LinumIQ/linumiq_net-web_app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(admin): fresh SSR reads, atomic user delete + sanitized errors, cookie-rotation in middleware, no-store on admin APIs

Browse Source
This commit is contained in:
Gerhard Scheikl
2026-05-31 13:15:56 +02:00
parent 61bf6c013c
commit 535b2ef202
23 changed files with 180 additions and 95 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/admin/audit/page.tsx
+1
View File
@@ -2,6 +2,7 @@ import { getAuditList } from '@/lib/admin/list';
import { AuditTable } from './audit-table'; import { AuditTable } from './audit-table';
export const dynamic = 'force-dynamic'; export const dynamic = 'force-dynamic';
export const revalidate = 0;
const PER_PAGE = 50; const PER_PAGE = 50;
app/admin/page.tsx
+1
View File
@@ -4,6 +4,7 @@ import { getSupabaseAdmin } from '@/lib/supabase/admin';
import { formatBytes, formatDate } from '@/lib/format'; import { formatBytes, formatDate } from '@/lib/format';
export const dynamic = 'force-dynamic'; export const dynamic = 'force-dynamic';
export const revalidate = 0;
type OverQuotaRow = { type OverQuotaRow = {
user_id: string; user_id: string;
app/admin/tunnels/page.tsx
+1
View File
@@ -2,6 +2,7 @@ import { getTunnelsList } from '@/lib/admin/list';
import { TunnelsTable } from './tunnels-table'; import { TunnelsTable } from './tunnels-table';
export const dynamic = 'force-dynamic'; export const dynamic = 'force-dynamic';
export const revalidate = 0;
const PER_PAGE = 25; const PER_PAGE = 25;
app/admin/users/[id]/page.tsx
+1
View File
@@ -7,6 +7,7 @@ import { formatBytes, formatDate } from '@/lib/format';
import { UserActions } from './user-actions'; import { UserActions } from './user-actions';
export const dynamic = 'force-dynamic'; export const dynamic = 'force-dynamic';
export const revalidate = 0;
type TunnelRow = { type TunnelRow = {
subdomain: string; subdomain: string;
app/admin/users/page.tsx
+1
View File
@@ -2,6 +2,7 @@ import { getUsersList } from '@/lib/admin/list';
import { UsersTable } from './users-table'; import { UsersTable } from './users-table';
export const dynamic = 'force-dynamic'; export const dynamic = 'force-dynamic';
export const revalidate = 0;
const PER_PAGE = 25; const PER_PAGE = 25;
app/api/admin/audit/route.ts
+5 -3
View File
@@ -1,7 +1,8 @@
import { NextResponse, type NextRequest } from 'next/server'; import { type NextRequest } from 'next/server';
import { requireAdminApi } from '@/lib/auth/admin-guard'; import { requireAdminApi } from '@/lib/auth/admin-guard';
import { parsePageParam, parsePerPageParam } from '@/lib/admin/validators'; import { parsePageParam, parsePerPageParam } from '@/lib/admin/validators';
import { getAuditList } from '@/lib/admin/list'; import { getAuditList } from '@/lib/admin/list';
import { jsonNoStore } from '@/lib/admin/response';
export const runtime = 'nodejs'; export const runtime = 'nodejs';
export const dynamic = 'force-dynamic'; export const dynamic = 'force-dynamic';
@@ -23,8 +24,9 @@ export async function GET(req: NextRequest) {
action, action,
targetType, targetType,
}); });
return NextResponse.json({ entries, total, page, perPage }); return jsonNoStore({ entries, total, page, perPage });
} catch (e) { } catch (e) {
return NextResponse.json({ error: (e as Error).message }, { status: 500 }); console.error('admin audit list failed', e);
return jsonNoStore({ error: 'internal error' }, { status: 500 });
} }
} }
app/api/admin/metrics/route.ts
+2 -2
View File
@@ -1,6 +1,6 @@
import { NextResponse } from 'next/server';
import { requireAdminApi } from '@/lib/auth/admin-guard'; import { requireAdminApi } from '@/lib/auth/admin-guard';
import { computeMetrics } from '@/lib/admin/metrics'; import { computeMetrics } from '@/lib/admin/metrics';
