letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(audit-tier-2-routes): manual NextResponse.json error sweep + admin form banners

Browse Source 
Two final waves of error-surface hygiene closing the audit's MED §12 +
HIGH §15 + HIGH §17 findings:

* 50 route files swept (61 sites): manual NextResponse.json({error,
  status: 4xx|5xx}) early-returns replaced by typed throws +
  errorResponse(err) at the catch.
  - Super-admin gates (13 sites) use new requireSuperAdmin(ctx, action)
    helper from src/lib/api/helpers.ts so denials hit the audit log.
  - Path-param + body validation 400s become ValidationError throws.
  - 404s become NotFoundError or CodedError('NOT_FOUND') for AI
    feature-flag paths.
  - 11 manual 5xx returns now re-throw so error_events captures the
    request-id (the admin error inspector becomes usable from real
    incidents).
  - website-analytics 200-with-error anti-pattern flipped to 409 +
    UMAMI_NOT_CONFIGURED. 502 upstream paths use UMAMI_UPSTREAM_ERROR.
  - 11 sites intentionally preserved: storage/[token] anti-enumeration
    token-failure paths, webhook-secret 401, "Unknown port" 400 in
    public intake.

* 7 admin forms (roles, users, ports, webhooks, custom-fields,
  document-templates, tags) gain a formatErrorBanner() helper from
  src/lib/api/toast-error.ts that builds a multi-line "Error code / Reference ID"
  banner — the rep can copy the request id when reporting a failed
  save.  Banners get whitespace-pre-line so newlines render.

Test status: 1168/1168 vitest, tsc clean.

Refs: docs/audit-comprehensive-2026-05-05.md MED §12 (auditor-F Issue 1)
+ HIGH §15 (auditor-F Issue 2) + HIGH §17 (auditor-H Issue 2).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt Ciaccio
2026-05-05 20:36:59 +02:00
parent fc7595faf8
commit d3a6a9beef
58 changed files with 529 additions and 558 deletions
Download Patch File Download Diff File Expand all files Collapse all files

