LinumIQ/linumiq_net-web_app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(admin): fresh SSR reads, atomic user delete + sanitized errors, cookie-rotation in middleware, no-store on admin APIs

Browse Source
This commit is contained in:
Gerhard Scheikl
2026-05-31 13:15:56 +02:00
parent 61bf6c013c
commit 535b2ef202
23 changed files with 180 additions and 95 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/api/admin/users/[id]/ban/route.ts
+9 -7
View File
@@ -1,8 +1,9 @@
import { NextResponse, type NextRequest } from 'next/server';
import { type NextRequest } from 'next/server';
import { requireAdminApi } from '@/lib/auth/admin-guard';
import { getSupabaseAdmin } from '@/lib/supabase/admin';
import { logAdminAction } from '@/lib/auth/audit';
import { isUuid, parseBoolean } from '@/lib/admin/validators';
import { jsonNoStore } from '@/lib/admin/response';
export const runtime = 'nodejs';
export const dynamic = 'force-dynamic';
@@ -19,10 +20,10 @@ export async function POST(
const { id } = params;
if (!isUuid(id)) {
return NextResponse.json({ error: 'invalid user id' }, { status: 400 });
return jsonNoStore({ error: 'invalid user id' }, { status: 400 });
}
if (id === auth.user.id) {
return NextResponse.json(
return jsonNoStore(
{ error: 'you cannot ban your own account' },
{ status: 400 },
);
@@ -32,11 +33,11 @@ export async function POST(
try {
body = (await req.json()) as { banned?: unknown };
} catch {
return NextResponse.json({ error: 'invalid json' }, { status: 400 });
return jsonNoStore({ error: 'invalid json' }, { status: 400 });
}
const banned = parseBoolean(body.banned);
if (banned === null) {
return NextResponse.json(
return jsonNoStore(
{ error: 'banned must be a boolean' },
{ status: 400 },
);
@@ -47,7 +48,8 @@ export async function POST(
ban_duration: banned ? BAN_DURATION : 'none',
} as { ban_duration: string });
if (error) {
return NextResponse.json({ error: error.message }, { status: 500 });
console.error('admin user.ban failed', error);
return jsonNoStore({ error: 'internal error' }, { status: 500 });
}
await logAdminAction(auth.user, {
@@ -57,5 +59,5 @@ export async function POST(
details: { banned },
});
return NextResponse.json({ ok: true, banned });
return jsonNoStore({ ok: true, banned });
}
app/api/admin/users/[id]/role/route.ts
+10 -8
View File
@@ -1,8 +1,9 @@
import { NextResponse, type NextRequest } from 'next/server';
import { type NextRequest } from 'next/server';
import { requireAdminApi } from '@/lib/auth/admin-guard';
import { getSupabaseAdmin } from '@/lib/supabase/admin';
import { logAdminAction } from '@/lib/auth/audit';
import { isUuid } from '@/lib/admin/validators';
import { jsonNoStore } from '@/lib/admin/response';
export const runtime = 'nodejs';
export const dynamic = 'force-dynamic';
@@ -16,10 +17,10 @@ export async function POST(
const { id } = params;
if (!isUuid(id)) {
return NextResponse.json({ error: 'invalid user id' }, { status: 400 });
return jsonNoStore({ error: 'invalid user id' }, { status: 400 });
}
if (id === auth.user.id) {
return NextResponse.json(
return jsonNoStore(
{ error: 'you cannot change your own role' },
{ status: 400 },
);
@@ -29,10 +30,10 @@ export async function POST(
try {
body = (await req.json()) as { role?: unknown };
} catch {
return NextResponse.json({ error: 'invalid json' }, { status: 400 });
return jsonNoStore({ error: 'invalid json' }, { status: 400 });
}
if (body.role !== 'admin' && body.role !== 'user') {
return NextResponse.json(
return jsonNoStore(
{ error: "role must be 'admin' or 'user'" },
{ status: 400 },
);
@@ -45,7 +46,7 @@ export async function POST(
const { data: existing, error: getErr } =
await admin.auth.admin.getUserById(id);
if (getErr || !existing.user) {
return NextResponse.json({ error: 'user not found' }, { status: 404 });