import { jsonNoStore } from '@/lib/admin/response';
export const runtime = 'nodejs'; export const runtime = 'nodejs';
export const dynamic = 'force-dynamic'; export const dynamic = 'force-dynamic';
@@ -10,5 +10,5 @@ export async function GET() {
if (!auth.ok) return auth.response; if (!auth.ok) return auth.response;
const metrics = await computeMetrics(); const metrics = await computeMetrics();
return NextResponse.json(metrics); return jsonNoStore(metrics);
} }
app/api/admin/reserved/route.ts
+15 -11
View File
@@ -1,8 +1,9 @@
import { NextResponse, type NextRequest } from 'next/server'; import { type NextRequest } from 'next/server';
import { requireAdminApi } from '@/lib/auth/admin-guard'; import { requireAdminApi } from '@/lib/auth/admin-guard';
import { getSupabaseAdmin } from '@/lib/supabase/admin'; import { getSupabaseAdmin } from '@/lib/supabase/admin';
import { logAdminAction } from '@/lib/auth/audit'; import { logAdminAction } from '@/lib/auth/audit';
import { RESERVED_SUBDOMAINS } from '@/lib/validation'; import { RESERVED_SUBDOMAINS } from '@/lib/validation';
import { jsonNoStore } from '@/lib/admin/response';
export const runtime = 'nodejs'; export const runtime = 'nodejs';
export const dynamic = 'force-dynamic'; export const dynamic = 'force-dynamic';
@@ -19,10 +20,11 @@ export async function GET() {
.select('name, created_at') .select('name, created_at')
.order('name', { ascending: true }); .order('name', { ascending: true });
if (error) { if (error) {
return NextResponse.json({ error: error.message }, { status: 500 }); console.error('admin reserved list failed', error);
return jsonNoStore({ error: 'internal error' }, { status: 500 });
} }
return NextResponse.json({ return jsonNoStore({
reserved: data ?? [], reserved: data ?? [],
hardcoded: Array.from(RESERVED_SUBDOMAINS).sort(), hardcoded: Array.from(RESERVED_SUBDOMAINS).sort(),
}); });
@@ -36,14 +38,14 @@ export async function POST(req: NextRequest) {
try { try {
body = (await req.json()) as { name?: unknown }; body = (await req.json()) as { name?: unknown };
} catch { } catch {
return NextResponse.json({ error: 'invalid json' }, { status: 400 }); return jsonNoStore({ error: 'invalid json' }, { status: 400 });
} }
if (typeof body.name !== 'string') { if (typeof body.name !== 'string') {
return NextResponse.json({ error: 'name must be a string' }, { status: 400 }); return jsonNoStore({ error: 'name must be a string' }, { status: 400 });
} }
const name = body.name.trim().toLowerCase(); const name = body.name.trim().toLowerCase();
if (!NAME_RE.test(name)) { if (!NAME_RE.test(name)) {
return NextResponse.json( return jsonNoStore(
{ error: 'name must be 163 chars, lowercase az, 09, hyphen' }, { error: 'name must be 163 chars, lowercase az, 09, hyphen' },
{ status: 400 }, { status: 400 },
); );
@@ -54,7 +56,8 @@ export async function POST(req: NextRequest) {
.from('reserved_subdomains') .from('reserved_subdomains')
.upsert({ name }, { onConflict: 'name' }); .upsert({ name }, { onConflict: 'name' });
if (error) { if (error) {
return NextResponse.json({ error: error.message }, { status: 500 }); console.error('admin reserved add failed', error);
return jsonNoStore({ error: 'internal error' }, { status: 500 });
} }
await logAdminAction(auth.user, { await logAdminAction(auth.user, {
@@ -63,7 +66,7 @@ export async function POST(req: NextRequest) {
target_id: name, target_id: name,
}); });
return NextResponse.json({ ok: true, name }); return jsonNoStore({ ok: true, name });
} }
export async function DELETE(req: NextRequest) { export async function DELETE(req: NextRequest) {
@@ -73,7 +76,7 @@ export async function DELETE(req: NextRequest) {
const url = new URL(req.url); const url = new URL(req.url);