149
src/app/api/public/berths/[mooringNumber]/route.ts
View File

@@ -5,6 +5,7 @@ import { db } from '@/lib/db';
import { ports } from '@/lib/db/schema/ports';
import { berths, berthMapData } from '@/lib/db/schema/berths';
import { interestBerths, interests } from '@/lib/db/schema/interests';
import { errorResponse } from '@/lib/errors';
import { logger } from '@/lib/logger';
import { toPublicBerth } from '@/lib/services/public-berths';
@@ -32,77 +33,81 @@ export async function GET(
request: Request,
ctx: { params: Promise<{ mooringNumber: string }> },
): Promise<Response> {
const { mooringNumber } = await ctx.params;
const url = new URL(request.url);
const requestedSlug = url.searchParams.get('portSlug') ?? DEFAULT_PUBLIC_PORT_SLUG;
if (!PUBLIC_PORT_SLUGS.has(requestedSlug)) {
return NextResponse.json(
{ error: 'port is not part of the public berths feed', portSlug: requestedSlug },
{ status: 404, headers: { 'cache-control': 'no-store' } },
);
try {
const { mooringNumber } = await ctx.params;
const url = new URL(request.url);
const requestedSlug = url.searchParams.get('portSlug') ?? DEFAULT_PUBLIC_PORT_SLUG;
if (!PUBLIC_PORT_SLUGS.has(requestedSlug)) {
return NextResponse.json(
{ error: 'port is not part of the public berths feed', portSlug: requestedSlug },
{ status: 404, headers: { 'cache-control': 'no-store' } },
);
}
const portSlug = requestedSlug;
// Reject obviously malformed mooring numbers up front so cache poisoning
// / random-URL probing returns 400 rather than 404 (saves a DB hit).
if (!MOORING_PATTERN.test(mooringNumber)) {
return NextResponse.json(
{ error: 'invalid mooring number', mooringNumber },
{ status: 400, headers: { 'cache-control': 'no-store' } },
);
}
const [port] = await db
.select({ id: ports.id })
.from(ports)
.where(eq(ports.slug, portSlug))
.limit(1);
if (!port) {
return NextResponse.json(
{ error: 'port not found', portSlug },
{ status: 404, headers: { 'cache-control': 'no-store' } },
);
}
const [berth] = await db
.select()
.from(berths)
.where(and(eq(berths.portId, port.id), eq(berths.mooringNumber, mooringNumber)))
.limit(1);
if (!berth) {
return NextResponse.json(
{ error: 'berth not found', mooringNumber },
{ status: 404, headers: { 'cache-control': 'no-store' } },
);
}
const [mapData, specificInterestRows] = await Promise.all([
db.select().from(berthMapData).where(eq(berthMapData.berthId, berth.id)).limit(1),
db
.select({ berthId: interestBerths.berthId })
.from(interestBerths)
.innerJoin(interests, eq(interests.id, interestBerths.interestId))
.where(
and(
eq(interestBerths.berthId, berth.id),
eq(interestBerths.isSpecificInterest, true),
isNull(interests.archivedAt),
// Closed deals (won/lost/cancelled) don't promote to "Under
// Offer" - won flows through berths.status='sold' handled in
// derivePublicStatus; lost/cancelled means back on the market.
isNull(interests.outcome),
),
)
.limit(1),
]);
const out = toPublicBerth(berth, mapData[0] ?? null, specificInterestRows.length > 0);
if (out.Status !== 'Available' && out.Status !== 'Under Offer' && out.Status !== 'Sold') {
logger.error({ berthId: berth.id, status: out.Status }, 'Public berth status out of range');
throw new Error('Public berth status out of range');
}
return new Response(JSON.stringify(out), { headers: RESPONSE_HEADERS, status: 200 });
} catch (err) {
return errorResponse(err);
}
const portSlug = requestedSlug;
// Reject obviously malformed mooring numbers up front so cache poisoning
// / random-URL probing returns 400 rather than 404 (saves a DB hit).
if (!MOORING_PATTERN.test(mooringNumber)) {
return NextResponse.json(
{ error: 'invalid mooring number', mooringNumber },
{ status: 400, headers: { 'cache-control': 'no-store' } },
);
}
const [port] = await db
.select({ id: ports.id })
.from(ports)
.where(eq(ports.slug, portSlug))
.limit(1);
if (!port) {
return NextResponse.json(
{ error: 'port not found', portSlug },
{ status: 404, headers: { 'cache-control': 'no-store' } },
);
}
const [berth] = await db
.select()
.from(berths)
.where(and(eq(berths.portId, port.id), eq(berths.mooringNumber, mooringNumber)))
.limit(1);
if (!berth) {
return NextResponse.json(
{ error: 'berth not found', mooringNumber },
{ status: 404, headers: { 'cache-control': 'no-store' } },
);
}
const [mapData, specificInterestRows] = await Promise.all([
db.select().from(berthMapData).where(eq(berthMapData.berthId, berth.id)).limit(1),
db
.select({ berthId: interestBerths.berthId })
.from(interestBerths)
.innerJoin(interests, eq(interests.id, interestBerths.interestId))
.where(
and(
eq(interestBerths.berthId, berth.id),
eq(interestBerths.isSpecificInterest, true),
isNull(interests.archivedAt),
// Closed deals (won/lost/cancelled) don't promote to "Under
// Offer" - won flows through berths.status='sold' handled in
// derivePublicStatus; lost/cancelled means back on the market.
isNull(interests.outcome),
),
)
.limit(1),
]);
const out = toPublicBerth(berth, mapData[0] ?? null, specificInterestRows.length > 0);
if (out.Status !== 'Available' && out.Status !== 'Under Offer' && out.Status !== 'Sold') {
logger.error({ berthId: berth.id, status: out.Status }, 'Public berth status out of range');
return NextResponse.json({ error: 'internal' }, { status: 500 });
}
return new Response(JSON.stringify(out), { headers: RESPONSE_HEADERS, status: 200 });
}

