letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
a8607ecc9e406528cccf4f87199c03048d3c36d7
pn-new-crm/src/app/api/v1/admin/email-templates/route.ts
Matt ebdd8408bf fix(audit-wave-11): dossier sweep — error-ux + webhook + storage + search + maintainability 
Final pass over the unaddressed AUDIT-2026-05-12 dossiers, taking the
tractable Critical/High items from each:

error-ux-auditor (5 items)
- C2: 17 toast.error(err.message) sites swept to toastError(err, …) so
  every user-visible failure carries a copy-paste Reference ID
- C3: apiFetch synthesizes a client-side correlation id when a 5xx
  comes back with a non-JSON body (reverse-proxy HTML pages); message
  becomes "The server is unreachable. Please try again." with code
  UPSTREAM_UNREACHABLE
- C4: checkRateLimit fails OPEN when Redis is unavailable so an outage
  no longer 500s login + portal sign-in; logged at warn so monitoring
  catches it
- H2: StorageTimeoutError (name='TimeoutError') replaces the plain
  Error throw in s3.ts withTimeout — error-classifier hints fire now
- H5: errorResponse() adopted across /api/storage/[token],
  /api/public/website-inquiries, and the Documenso webhook body (drops
  the "Invalid secret" reconnaissance string)

outbound-webhook-auditor (5 items)
- C1: signature is now HMAC(secret, `${ts}.${body}`) with the
  timestamp surfaced as X-Webhook-Timestamp so receivers can reject
  replays outside a freshness window
- C3: dead-letter with reason missing_signing_secret when secret is
  null (defence-in-depth against DB tampering / future migration
  mistakes)
- H2: webhooks queue bumped to maxAttempts=8 with 30 s base
  exponential backoff so a 30 s receiver blip during a deploy no
  longer dead-letters every in-flight event; per-queue
  backoffDelayMs added to QUEUE_CONFIGS
- M1: SSRF denylist gains Oracle Cloud metadata 192.0.0.192
- M2: dispatch-time https:// assertion before fetch, so a bad DB edit
  can't slip plaintext through

storage-pathing-auditor (2 items)
- H1: berth-PDF presigned-upload keys now `${portSlug}/berths/…/…`
  with portSlug threaded into backend.presignUpload — engages the
  filesystem-proxy port-binding `p` token verifier
- H2: presignDownloadUrl auto-derives portSlug from the key's first
  segment when callers don't pass it, so all 8 download sites engage
  the `p`-token guard without per-site plumbing

search-auditor (1 item)
- H3: removed dead void wantEmail; void wantPhone; pair plus the
  unused looksLikeEmail helper — the bucket-reorder it was scaffolded
  for was never wired

maintainability-auditor (1 item)
- M2: swept seven abandoned `void <symbol>` markers and their dead
  imports across clients/bulk, interests/bulk, admin/email-templates,
  admin/website-submissions, alert-rules, and notes.service

Deferred to future work (substantial refactors, schema migrations, or
multi-file UI work):
- error-ux M3-M8 (global-error.tsx, per-route loading.tsx coverage,
  ErrorBanner component, /api/ready route, worker DLQ admin surface)
- maintainability C1-C4 (documents/search/notes service splits,
  interest-tabs split — multi-hour refactors)
- currency C1-H5 (mixed-currency dashboard aggregation, FX history
  table, rounding policy) — wait for second non-USD port
- outbound-webhook C2 (deliveries reaper job), H1 (DNS-rebind TOCTOU
  with undici Agent), H3 (circuit-breaker), H5 (presigned-post-policy)
- storage-pathing C2 (orphan reaper), H3-H5 (streaming + content-type
  binding)

Tests: 1315/1315 vitest  ; tsc clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 13:27:32 +02:00

90 lines
2.9 KiB
TypeScript
Raw Blame History

import { NextResponse } from 'next/server';
import { inArray } from 'drizzle-orm';
import { z } from 'zod';
import { withAuth, withPermission } from '@/lib/api/helpers';
import { parseBody } from '@/lib/api/route-helpers';
import { db } from '@/lib/db';
import { systemSettings } from '@/lib/db/schema/system';
import {
TEMPLATE_CATALOG,
TEMPLATE_KEYS,
settingKeyForSubject,
type TemplateKey,
} from '@/lib/email/template-catalog';
import { upsertSetting, deleteSetting } from '@/lib/services/settings.service';
import { errorResponse } from '@/lib/errors';
const upsertSchema = z.object({
key: z.enum(TEMPLATE_KEYS),
subject: z.string().max(300).nullable(),
});
export const GET = withAuth(
withPermission('admin', 'manage_settings', async (_req, ctx) => {
try {
const subjectKeys = TEMPLATE_KEYS.map(settingKeyForSubject);
const rows = await db
.select({
key: systemSettings.key,
value: systemSettings.value,
portId: systemSettings.portId,
})
.from(systemSettings)
.where(inArray(systemSettings.key, subjectKeys));
const byKey = new Map<string, { port?: string; global?: string }>();
for (const r of rows) {
const slot = byKey.get(r.key) ?? {};
if (r.portId === ctx.portId && typeof r.value === 'string') slot.port = r.value;
if (r.portId === null && typeof r.value === 'string') slot.global = r.value;
byKey.set(r.key, slot);
}
const data = TEMPLATE_KEYS.map((key) => {
const meta = TEMPLATE_CATALOG[key];
const settingKey = settingKeyForSubject(key);
const overrides = byKey.get(settingKey) ?? {};
const effective = overrides.port ?? overrides.global ?? meta.defaultSubject;
return {
key,
label: meta.label,
description: meta.description,
mergeTokens: meta.mergeTokens,
defaultSubject: meta.defaultSubject,
subjectOverride: overrides.port ?? null,
effectiveSubject: effective,
};
});
return NextResponse.json({ data });
} catch (error) {
return errorResponse(error);
}
}),
);
export const PUT = withAuth(
withPermission('admin', 'manage_settings', async (req, ctx) => {
try {
const body = await parseBody(req, upsertSchema);
const settingKey = settingKeyForSubject(body.key as TemplateKey);
const meta = {
userId: ctx.userId,
portId: ctx.portId,
ipAddress: ctx.ipAddress,
userAgent: ctx.userAgent,
};
if (body.subject === null || body.subject === '') {
// Clear the override (and only at the per-port level — never touch global).
await deleteSetting(settingKey, ctx.portId, meta);
} else {
await upsertSetting(settingKey, body.subject, ctx.portId, meta);
}
return NextResponse.json({ data: { ok: true } });
} catch (error) {
return errorResponse(error);
}
}),
);
Reference in New Issue View Git Blame Copy Permalink