return jsonNoStore({ error: 'user not found' }, { status: 404 });
}
const merged = { ...(existing.user.app_metadata ?? {}), role };
@@ -53,7 +54,8 @@ export async function POST(
app_metadata: merged,
});
if (error) {
return NextResponse.json({ error: error.message }, { status: 500 });
console.error('admin user.role failed', error);
return jsonNoStore({ error: 'internal error' }, { status: 500 });
}
await logAdminAction(auth.user, {
@@ -63,5 +65,5 @@ export async function POST(
details: { role },
});
return NextResponse.json({ ok: true, role });
return jsonNoStore({ ok: true, role });
}
app/api/admin/users/[id]/route.ts
+33 -12
View File
@@ -1,8 +1,9 @@
import { NextResponse, type NextRequest } from 'next/server';
import { type NextRequest } from 'next/server';
import { requireAdminApi } from '@/lib/auth/admin-guard';
import { getSupabaseAdmin } from '@/lib/supabase/admin';
import { logAdminAction } from '@/lib/auth/audit';
import { isUuid } from '@/lib/admin/validators';
import { jsonNoStore } from '@/lib/admin/response';
export const runtime = 'nodejs';
export const dynamic = 'force-dynamic';
@@ -27,7 +28,7 @@ export async function GET(
const { id } = params;
if (!isUuid(id)) {
return NextResponse.json({ error: 'invalid user id' }, { status: 400 });
return jsonNoStore({ error: 'invalid user id' }, { status: 400 });
}
const admin = getSupabaseAdmin();
@@ -35,7 +36,7 @@ export async function GET(
const { data: userRes, error: userErr } =
await admin.auth.admin.getUserById(id);
if (userErr || !userRes.user) {
return NextResponse.json({ error: 'user not found' }, { status: 404 });
return jsonNoStore({ error: 'user not found' }, { status: 404 });
}
const u = userRes.user;
@@ -54,7 +55,7 @@ export async function GET(
.order('created_at', { ascending: false })
.limit(25);
return NextResponse.json({
return jsonNoStore({
user: {
id: u.id,
email: u.email ?? null,
@@ -88,10 +89,10 @@ export async function DELETE(
const { id } = params;
if (!isUuid(id)) {
return NextResponse.json({ error: 'invalid user id' }, { status: 400 });
return jsonNoStore({ error: 'invalid user id' }, { status: 400 });
}
if (id === auth.user.id) {
return NextResponse.json(
return jsonNoStore(
{ error: 'you cannot delete your own account' },
{ status: 400 },
);
@@ -99,12 +100,32 @@ export async function DELETE(
const admin = getSupabaseAdmin();
// Remove the tunnel row first (FK to auth.users).
await admin.from('tunnels').delete().eq('user_id', id);
// Delete the AUTH USER first. Only if that succeeds do we remove the tunnel
// row, so a mid-failure never leaves an orphaned auth user with a dangling
// tunnel (or half-deletes the tunnel of an already-gone user).
const { error: delErr } = await admin.auth.admin.deleteUser(id);
if (delErr) {
const httpStatus = (delErr as { status?: number }).status;
const message = (delErr.message ?? '').toLowerCase();
if (httpStatus === 404 || message.includes('not found')) {
return jsonNoStore({ error: 'user not found' }, { status: 404 });
}
console.error('admin user.delete: deleteUser failed', delErr);
return jsonNoStore({ error: 'internal error' }, { status: 500 });
}
const { error } = await admin.auth.admin.deleteUser(id);
if (error) {
return NextResponse.json({ error: error.message }, { status: 500 });
// The auth user is gone, so no orphaned-user state is possible. Removing the
// tunnel row is best-effort cleanup: if it fails we log server-side but still
// report the (already-completed) user deletion as successful.
const { error: tunnelErr } = await admin
.from('tunnels')
.delete()
.eq('user_id', id);
if (tunnelErr) {
console.error(
`admin user.delete: tunnel cleanup failed for ${id}`,
tunnelErr,
);
}
await logAdminAction(auth.user, {
@@ -113,5 +134,5 @@ export async function DELETE(
target_id: id,
});
return NextResponse.json({ ok: true });
return jsonNoStore({ ok: true });
}