178
src/app/api/public/berths/route.ts
View File

@@ -5,6 +5,7 @@ import { db } from '@/lib/db';
import { ports } from '@/lib/db/schema/ports';
import { berths, berthMapData } from '@/lib/db/schema/berths';
import { interestBerths, interests } from '@/lib/db/schema/interests';
import { errorResponse } from '@/lib/errors';
import { logger } from '@/lib/logger';
import { toPublicBerth, type PublicBerth } from '@/lib/services/public-berths';
@@ -48,98 +49,99 @@ interface ListResponse {
}
export async function GET(request: Request): Promise<Response> {
const url = new URL(request.url);
const requestedSlug = url.searchParams.get('portSlug') ?? DEFAULT_PUBLIC_PORT_SLUG;
if (!PUBLIC_PORT_SLUGS.has(requestedSlug)) {
return NextResponse.json(
{ error: 'port is not part of the public berths feed', portSlug: requestedSlug },
{ status: 404, headers: { 'cache-control': 'no-store' } },
);
}
const portSlug = requestedSlug;
const [port] = await db
.select({ id: ports.id })
.from(ports)
.where(eq(ports.slug, portSlug))
.limit(1);
if (!port) {
return NextResponse.json(
{ error: 'port not found', portSlug },
{ status: 404, headers: { 'cache-control': 'no-store' } },
);
}
// 1. Active berths for the port (archived would be an explicit field
// once we add one - today we don't have an archived_at on berths,
// so we surface every row except those marked status='sold' on
// request? No: §4.5 says "filters out berths archived in CRM".
// The current schema has no archived flag for berths, so this is
// a no-op today; future archive flag plugs in here.
const berthRows = await db.select().from(berths).where(eq(berths.portId, port.id));
if (berthRows.length === 0) {
return jsonResponse({ list: [], pageInfo: emptyPageInfo() });
}
const berthIds = berthRows.map((b) => b.id);
// 2. Bulk-fetch map_data + the "has specific-interest link" flag.
const [mapRows, specificInterestRows] = await Promise.all([
db.select().from(berthMapData).where(inArray(berthMapData.berthId, berthIds)),
db
.selectDistinct({ berthId: interestBerths.berthId })
.from(interestBerths)
.innerJoin(interests, eq(interests.id, interestBerths.interestId))
.where(
and(
inArray(interestBerths.berthId, berthIds),
eq(interestBerths.isSpecificInterest, true),
isNull(interests.archivedAt),
// Don't promote a berth to "Under Offer" when the only specific-
// interest link is a closed deal. `won` flips happen via
// berths.status='sold' (handled in derivePublicStatus). Lost/
// cancelled outcomes mean the berth is back on the market.
isNull(interests.outcome),
),
),
]);
const mapByBerth = new Map(mapRows.map((m) => [m.berthId, m]));
const specificInterestSet = new Set(specificInterestRows.map((r) => r.berthId));
const list = berthRows.map((b) =>
toPublicBerth(b, mapByBerth.get(b.id) ?? null, specificInterestSet.has(b.id)),
);
// Validate the response enum before returning - any unknown status
// value would hit a 500 (per §14.8) rather than silently shipping
// invalid data downstream.
for (const row of list) {
if (row.Status !== 'Available' && row.Status !== 'Under Offer' && row.Status !== 'Sold') {
// Log just the identifying fields - never the full berth row, which
// includes price + amenity columns that don't belong in error logs.
logger.error(
{ berthId: row.Id, mooringNumber: row['Mooring Number'], status: row.Status },
'Public berth status out of range',
);
try {
const url = new URL(request.url);
const requestedSlug = url.searchParams.get('portSlug') ?? DEFAULT_PUBLIC_PORT_SLUG;
if (!PUBLIC_PORT_SLUGS.has(requestedSlug)) {
return NextResponse.json(
{ error: 'internal', detail: 'berth status enum drift' },
{ status: 500 },
{ error: 'port is not part of the public berths feed', portSlug: requestedSlug },
{ status: 404, headers: { 'cache-control': 'no-store' } },
);
}
}
const portSlug = requestedSlug;
return jsonResponse({
list,
pageInfo: {
totalRows: list.length,
page: 1,
pageSize: list.length,
isFirstPage: true,
isLastPage: true,
},
});
const [port] = await db
.select({ id: ports.id })
.from(ports)
.where(eq(ports.slug, portSlug))
.limit(1);
if (!port) {
return NextResponse.json(
{ error: 'port not found', portSlug },
{ status: 404, headers: { 'cache-control': 'no-store' } },
);
}
// 1. Active berths for the port (archived would be an explicit field
// once we add one - today we don't have an archived_at on berths,
// so we surface every row except those marked status='sold' on
// request? No: §4.5 says "filters out berths archived in CRM".
// The current schema has no archived flag for berths, so this is
// a no-op today; future archive flag plugs in here.
const berthRows = await db.select().from(berths).where(eq(berths.portId, port.id));
if (berthRows.length === 0) {
return jsonResponse({ list: [], pageInfo: emptyPageInfo() });
}
const berthIds = berthRows.map((b) => b.id);
// 2. Bulk-fetch map_data + the "has specific-interest link" flag.
const [mapRows, specificInterestRows] = await Promise.all([
db.select().from(berthMapData).where(inArray(berthMapData.berthId, berthIds)),
db
.selectDistinct({ berthId: interestBerths.berthId })
.from(interestBerths)
.innerJoin(interests, eq(interests.id, interestBerths.interestId))
.where(
and(
inArray(interestBerths.berthId, berthIds),
eq(interestBerths.isSpecificInterest, true),
isNull(interests.archivedAt),
// Don't promote a berth to "Under Offer" when the only specific-
// interest link is a closed deal. `won` flips happen via
// berths.status='sold' (handled in derivePublicStatus). Lost/
// cancelled outcomes mean the berth is back on the market.
isNull(interests.outcome),
),
),
]);
const mapByBerth = new Map(mapRows.map((m) => [m.berthId, m]));
const specificInterestSet = new Set(specificInterestRows.map((r) => r.berthId));
const list = berthRows.map((b) =>
toPublicBerth(b, mapByBerth.get(b.id) ?? null, specificInterestSet.has(b.id)),
);
// Validate the response enum before returning - any unknown status
// value would hit a 500 (per §14.8) rather than silently shipping
// invalid data downstream.
for (const row of list) {
if (row.Status !== 'Available' && row.Status !== 'Under Offer' && row.Status !== 'Sold') {
// Log just the identifying fields - never the full berth row, which
// includes price + amenity columns that don't belong in error logs.
logger.error(
{ berthId: row.Id, mooringNumber: row['Mooring Number'], status: row.Status },
'Public berth status out of range',
);
throw new Error('Public berth status out of range');
}
}
return jsonResponse({
list,
pageInfo: {
totalRows: list.length,
page: 1,
pageSize: list.length,
isFirstPage: true,
isLastPage: true,
},
});
} catch (err) {
return errorResponse(err);
}
}
function jsonResponse(body: ListResponse): Response {

