letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
cf37d09519bdb86dfc9f59b6ee6906053e28f83e
pn-new-crm/src/app/api/v1/admin/email/sales-config/route.ts
Matt Ciaccio 86372a857f fix(audit): post-review hardening across phases 0-7 
15 of 17 findings from the consolidated audit (3 reviewer agents on
the previously-shipped phase commits). Remaining two are nice-to-have
follow-ups deferred.

Critical (data integrity / security):
- Public berths API: closed-deal junction rows no longer flip a berth
  to "Under Offer" - filter on `interests.outcome IS NULL` so won/
  lost/cancelled don't pollute public-map status. Both list +
  single-mooring routes.
- Recommender heat: cancelled outcomes now count as fall-throughs
  (SQL was `LIKE 'lost%'` which silently dropped them, leaving
  cancelled-only berths stuck in tier A).
- Filesystem presignDownload returns an absolute URL (origin from
  APP_URL) so emailed download links resolve from external mail
  clients.
- Magic-byte verification on the presigned-PUT path: both per-berth
  PDFs and brochures stream the first 5 bytes via the storage backend
  and reject + delete on `%PDF-` mismatch (was only enforced when the
  server saw the buffer; presign-PUT was wide open).
- Replay-protection TTL aligned to the token's own expiry (was a
  fixed 30 min, but send-out tokens live 24 h). Floor 60 s, ceiling
  25 days.
- Brochures unique partial index on (port_id) WHERE is_default=true
  + 0032 migration. Closes the read-then-write race in the create/
  update transactions.

Important:
- Recommender SQL: defense-in-depth `i.port_id = $portId` filter on
  the aggregates CTE.
- berth-pdf service: per-berth pg_advisory_xact_lock around the
  version-number SELECT + insert. Storage key is now UUID-based so
  concurrent uploads can't collide on blob paths. Replaces
  `nextVersionNumber` with the tx-bound variant.
- berth-pdf apply: rejects with ConflictError when parse_results
  contain a mooring-mismatch warning unless the caller passes
  `confirmMooringMismatch: true` (force-reconfirm gate was UI-only).
- Send-out body: HTML-escape brochure filename in the download-link
  fallback (XSS guard).
- parseDecimalWithUnit rejects negative numbers.
- listClients DISTINCT ON for primary contact resolution: bounds
  contact-row count to ~2 per client.

Defensive:
- verifyProxyToken rejects NaN/Infinity expiries via Number.isFinite.
- Replaced sql ANY() with inArray() in interest-berths.

Tests: 1145 -> 1163 passing.

Deferred: bulk-send rate limit (no bulk endpoint today), markdown
italic regex breaking links with asterisks (cosmetic).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 04:07:03 +02:00

75 lines
2.7 KiB
TypeScript
Raw Blame History

import { NextResponse } from 'next/server';
import { withAuth, withPermission } from '@/lib/api/helpers';
import { parseBody } from '@/lib/api/route-helpers';
import { errorResponse } from '@/lib/errors';
import {
getSalesEmailConfig,
getSalesImapConfig,
getSalesContentConfig,
redactSalesConfigForResponse,
updateSalesEmailConfig,
} from '@/lib/services/sales-email-config.service';
import { updateSalesEmailConfigSchema } from '@/lib/validators/sales-email-config';
/**
* GET /api/v1/admin/email/sales-config
*
* Returns the redacted view of the sales-email config. Per §14.10
* reps can't see the decrypted password — the response only carries
* `*PassIsSet` boolean markers via `redactSalesConfigForResponse`.
*
* Today this endpoint is admin-only because it's consumed only by the
* admin UI panel (`src/components/admin/sales-email-config-card.tsx`).
* A future rep-facing surface that needs the from-address or body
* templates can split into a separate `/email/sales-config/preview`
* endpoint scoped to `email.view` — keeping the admin endpoint locked
* to `manage_settings` avoids accidentally widening secret-adjacent
* surfaces (e.g. the SMTP host name itself can be a leak vector).
*/
export const GET = withAuth(
withPermission('admin', 'manage_settings', async (_req, ctx) => {
try {
const [email, imap, content] = await Promise.all([
getSalesEmailConfig(ctx.portId),
getSalesImapConfig(ctx.portId),
getSalesContentConfig(ctx.portId),
]);
const redacted = redactSalesConfigForResponse(email, imap, content);
return NextResponse.json({ data: redacted });
} catch (error) {
return errorResponse(error);
}
}),
);
/**
* PATCH /api/v1/admin/email/sales-config
*
* Per-port admin only. Encrypts SMTP/IMAP passwords via AES-256-GCM before
* storage; the API never returns decrypted secrets (mirror enforcement on
* the GET handler).
*/
export const PATCH = withAuth(
withPermission('admin', 'manage_settings', async (req, ctx) => {
try {
const input = await parseBody(req, updateSalesEmailConfigSchema);
await updateSalesEmailConfig(ctx.portId, input, {
userId: ctx.userId,
portId: ctx.portId,
ipAddress: ctx.ipAddress,
userAgent: ctx.userAgent,
});
// Return the freshly-redacted view so the UI can re-render.
const [email, imap, content] = await Promise.all([
getSalesEmailConfig(ctx.portId),
getSalesImapConfig(ctx.portId),
getSalesContentConfig(ctx.portId),
]);
return NextResponse.json({ data: redactSalesConfigForResponse(email, imap, content) });
} catch (error) {
return errorResponse(error);
}
}),
);
Reference in New Issue View Git Blame Copy Permalink