d3a6a9beef
Two final waves of error-surface hygiene closing the audit's MED §12 +
HIGH §15 + HIGH §17 findings:
* 50 route files swept (61 sites): manual NextResponse.json({error,
status: 4xx|5xx}) early-returns replaced by typed throws +
errorResponse(err) at the catch.
- Super-admin gates (13 sites) use new requireSuperAdmin(ctx, action)
helper from src/lib/api/helpers.ts so denials hit the audit log.
- Path-param + body validation 400s become ValidationError throws.
- 404s become NotFoundError or CodedError('NOT_FOUND') for AI
feature-flag paths.
- 11 manual 5xx returns now re-throw so error_events captures the
request-id (the admin error inspector becomes usable from real
incidents).
- website-analytics 200-with-error anti-pattern flipped to 409 +
UMAMI_NOT_CONFIGURED. 502 upstream paths use UMAMI_UPSTREAM_ERROR.
- 11 sites intentionally preserved: storage/[token] anti-enumeration
token-failure paths, webhook-secret 401, "Unknown port" 400 in
public intake.
* 7 admin forms (roles, users, ports, webhooks, custom-fields,
document-templates, tags) gain a formatErrorBanner() helper from
src/lib/api/toast-error.ts that builds a multi-line "Error code / Reference ID"
banner — the rep can copy the request id when reporting a failed
save. Banners get whitespace-pre-line so newlines render.
Test status: 1168/1168 vitest, tsc clean.
Refs: docs/audit-comprehensive-2026-05-05.md MED §12 (auditor-F Issue 1)
+ HIGH §15 (auditor-F Issue 2) + HIGH §17 (auditor-H Issue 2).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
37 lines
1.1 KiB
TypeScript
37 lines
1.1 KiB
TypeScript
import { NextRequest, NextResponse } from 'next/server';
|
|
import { z } from 'zod';
|
|
|
|
import { enforcePublicRateLimit } from '@/lib/api/route-helpers';
|
|
import { errorResponse, ValidationError } from '@/lib/errors';
|
|
import { resetPassword } from '@/lib/services/portal-auth.service';
|
|
|
|
const bodySchema = z.object({
|
|
token: z.string().min(1),
|
|
password: z.string().min(9),
|
|
});
|
|
|
|
export async function POST(req: NextRequest): Promise<NextResponse> {
|
|
// 10/hour/IP — bounds brute-force against the 32-byte reset token.
|
|
const limited = await enforcePublicRateLimit(req, 'portalToken');
|
|
if (limited) return limited;
|
|
|
|
try {
|
|
let body: unknown;
|
|
try {
|
|
body = await req.json();
|
|
} catch {
|
|
throw new ValidationError('Invalid request body');
|
|
}
|
|
|
|
const parsed = bodySchema.safeParse(body);
|
|
if (!parsed.success) {
|
|
throw new ValidationError(parsed.error.errors[0]?.message ?? 'Invalid input');
|
|
}
|
|
|
|
await resetPassword(parsed.data.token, parsed.data.password);
|
|
return NextResponse.json({ success: true });
|
|
} catch (err) {
|
|
return errorResponse(err);
|
|
}
|
|
}
|