6
src/app/api/public/interests/route.ts
View File

@@ -11,7 +11,7 @@ import { ports } from '@/lib/db/schema/ports';
import { yachts, yachtOwnershipHistory } from '@/lib/db/schema/yachts';
import { companies, companyMemberships } from '@/lib/db/schema/companies';
import { createAuditLog } from '@/lib/audit';
import { errorResponse, RateLimitError } from '@/lib/errors';
import { errorResponse, RateLimitError, ValidationError } from '@/lib/errors';
import { checkRateLimit, rateLimiters } from '@/lib/rate-limit';
import { publicInterestSchema } from '@/lib/validators/interests';
import { sendInquiryNotifications } from '@/lib/services/inquiry-notifications.service';
@@ -49,9 +49,7 @@ export async function POST(req: NextRequest) {
// Resolve portId from query param or header (public endpoints need explicit port)
const portId = req.nextUrl.searchParams.get('portId') ?? req.headers.get('X-Port-Id');
if (!portId) {
return NextResponse.json({ error: 'Port context required' }, { status: 400 });
}
if (!portId) throw new ValidationError('Port context required');
// Server-side phone normalization for older website builds that post raw
// international/national strings. Newer builds may pre-fill phoneE164/Country.

3
src/app/api/public/website-inquiries/route.ts
View File

@@ -7,6 +7,7 @@ import { db } from '@/lib/db';
import { ports } from '@/lib/db/schema/ports';
import { websiteSubmissions } from '@/lib/db/schema/website-submissions';
import { env } from '@/lib/env';
import { errorResponse } from '@/lib/errors';
import { logger } from '@/lib/logger';
import { checkRateLimit, rateLimiters } from '@/lib/rate-limit';
@@ -173,5 +174,5 @@ export async function POST(req: NextRequest) {
{ submissionId: parsed.submission_id },
'website-inquiry conflict but row not found on lookup',
);
return NextResponse.json({ error: 'Insert failed' }, { status: 500 });
return errorResponse(new Error('website-inquiry conflict but row not found on lookup'));
}