Matt
ebdd8408bf
Final pass over the unaddressed AUDIT-2026-05-12 dossiers, taking the
tractable Critical/High items from each:
error-ux-auditor (5 items)
- C2: 17 toast.error(err.message) sites swept to toastError(err, …) so
every user-visible failure carries a copy-paste Reference ID
- C3: apiFetch synthesizes a client-side correlation id when a 5xx
comes back with a non-JSON body (reverse-proxy HTML pages); message
becomes "The server is unreachable. Please try again." with code
UPSTREAM_UNREACHABLE
- C4: checkRateLimit fails OPEN when Redis is unavailable so an outage
no longer 500s login + portal sign-in; logged at warn so monitoring
catches it
- H2: StorageTimeoutError (name='TimeoutError') replaces the plain
Error throw in s3.ts withTimeout — error-classifier hints fire now
- H5: errorResponse() adopted across /api/storage/[token],
/api/public/website-inquiries, and the Documenso webhook body (drops
the "Invalid secret" reconnaissance string)
outbound-webhook-auditor (5 items)
- C1: signature is now HMAC(secret, `${ts}.${body}`) with the
timestamp surfaced as X-Webhook-Timestamp so receivers can reject
replays outside a freshness window
- C3: dead-letter with reason missing_signing_secret when secret is
null (defence-in-depth against DB tampering / future migration
mistakes)
- H2: webhooks queue bumped to maxAttempts=8 with 30 s base
exponential backoff so a 30 s receiver blip during a deploy no
longer dead-letters every in-flight event; per-queue
backoffDelayMs added to QUEUE_CONFIGS
- M1: SSRF denylist gains Oracle Cloud metadata 192.0.0.192
- M2: dispatch-time https:// assertion before fetch, so a bad DB edit
can't slip plaintext through
storage-pathing-auditor (2 items)
- H1: berth-PDF presigned-upload keys now `${portSlug}/berths/…/…`
with portSlug threaded into backend.presignUpload — engages the
filesystem-proxy port-binding `p` token verifier
- H2: presignDownloadUrl auto-derives portSlug from the key's first
segment when callers don't pass it, so all 8 download sites engage
the `p`-token guard without per-site plumbing
search-auditor (1 item)
- H3: removed dead void wantEmail; void wantPhone; pair plus the
unused looksLikeEmail helper — the bucket-reorder it was scaffolded
for was never wired
maintainability-auditor (1 item)
- M2: swept seven abandoned `void <symbol>` markers and their dead
imports across clients/bulk, interests/bulk, admin/email-templates,
admin/website-submissions, alert-rules, and notes.service
Deferred to future work (substantial refactors, schema migrations, or
multi-file UI work):
- error-ux M3-M8 (global-error.tsx, per-route loading.tsx coverage,
ErrorBanner component, /api/ready route, worker DLQ admin surface)
- maintainability C1-C4 (documents/search/notes service splits,
interest-tabs split — multi-hour refactors)
- currency C1-H5 (mixed-currency dashboard aggregation, FX history
table, rounding policy) — wait for second non-USD port
- outbound-webhook C2 (deliveries reaper job), H1 (DNS-rebind TOCTOU
with undici Agent), H3 (circuit-breaker), H5 (presigned-post-policy)
- storage-pathing C2 (orphan reaper), H3-H5 (streaming + content-type
binding)
Tests: 1315/1315 vitest ✅ ; tsc clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
214 lines
7.3 KiB
TypeScript
214 lines
7.3 KiB
TypeScript
'use client';
|
|
|
|
import { useState } from 'react';
|
|
import { useMutation, useQueryClient } from '@tanstack/react-query';
|
|
import { AlertTriangle, Loader2, Mail } from 'lucide-react';
|
|
import { toast } from 'sonner';
|
|
|
|
import {
|
|
Dialog,
|
|
DialogContent,
|
|
DialogDescription,
|
|
DialogFooter,
|
|
DialogHeader,
|
|
DialogTitle,
|
|
} from '@/components/ui/dialog';
|
|
import { Button } from '@/components/ui/button';
|
|
import { Input } from '@/components/ui/input';
|
|
import { Label } from '@/components/ui/label';
|
|
import { WarningCallout } from '@/components/ui/warning-callout';
|
|
import { apiFetch } from '@/lib/api/client';
|
|
import { toastError } from '@/lib/api/toast-error';
|
|
|
|
interface Props {
|
|
open: boolean;
|
|
onOpenChange: (open: boolean) => void;
|
|
clientId: string;
|
|
clientName: string;
|
|
/** Called after successful delete, e.g. to navigate away. */
|
|
onDeleted?: () => void;
|
|
}
|
|
|
|
type Stage = 'intent' | 'confirm';
|
|
|
|
/**
|
|
* Outer wrapper keeps the Dialog mounted (so its close animation runs);
|
|
* the body only mounts when `open` is true and remounts on each
|
|
* open via the `clientId` key. This avoids the open→reset-state
|
|
* useEffect that React Compiler flags — fresh state per open is just
|
|
* the natural mount.
