Matt
ebdd8408bf
Final pass over the unaddressed AUDIT-2026-05-12 dossiers, taking the
tractable Critical/High items from each:
error-ux-auditor (5 items)
- C2: 17 toast.error(err.message) sites swept to toastError(err, …) so
every user-visible failure carries a copy-paste Reference ID
- C3: apiFetch synthesizes a client-side correlation id when a 5xx
comes back with a non-JSON body (reverse-proxy HTML pages); message
becomes "The server is unreachable. Please try again." with code
UPSTREAM_UNREACHABLE
- C4: checkRateLimit fails OPEN when Redis is unavailable so an outage
no longer 500s login + portal sign-in; logged at warn so monitoring
catches it
- H2: StorageTimeoutError (name='TimeoutError') replaces the plain
Error throw in s3.ts withTimeout — error-classifier hints fire now
- H5: errorResponse() adopted across /api/storage/[token],
/api/public/website-inquiries, and the Documenso webhook body (drops
the "Invalid secret" reconnaissance string)
outbound-webhook-auditor (5 items)
- C1: signature is now HMAC(secret, `${ts}.${body}`) with the
timestamp surfaced as X-Webhook-Timestamp so receivers can reject
replays outside a freshness window
- C3: dead-letter with reason missing_signing_secret when secret is
null (defence-in-depth against DB tampering / future migration
mistakes)
- H2: webhooks queue bumped to maxAttempts=8 with 30 s base
exponential backoff so a 30 s receiver blip during a deploy no
longer dead-letters every in-flight event; per-queue
backoffDelayMs added to QUEUE_CONFIGS
- M1: SSRF denylist gains Oracle Cloud metadata 192.0.0.192
- M2: dispatch-time https:// assertion before fetch, so a bad DB edit
can't slip plaintext through
storage-pathing-auditor (2 items)
- H1: berth-PDF presigned-upload keys now `${portSlug}/berths/…/…`
with portSlug threaded into backend.presignUpload — engages the
filesystem-proxy port-binding `p` token verifier
- H2: presignDownloadUrl auto-derives portSlug from the key's first
segment when callers don't pass it, so all 8 download sites engage
the `p`-token guard without per-site plumbing
search-auditor (1 item)
- H3: removed dead void wantEmail; void wantPhone; pair plus the
unused looksLikeEmail helper — the bucket-reorder it was scaffolded
for was never wired
maintainability-auditor (1 item)
- M2: swept seven abandoned `void <symbol>` markers and their dead
imports across clients/bulk, interests/bulk, admin/email-templates,
admin/website-submissions, alert-rules, and notes.service
Deferred to future work (substantial refactors, schema migrations, or
multi-file UI work):
- error-ux M3-M8 (global-error.tsx, per-route loading.tsx coverage,
ErrorBanner component, /api/ready route, worker DLQ admin surface)
- maintainability C1-C4 (documents/search/notes service splits,
interest-tabs split — multi-hour refactors)
- currency C1-H5 (mixed-currency dashboard aggregation, FX history
table, rounding policy) — wait for second non-USD port
- outbound-webhook C2 (deliveries reaper job), H1 (DNS-rebind TOCTOU
with undici Agent), H3 (circuit-breaker), H5 (presigned-post-policy)
- storage-pathing C2 (orphan reaper), H3-H5 (streaming + content-type
binding)
Tests: 1315/1315 vitest ✅ ; tsc clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
131 lines
4.1 KiB
TypeScript
131 lines
4.1 KiB
TypeScript
import { NextResponse } from 'next/server';
|
|
import { z } from 'zod';
|
|
import { eq, and } from 'drizzle-orm';
|
|
|
|
import { withAuth } from '@/lib/api/helpers';
|
|
import { parseBody } from '@/lib/api/route-helpers';
|
|
import { db } from '@/lib/db';
|
|
import { interests } from '@/lib/db/schema/interests';
|
|
import { interestTags } from '@/lib/db/schema/interests';
|
|
import {
|
|
archiveInterest,
|
|
changeInterestStage,
|
|
setInterestTags,
|
|
} from '@/lib/services/interests.service';
|
|
import { PIPELINE_STAGES } from '@/lib/constants';
|
|
import { errorResponse } from '@/lib/errors';
|
|
|
|
/**
|
|
* Synchronous bulk endpoint for the interests list.
