LinumIQ/linumiq_net-web_app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(admin): fresh SSR reads, atomic user delete + sanitized errors, cookie-rotation in middleware, no-store on admin APIs

Browse Source
This commit is contained in:
Gerhard Scheikl
2026-05-31 13:15:56 +02:00
parent 61bf6c013c
commit 535b2ef202
23 changed files with 180 additions and 95 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/api/admin/users/[id]/ban/route.ts
+9 -7
View File
@@ -1,8 +1,9 @@
import { NextResponse, type NextRequest } from 'next/server';
import { type NextRequest } from 'next/server';
import { requireAdminApi } from '@/lib/auth/admin-guard';
import { getSupabaseAdmin } from '@/lib/supabase/admin';
import { logAdminAction } from '@/lib/auth/audit';
import { isUuid, parseBoolean } from '@/lib/admin/validators';
import { jsonNoStore } from '@/lib/admin/response';
export const runtime = 'nodejs';
export const dynamic = 'force-dynamic';
@@ -19,10 +20,10 @@ export async function POST(
const { id } = params;
if (!isUuid(id)) {
return NextResponse.json({ error: 'invalid user id' }, { status: 400 });
return jsonNoStore({ error: 'invalid user id' }, { status: 400 });
}
if (id === auth.user.id) {
return NextResponse.json(
return jsonNoStore(
{ error: 'you cannot ban your own account' },
{ status: 400 },
);
@@ -32,11 +33,11 @@ export async function POST(
try {
body = (await req.json()) as { banned?: unknown };
} catch {
return NextResponse.json({ error: 'invalid json' }, { status: 400 });
return jsonNoStore({ error: 'invalid json' }, { status: 400 });
}
const banned = parseBoolean(body.banned);
if (banned === null) {
return NextResponse.json(
return jsonNoStore(
{ error: 'banned must be a boolean' },
{ status: 400 },
);
@@ -47,7 +48,8 @@ export async function POST(
ban_duration: banned ? BAN_DURATION : 'none',
} as { ban_duration: string });
if (error) {
return NextResponse.json({ error: error.message }, { status: 500 });
console.error('admin user.ban failed', error);
return jsonNoStore({ error: 'internal error' }, { status: 500 });
}
await logAdminAction(auth.user, {
@@ -57,5 +59,5 @@ export async function POST(
details: { banned },
});
return NextResponse.json({ ok: true, banned });
return jsonNoStore({ ok: true, banned });
}