Matt
ebdd8408bf
Final pass over the unaddressed AUDIT-2026-05-12 dossiers, taking the
tractable Critical/High items from each:
error-ux-auditor (5 items)
- C2: 17 toast.error(err.message) sites swept to toastError(err, …) so
every user-visible failure carries a copy-paste Reference ID
- C3: apiFetch synthesizes a client-side correlation id when a 5xx
comes back with a non-JSON body (reverse-proxy HTML pages); message
becomes "The server is unreachable. Please try again." with code
UPSTREAM_UNREACHABLE
- C4: checkRateLimit fails OPEN when Redis is unavailable so an outage
no longer 500s login + portal sign-in; logged at warn so monitoring
catches it
- H2: StorageTimeoutError (name='TimeoutError') replaces the plain
Error throw in s3.ts withTimeout — error-classifier hints fire now
- H5: errorResponse() adopted across /api/storage/[token],
/api/public/website-inquiries, and the Documenso webhook body (drops
the "Invalid secret" reconnaissance string)
outbound-webhook-auditor (5 items)
- C1: signature is now HMAC(secret, `${ts}.${body}`) with the
timestamp surfaced as X-Webhook-Timestamp so receivers can reject
replays outside a freshness window
- C3: dead-letter with reason missing_signing_secret when secret is
null (defence-in-depth against DB tampering / future migration
mistakes)
- H2: webhooks queue bumped to maxAttempts=8 with 30 s base
exponential backoff so a 30 s receiver blip during a deploy no
longer dead-letters every in-flight event; per-queue
backoffDelayMs added to QUEUE_CONFIGS
- M1: SSRF denylist gains Oracle Cloud metadata 192.0.0.192
- M2: dispatch-time https:// assertion before fetch, so a bad DB edit
can't slip plaintext through
storage-pathing-auditor (2 items)
- H1: berth-PDF presigned-upload keys now `${portSlug}/berths/…/…`
with portSlug threaded into backend.presignUpload — engages the
filesystem-proxy port-binding `p` token verifier
- H2: presignDownloadUrl auto-derives portSlug from the key's first
segment when callers don't pass it, so all 8 download sites engage
the `p`-token guard without per-site plumbing
search-auditor (1 item)
- H3: removed dead void wantEmail; void wantPhone; pair plus the
unused looksLikeEmail helper — the bucket-reorder it was scaffolded
for was never wired
maintainability-auditor (1 item)
- M2: swept seven abandoned `void <symbol>` markers and their dead
imports across clients/bulk, interests/bulk, admin/email-templates,
admin/website-submissions, alert-rules, and notes.service
Deferred to future work (substantial refactors, schema migrations, or
multi-file UI work):
- error-ux M3-M8 (global-error.tsx, per-route loading.tsx coverage,
ErrorBanner component, /api/ready route, worker DLQ admin surface)
- maintainability C1-C4 (documents/search/notes service splits,
interest-tabs split — multi-hour refactors)
- currency C1-H5 (mixed-currency dashboard aggregation, FX history
table, rounding policy) — wait for second non-USD port
- outbound-webhook C2 (deliveries reaper job), H1 (DNS-rebind TOCTOU
with undici Agent), H3 (circuit-breaker), H5 (presigned-post-policy)
- storage-pathing C2 (orphan reaper), H3-H5 (streaming + content-type
binding)
Tests: 1315/1315 vitest ✅ ; tsc clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
173 lines
6.0 KiB
TypeScript
173 lines
6.0 KiB
TypeScript
'use client';
|
|
|
|
import { useUIStore } from '@/stores/ui-store';
|
|
|
|
export interface ApiFetchOptions extends Omit<RequestInit, 'body'> {
|
|
body?: unknown;
|
|
}
|
|
|
|
/** In-memory cache: slug -> id, populated lazily by `resolvePortIdFromSlug`.
|
|
* Avoids re-fetching `/api/v1/admin/ports` on every request when the Zustand
|
|
* store hasn't hydrated yet (fresh browser context, e2e tests, hard reload). */
|
|
const slugToIdCache = new Map<string, string>();
|
|
/** Dedupe in-flight admin/ports lookups so a stampede of parallel apiFetch
|
|
* calls (typical on dashboard mount) collapses into a single network round-
|
|
* trip instead of N. */
|
|
let inFlightPortsLookup: Promise<Array<{ id: string; slug: string }> | null> | null = null;
|
|
|
|
async function resolvePortIdFromSlug(slug: string): Promise<string | null> {
|
|
const cached = slugToIdCache.get(slug);
|
|
if (cached) return cached;
|
|
if (!inFlightPortsLookup) {
|
|
inFlightPortsLookup = (async () => {
|
|
try {
|
|
const res = await fetch('/api/v1/admin/ports', { credentials: 'include' });
|
|
if (!res.ok) return null;
|
|
const body = (await res.json()) as { data?: Array<{ id: string; slug: string }> };
|
|
return body.data ?? null;
|
|
} catch {
|
|
return null;
|
|
}
|
|
})().finally(() => {
|
|
inFlightPortsLookup = null;
|
|
});
|
|
}
|
|
const ports = await inFlightPortsLookup;
|
|
const port = ports?.find((p) => p.slug === slug);
|
|
if (!port) return null;
|
|
slugToIdCache.set(slug, port.id);
|
|
return port.id;
|
|
}
|
|
|
|
/**
|
|
* Client-side fetch wrapper that attaches the `X-Port-Id` header to
|
|
* every request.