|
|
*
|
|
* Per-row loop is fine for the page-size cap (100 rows max). Larger jobs
|
|
* (CSV imports, port-wide migrations) belong on the BullMQ `bulk` queue —
|
|
* see src/lib/queue/workers/bulk.ts. The synchronous path gives the user
|
|
* instant feedback and a per-row failure list, which the queue can't.
|
|
*/
|
|
|
|
const bulkSchema = z.discriminatedUnion('action', [
|
|
z.object({
|
|
action: z.literal('change_stage'),
|
|
ids: z.array(z.string().min(1)).min(1).max(100),
|
|
pipelineStage: z.enum(PIPELINE_STAGES),
|
|
}),
|
|
z.object({
|
|
action: z.literal('add_tag'),
|
|
ids: z.array(z.string().min(1)).min(1).max(100),
|
|
tagId: z.string().min(1),
|
|
}),
|
|
z.object({
|
|
action: z.literal('remove_tag'),
|
|
ids: z.array(z.string().min(1)).min(1).max(100),
|
|
tagId: z.string().min(1),
|
|
}),
|
|
z.object({
|
|
action: z.literal('archive'),
|
|
ids: z.array(z.string().min(1)).min(1).max(100),
|
|
}),
|
|
]);
|
|
|
|
interface RowResult {
|
|
id: string;
|
|
ok: boolean;
|
|
error?: string;
|
|
}
|
|
|
|
const PERMISSION_BY_ACTION: Record<
|
|
z.infer<typeof bulkSchema>['action'],
|
|
{ resource: 'interests'; action: 'change_stage' | 'edit' | 'delete' }
|
|
> = {
|
|
change_stage: { resource: 'interests', action: 'change_stage' },
|
|
add_tag: { resource: 'interests', action: 'edit' },
|
|
remove_tag: { resource: 'interests', action: 'edit' },
|
|
archive: { resource: 'interests', action: 'delete' },
|
|
};
|
|
|
|
export const POST = withAuth(async (req, ctx) => {
|
|
let body: z.infer<typeof bulkSchema>;
|
|
try {
|
|
body = await parseBody(req, bulkSchema);
|
|
} catch (error) {
|
|
return errorResponse(error);
|
|
}
|
|
|
|
// Per-action permission check (mirrors the per-row endpoints).
|
|
const perm = PERMISSION_BY_ACTION[body.action];
|
|
const allowed = ctx.isSuperAdmin ? true : !!ctx.permissions?.[perm.resource]?.[perm.action];
|
|
if (!allowed) {
|
|
return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
|
|
}
|
|
|
|
const meta = {
|
|
userId: ctx.userId,
|
|
portId: ctx.portId,
|
|
ipAddress: ctx.ipAddress,
|
|
userAgent: ctx.userAgent,
|
|
};
|
|
|
|
const results: RowResult[] = [];
|
|
|
|
for (const id of body.ids) {
|
|
try {
|
|
if (body.action === 'change_stage') {
|
|
await changeInterestStage(id, ctx.portId, { pipelineStage: body.pipelineStage }, meta);
|
|
} else if (body.action === 'archive') {
|
|
await archiveInterest(id, ctx.portId, meta);
|
|
} else if (body.action === 'add_tag' || body.action === 'remove_tag') {
|
|
// Tenant gate: load the existing interest tag set, mutate, save.
|
|
const interest = await db.query.interests.findFirst({
|
|
where: and(eq(interests.id, id), eq(interests.portId, ctx.portId)),
|
|
});
|
|
if (!interest) {
|
|
results.push({ id, ok: false, error: 'Interest not found' });
|
|
continue;
|
|
}
|
|
const existingTags = await db
|
|
.select({ tagId: interestTags.tagId })
|
|
.from(interestTags)
|
|
.where(eq(interestTags.interestId, id));
|
|
const current = new Set(existingTags.map((t) => t.tagId));
|
|
if (body.action === 'add_tag') current.add(body.tagId);
|
|
else current.delete(body.tagId);
|
|
await setInterestTags(id, ctx.portId, Array.from(current), meta);
|
|
}
|
|
results.push({ id, ok: true });
|
|
} catch (err) {
|
|
results.push({
|
|
id,
|
|
ok: false,
|
|
error: err instanceof Error ? err.message : 'unknown error',
|
|
});
|
|
}
|
|
}
|
|
|
|
const summary = {
|
|
total: results.length,
|
|
succeeded: results.filter((r) => r.ok).length,
|
|
failed: results.filter((r) => !r.ok).length,
|
|
};
|
|
|
|
return NextResponse.json({ data: { results, summary } });
|
|
});
|