LinumIQ/linumiq_net-web_app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(admin): fresh SSR reads, atomic user delete + sanitized errors, cookie-rotation in middleware, no-store on admin APIs

Browse Source
This commit is contained in:
Gerhard Scheikl
2026-05-31 13:15:56 +02:00
parent 61bf6c013c
commit 535b2ef202
23 changed files with 180 additions and 95 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/api/admin/reserved/route.ts
+15 -11
View File
@@ -1,8 +1,9 @@
import { NextResponse, type NextRequest } from 'next/server';
import { type NextRequest } from 'next/server';
import { requireAdminApi } from '@/lib/auth/admin-guard';
import { getSupabaseAdmin } from '@/lib/supabase/admin';
import { logAdminAction } from '@/lib/auth/audit';
import { RESERVED_SUBDOMAINS } from '@/lib/validation';
import { jsonNoStore } from '@/lib/admin/response';
export const runtime = 'nodejs';
export const dynamic = 'force-dynamic';
@@ -19,10 +20,11 @@ export async function GET() {
.select('name, created_at')
.order('name', { ascending: true });
if (error) {
return NextResponse.json({ error: error.message }, { status: 500 });
console.error('admin reserved list failed', error);
return jsonNoStore({ error: 'internal error' }, { status: 500 });
}
return NextResponse.json({
return jsonNoStore({
reserved: data ?? [],
hardcoded: Array.from(RESERVED_SUBDOMAINS).sort(),
});
@@ -36,14 +38,14 @@ export async function POST(req: NextRequest) {
try {
body = (await req.json()) as { name?: unknown };
} catch {
return NextResponse.json({ error: 'invalid json' }, { status: 400 });
return jsonNoStore({ error: 'invalid json' }, { status: 400 });
}
if (typeof body.name !== 'string') {
return NextResponse.json({ error: 'name must be a string' }, { status: 400 });
return jsonNoStore({ error: 'name must be a string' }, { status: 400 });
}
const name = body.name.trim().toLowerCase();
if (!NAME_RE.test(name)) {
return NextResponse.json(
return jsonNoStore(
{ error: 'name must be 163 chars, lowercase az, 09, hyphen' },
{ status: 400 },
);
@@ -54,7 +56,8 @@ export async function POST(req: NextRequest) {
.from('reserved_subdomains')
.upsert({ name }, { onConflict: 'name' });
if (error) {
return NextResponse.json({ error: error.message }, { status: 500 });
console.error('admin reserved add failed', error);
return jsonNoStore({ error: 'internal error' }, { status: 500 });
}
await logAdminAction(auth.user, {
@@ -63,7 +66,7 @@ export async function POST(req: NextRequest) {
target_id: name,
});
return NextResponse.json({ ok: true, name });
return jsonNoStore({ ok: true, name });
}
export async function DELETE(req: NextRequest) {
@@ -73,7 +76,7 @@ export async function DELETE(req: NextRequest) {
const url = new URL(req.url);
const name = (url.searchParams.get('name') ?? '').trim().toLowerCase();
if (!name) {
return NextResponse.json({ error: 'name is required' }, { status: 400 });
return jsonNoStore({ error: 'name is required' }, { status: 400 });
}
const admin = getSupabaseAdmin();
@@ -82,7 +85,8 @@ export async function DELETE(req: NextRequest) {
.delete()
.eq('name', name);
if (error) {
return NextResponse.json({ error: error.message }, { status: 500 });
console.error('admin reserved remove failed', error);
return jsonNoStore({ error: 'internal error' }, { status: 500 });
}
await logAdminAction(auth.user, {
@@ -91,5 +95,5 @@ export async function DELETE(req: NextRequest) {
target_id: name,
});
return NextResponse.json({ ok: true });
return jsonNoStore({ ok: true });
}