|
|
*/
|
|
export function HardDeleteDialog(props: Props) {
|
|
return (
|
|
<Dialog open={props.open} onOpenChange={props.onOpenChange}>
|
|
<DialogContent className="sm:max-w-md">
|
|
{props.open && <HardDeleteDialogBody key={props.clientId} {...props} />}
|
|
</DialogContent>
|
|
</Dialog>
|
|
);
|
|
}
|
|
|
|
function HardDeleteDialogBody({ onOpenChange, clientId, clientName, onDeleted }: Props) {
|
|
const qc = useQueryClient();
|
|
const [stage, setStage] = useState<Stage>('intent');
|
|
const [code, setCode] = useState('');
|
|
const [typedName, setTypedName] = useState('');
|
|
const [maskedEmail, setMaskedEmail] = useState<string | null>(null);
|
|
|
|
const requestCode = useMutation({
|
|
mutationFn: () =>
|
|
apiFetch<{ data: { sentToMaskedEmail: string } }>(
|
|
`/api/v1/clients/${clientId}/hard-delete-request`,
|
|
{ method: 'POST' },
|
|
),
|
|
onSuccess: (res) => {
|
|
setMaskedEmail(res.data.sentToMaskedEmail);
|
|
setStage('confirm');
|
|
toast.success(`Code sent to ${res.data.sentToMaskedEmail}`);
|
|
},
|
|
onError: (err: unknown) => {
|
|
toastError(err, 'Failed to send code');
|
|
},
|
|
});
|
|
|
|
const hardDelete = useMutation({
|
|
mutationFn: () =>
|
|
apiFetch<{ data: { deletedClientId: string } }>(`/api/v1/clients/${clientId}/hard-delete`, {
|
|
method: 'POST',
|
|
body: { code, typedName },
|
|
}),
|
|
onSuccess: () => {
|
|
toast.success(`${clientName} permanently deleted.`);
|
|
qc.invalidateQueries({ queryKey: ['clients'] });
|
|
onOpenChange(false);
|
|
onDeleted?.();
|
|
},
|
|
onError: (err: unknown) => {
|
|
toastError(err, 'Delete failed');
|
|
},
|
|
});
|
|
|
|
const nameMatches = typedName.trim().toLowerCase() === clientName.trim().toLowerCase();
|
|
const codeValid = /^\d{4}$/.test(code.trim());
|
|
|
|
return (
|
|
<>
|
|
<DialogHeader>
|
|
<DialogTitle className="flex items-center gap-2 text-destructive">
|
|
<AlertTriangle className="h-5 w-5" aria-hidden />
|
|
Permanently delete {clientName}
|
|
</DialogTitle>
|
|
<DialogDescription>
|
|
This permanently removes the client record and detaches all related history (signed
|
|
documents, emails, files). It cannot be undone.
|
|
</DialogDescription>
|
|
</DialogHeader>
|
|
|
|
{stage === 'intent' ? (
|
|
<div className="space-y-3 text-sm">
|
|
<p className="text-muted-foreground">
|
|
Permanent deletion is reserved for archived clients only. We’ll email a 4-digit
|
|
confirmation code to your account address. The code expires in 10 minutes.
