the expense.
*/
function ReceiptThumbnail({ fileId }: { fileId: string }) {
const { data, isLoading, isError } = useQuery<{
data: { url: string; mimeType: string } | null;
error?: string;
}>({
queryKey: ['file-preview', fileId],
queryFn: async () => {
try {
const res = await apiFetch<{ data: { url: string; mimeType: string } }>(
`/api/v1/files/${fileId}/preview`,
);
return res;
} catch (e) {
// Non-image files raise ValidationError ("This file type cannot be
// previewed") — fall through to the Download link.
return { data: null, error: e instanceof Error ? e.message : 'preview unavailable' };
}
},
staleTime: 5 * 60 * 1000,
});
if (isLoading) {
return (
<div className="flex h-32 items-center justify-center rounded border bg-muted/40 text-xs text-muted-foreground">
<Loader2 className="mr-2 h-3 w-3 animate-spin" /> Loading preview
</div>
);
}
const url = data?.data?.url;
const mime = data?.data?.mimeType ?? '';
const isImage = mime.startsWith('image/');
return (
<div className="rounded border bg-muted/40 p-2">
{url && isImage ? (
<a href={url} target="_blank" rel="noopener noreferrer">
<img
src={url}
alt="Receipt"
className="h-32 w-full rounded object-cover hover:opacity-90"
/>
</a>
) : (
<div className="flex h-32 items-center justify-center text-muted-foreground">
<FileText className="h-8 w-8" />
</div>
)}
<div className="mt-2 flex items-center justify-between text-xs text-muted-foreground">
<span className="truncate">{mime || (isError ? 'Receipt' : 'File')}</span>
<a
href={`/api/v1/files/${fileId}/download`}
className="inline-flex items-center gap-1 text-primary hover:underline"
>
<Download className="h-3 w-3" /> Download
</a>
</div>
</div>
);
}
const PAYMENT_STATUS_COLORS: Record<string, string> = {
unpaid: 'bg-red-100 text-red-700 border-red-200',
paid: 'bg-green-100 text-green-700 border-green-200',
@@ -48,8 +118,13 @@ export function ExpenseDetail({ expenseId, onEdit, onArchived }: ExpenseDetailPr
onSuccess: () => {
queryClient.invalidateQueries({ queryKey: ['expenses'] });
setArchiveOpen(false);
toast.success('Expense archived');
onArchived?.();
},
onError: (e) => {
toast.error(e instanceof Error ? e.message : 'Archive failed');
setArchiveOpen(false);
},
});
if (isLoading) {
@@ -84,20 +159,24 @@ export function ExpenseDetail({ expenseId, onEdit, onArchived }: ExpenseDetailPr
</div>
<div className="flex items-center gap-2">
{onEdit && (
<Button variant="outline" size="sm" onClick={onEdit}>
<Edit className="mr-1.5 h-4 w-4" />
Edit
</Button>
<PermissionGate resource="expenses" action="edit">
<Button variant="outline" size="sm" onClick={onEdit}>
<Edit className="mr-1.5 h-4 w-4" />
Edit
</Button>
</PermissionGate>
)}
<Button
variant="outline"
size="sm"
className="text-destructive"
onClick={() => setArchiveOpen(true)}
>
<Archive className="mr-1.5 h-4 w-4" />
Archive
</Button>
<PermissionGate resource="expenses" action="delete">
<Button
variant="outline"
size="sm"
className="text-destructive"
onClick={() => setArchiveOpen(true)}
>
<Archive className="mr-1.5 h-4 w-4" />
Archive
</Button>
</PermissionGate>
</div>
</div>
@@ -172,11 +251,9 @@ export function ExpenseDetail({ expenseId, onEdit, onArchived }: ExpenseDetailPr
</CardTitle>
</CardHeader>
<CardContent>
<div className="flex flex-wrap gap-2">
{(expense.receiptFileIds as string[]).map((fileId: string) => (
<Badge key={fileId} variant="secondary" className="font-mono text-xs">
{fileId}
</Badge>
<div className="grid grid-cols-1 sm:grid-cols-2 gap-3">
{(expense.receiptFileIds as string[]).map((fileId) => (
<ReceiptThumbnail key={fileId} fileId={fileId} />
))}
</div>
</CardContent>