|
|
*
|
|
* multi-port-auditor C1: the URL slug is authoritative — Zustand
|
|
* is a cache that lags by one render after `PortProvider`'s reconcile
|
|
* effect commits. The previous Zustand-first lookup caused first-load
|
|
* queries on a freshly-navigated port to fire with the PRIOR port's
|
|
* id and render cross-port data inside the new shell. Now we resolve
|
|
* the slug from `window.location.pathname` first and fall back to
|
|
* Zustand only when the URL doesn't carry a port slug (e.g. /dashboard
|
|
* / non-portSlug routes).
|
|
*/
|
|
export async function apiFetch<T = unknown>(url: string, opts: ApiFetchOptions = {}): Promise<T> {
|
|
let portId: string | null = null;
|
|
|
|
if (typeof window !== 'undefined') {
|
|
const slug = window.location.pathname.split('/').filter(Boolean)[0];
|
|
if (slug && slug !== 'login' && slug !== 'portal' && slug !== 'api' && slug !== 'dashboard') {
|
|
portId = await resolvePortIdFromSlug(slug);
|
|
}
|
|
}
|
|
|
|
// Fall back to the Zustand cache when the URL didn't yield a port —
|
|
// e.g. global routes (/dashboard) where the rep hasn't picked a port
|
|
// yet but a previous session set one.
|
|
if (!portId) {
|
|
portId = useUIStore.getState().currentPortId;
|
|
}
|
|
|
|
const headers = new Headers(opts.headers);
|
|
if (portId) {
|
|
headers.set('X-Port-Id', portId);
|
|
}
|
|
if (opts.body !== undefined && !headers.has('Content-Type')) {
|
|
headers.set('Content-Type', 'application/json');
|
|
}
|
|
|
|
const res = await fetch(url, {
|
|
...opts,
|
|
headers,
|
|
credentials: 'include',
|
|
body: opts.body !== undefined ? JSON.stringify(opts.body) : undefined,
|
|
});
|
|
|
|
if (!res.ok) {
|
|
// error-ux-auditor C3: reverse-proxy 502/504 pages deliver HTML, not
|
|
// JSON. The previous code silently degraded to
|
|
// `{error: res.statusText}` which surfaced "Bad Gateway" with no
|
|
// requestId and no copy-pasteable correlation handle. Detect the
|
|
// proxy-error shape (5xx + JSON parse fail) and synthesize a
|
|
// client-side correlation id so the toast still has *something* the
|
|
// user can quote to support.
|
|
const error = (await res.json().catch(() => null)) as {
|
|
error?: string;
|
|
message?: string;
|
|
code?: string;
|
|
details?: unknown;
|
|
requestId?: string;
|
|
retryAfter?: number;
|
|
} | null;
|
|
const upstreamRequestId = res.headers.get('x-request-id');
|
|
if (error === null) {
|
|
const isProxyFailure = res.status >= 500;
|
|
// Short, copy-pasteable client-side handle so support can grep
|
|
// the front-end logs even when the proxy never reached our app.
|
|
const synthId =
|
|
upstreamRequestId ??
|
|
`client-${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 8)}`;
|
|
throw new ApiError({
|
|
message: isProxyFailure
|
|
? 'The server is unreachable. Please try again.'
|
|
: res.statusText || 'Request failed',
|
|
status: res.status,
|
|
code: isProxyFailure ? 'UPSTREAM_UNREACHABLE' : null,
|
|
details: null,
|
|
requestId: synthId,
|
|
retryAfter: null,
|
|
});
|
|
}
|
|
const requestId = error.requestId ?? upstreamRequestId ?? null;
|
|
throw new ApiError({
|
|
message: error.error ?? error.message ?? 'Request failed',
|
|
status: res.status,
|
|
code: error.code ?? null,
|
|
details: error.details ?? null,
|
|
requestId,
|
|
retryAfter: typeof error.retryAfter === 'number' ? error.retryAfter : null,
|
|
});
|
|
}
|
|
|
|
if (res.status === 204) return undefined as T;
|
|
return res.json() as Promise<T>;
|
|
}
|
|
|
|
/**
|
|
* Structured client-side error thrown by `apiFetch`. Carries the stable
|
|
* fields a toast / error boundary needs to render a useful message:
|
|
*
|
|
* - `message`: plain-text, ready to show to the user
|
|
* - `code`: stable error code from `src/lib/error-codes.ts`
|
|
* - `requestId`: paste this to support to find the row in
|
|
* `/admin/errors/<requestId>`
|
|
*
|
|
* Mutations should use the `toastError(err)` helper rather than reading
|
|
* these fields directly — that keeps the toast format consistent.
|
|
*/
|
|
export class ApiError extends Error {
|
|
status: number;
|
|
code: string | null;
|
|
details: unknown;
|
|
requestId: string | null;
|
|
retryAfter: number | null;
|
|
|
|
constructor(args: {
|
|
message: string;
|
|
status: number;
|
|
code: string | null;
|
|
details: unknown;
|
|
requestId: string | null;
|
|
retryAfter: number | null;
|
|
}) {
|
|
super(args.message);
|
|
this.name = 'ApiError';
|
|
this.status = args.status;
|
|
this.code = args.code;
|
|
this.details = args.details;
|
|
this.requestId = args.requestId;
|
|
this.retryAfter = args.retryAfter;
|
|
}
|
|
}
|