|
|
</p>
|
|
<WarningCallout title="What gets deleted">
|
|
<ul className="mt-1.5 list-disc pl-5 text-xs space-y-0.5">
|
|
<li>Client record + addresses, contacts, notes, tags</li>
|
|
<li>Portal user account + GDPR consent records</li>
|
|
<li>All pipeline interests + reservations for this client</li>
|
|
</ul>
|
|
<p className="font-medium mt-2">What is preserved</p>
|
|
<ul className="mt-1.5 list-disc pl-5 text-xs space-y-0.5">
|
|
<li>Signed documents (detached from client, kept for legal history)</li>
|
|
<li>Email threads, files, reminders (detached)</li>
|
|
<li>Audit log entries</li>
|
|
</ul>
|
|
</WarningCallout>
|
|
</div>
|
|
) : (
|
|
<div className="space-y-3">
|
|
<div className="flex items-start gap-2 rounded-md border border-blue-300 bg-blue-50 p-3 text-xs text-blue-900">
|
|
<Mail className="h-4 w-4 shrink-0 mt-0.5" aria-hidden />
|
|
<div className="flex-1">
|
|
<div>
|
|
Code sent to <span className="font-mono">{maskedEmail}</span>. It expires in 10
|
|
minutes.
|
|
</div>
|
|
<button
|
|
type="button"
|
|
onClick={() => {
|
|
setCode('');
|
|
requestCode.mutate();
|
|
}}
|
|
disabled={requestCode.isPending}
|
|
className="mt-1 text-blue-700 underline-offset-2 hover:underline disabled:opacity-60"
|
|
>
|
|
{requestCode.isPending ? 'Sending…' : 'Send a new code'}
|
|
</button>
|
|
</div>
|
|
</div>
|
|
<div className="space-y-1.5">
|
|
<Label htmlFor="hd-code">4-digit code from email</Label>
|
|
<Input
|
|
id="hd-code"
|
|
inputMode="numeric"
|
|
maxLength={4}
|
|
value={code}
|
|
onChange={(e) => setCode(e.target.value.replace(/\D/g, ''))}
|
|
placeholder="0000"
|
|
className="font-mono tracking-[0.4em] text-center text-lg"
|
|
autoComplete="off"
|
|
/>
|
|
</div>
|
|
<div className="space-y-1.5">
|
|
<Label htmlFor="hd-name">
|
|
Type <span className="font-semibold">{clientName}</span> to confirm
|
|
</Label>
|
|
<Input
|
|
id="hd-name"
|
|
value={typedName}
|
|
onChange={(e) => setTypedName(e.target.value)}
|
|
placeholder={clientName}
|
|
autoComplete="off"
|
|
/>
|
|
</div>
|
|
</div>
|
|
)}
|
|
|
|
<DialogFooter>
|
|
<Button variant="outline" onClick={() => onOpenChange(false)}>
|
|
Cancel
|
|
</Button>
|
|
{stage === 'intent' ? (
|
|
<Button
|
|
variant="destructive"
|
|
onClick={() => requestCode.mutate()}
|
|
disabled={requestCode.isPending}
|
|
>
|
|
{requestCode.isPending ? (
|
|
<>
|
|
<Loader2 className="h-4 w-4 animate-spin mr-1.5" aria-hidden /> Sending…
|
|
</>
|
|
) : (
|
|
'Send confirmation code'
|
|
)}
|
|
</Button>
|
|
) : (
|
|
<Button
|
|
variant="destructive"
|
|
onClick={() => hardDelete.mutate()}
|
|
disabled={!codeValid || !nameMatches || hardDelete.isPending}
|
|
>
|
|
{hardDelete.isPending ? (
|
|
<>
|
|
<Loader2 className="h-4 w-4 animate-spin mr-1.5" aria-hidden /> Deleting…
|
|
</>
|
|
) : (
|
|
'Permanently delete'
|
|
)}
|
|
</Button>
|
|
)}
|
|
</DialogFooter>
|
|
</>
|
|
);
|
|
}
|