fix(admin): fresh SSR reads, atomic user delete + sanitized errors, cookie-rotation in middleware, no-store on admin APIs

2026-05-31 13:15:56 +02:00
parent 61bf6c013c
commit 535b2ef202
23 changed files with 180 additions and 95 deletions
@@ -1,8 +1,9 @@
-import { NextResponse, type NextRequest } from 'next/server';
+import { type NextRequest } from 'next/server';
 import { requireAdminApi } from '@/lib/auth/admin-guard';
 import { getSupabaseAdmin } from '@/lib/supabase/admin';
 import { logAdminAction } from '@/lib/auth/audit';
 import { isUuid } from '@/lib/admin/validators';
+import { jsonNoStore } from '@/lib/admin/response';

 export const runtime = 'nodejs';
 export const dynamic = 'force-dynamic';
@@ -16,10 +17,10 @@ export async function POST(

  const { id } = params;
  if (!isUuid(id)) {
-    return NextResponse.json({ error: 'invalid user id' }, { status: 400 });
+    return jsonNoStore({ error: 'invalid user id' }, { status: 400 });
  }
  if (id === auth.user.id) {
-    return NextResponse.json(
+    return jsonNoStore(
      { error: 'you cannot change your own role' },
      { status: 400 },
    );
@@ -29,10 +30,10 @@ export async function POST(
  try {
    body = (await req.json()) as { role?: unknown };
  } catch {
-    return NextResponse.json({ error: 'invalid json' }, { status: 400 });
+    return jsonNoStore({ error: 'invalid json' }, { status: 400 });
  }
  if (body.role !== 'admin' && body.role !== 'user') {
-    return NextResponse.json(
+    return jsonNoStore(
      { error: "role must be 'admin' or 'user'" },
      { status: 400 },
    );
@@ -45,7 +46,7 @@ export async function POST(
  const { data: existing, error: getErr } =
    await admin.auth.admin.getUserById(id);
  if (getErr || !existing.user) {
-    return NextResponse.json({ error: 'user not found' }, { status: 404 });
+    return jsonNoStore({ error: 'user not found' }, { status: 404 });
  }
  const merged = { ...(existing.user.app_metadata ?? {}), role };

@@ -53,7 +54,8 @@ export async function POST(
    app_metadata: merged,
  });
  if (error) {
-    return NextResponse.json({ error: error.message }, { status: 500 });
+    console.error('admin user.role failed', error);
+    return jsonNoStore({ error: 'internal error' }, { status: 500 });
  }

  await logAdminAction(auth.user, {
@@ -63,5 +65,5 @@ export async function POST(
    details: { role },
  });

-  return NextResponse.json({ ok: true, role });
+  return jsonNoStore({ ok: true, role });
 }