const name = (url.searchParams.get('name') ?? '').trim().toLowerCase(); const name = (url.searchParams.get('name') ?? '').trim().toLowerCase();
if (!name) { if (!name) {
return NextResponse.json({ error: 'name is required' }, { status: 400 }); return jsonNoStore({ error: 'name is required' }, { status: 400 });
} }
const admin = getSupabaseAdmin(); const admin = getSupabaseAdmin();
@@ -82,7 +85,8 @@ export async function DELETE(req: NextRequest) {
.delete() .delete()
.eq('name', name); .eq('name', name);
if (error) { if (error) {
return NextResponse.json({ error: error.message }, { status: 500 }); console.error('admin reserved remove failed', error);
return jsonNoStore({ error: 'internal error' }, { status: 500 });
} }
await logAdminAction(auth.user, { await logAdminAction(auth.user, {
@@ -91,5 +95,5 @@ export async function DELETE(req: NextRequest) {
target_id: name, target_id: name,
}); });
return NextResponse.json({ ok: true }); return jsonNoStore({ ok: true });
} }
app/api/admin/tunnels/[id]/active/route.ts
+9 -7
View File
@@ -1,9 +1,10 @@
import { NextResponse, type NextRequest } from 'next/server'; import { type NextRequest } from 'next/server';
import { requireAdminApi } from '@/lib/auth/admin-guard'; import { requireAdminApi } from '@/lib/auth/admin-guard';
import { getSupabaseAdmin } from '@/lib/supabase/admin'; import { getSupabaseAdmin } from '@/lib/supabase/admin';
import { logAdminAction } from '@/lib/auth/audit'; import { logAdminAction } from '@/lib/auth/audit';
import { isUuid, parseBoolean } from '@/lib/admin/validators'; import { isUuid, parseBoolean } from '@/lib/admin/validators';
import { redisSet } from '@/lib/redis'; import { redisSet } from '@/lib/redis';
import { jsonNoStore } from '@/lib/admin/response';
export const runtime = 'nodejs'; export const runtime = 'nodejs';
export const dynamic = 'force-dynamic'; export const dynamic = 'force-dynamic';
@@ -17,18 +18,18 @@ export async function POST(
const { id } = params; const { id } = params;
if (!isUuid(id)) { if (!isUuid(id)) {
return NextResponse.json({ error: 'invalid tunnel id' }, { status: 400 }); return jsonNoStore({ error: 'invalid tunnel id' }, { status: 400 });
} }
let body: { is_active?: unknown }; let body: { is_active?: unknown };
try { try {
body = (await req.json()) as { is_active?: unknown }; body = (await req.json()) as { is_active?: unknown };
} catch { } catch {
return NextResponse.json({ error: 'invalid json' }, { status: 400 }); return jsonNoStore({ error: 'invalid json' }, { status: 400 });
} }
const isActive = parseBoolean(body.is_active); const isActive = parseBoolean(body.is_active);
if (isActive === null) { if (isActive === null) {
return NextResponse.json( return jsonNoStore(
{ error: 'is_active must be a boolean' }, { error: 'is_active must be a boolean' },
{ status: 400 }, { status: 400 },
); );
@@ -42,10 +43,11 @@ export async function POST(
.select('subdomain') .select('subdomain')
.maybeSingle<{ subdomain: string }>(); .maybeSingle<{ subdomain: string }>();
if (error) { if (error) {
return NextResponse.json({ error: error.message }, { status: 500 }); console.error('admin tunnel.active failed', error);
return jsonNoStore({ error: 'internal error' }, { status: 500 });
} }
if (!data) { if (!data) {
return NextResponse.json({ error: 'tunnel not found' }, { status: 404 }); return jsonNoStore({ error: 'tunnel not found' }, { status: 404 });
} }
// Best-effort live kill-switch (never throws). // Best-effort live kill-switch (never throws).
@@ -58,5 +60,5 @@ export async function POST(
details: { subdomain: data.subdomain, is_active: isActive }, details: { subdomain: data.subdomain, is_active: isActive },
}); });
return NextResponse.json({ ok: true, is_active: isActive }); return jsonNoStore({ ok: true, is_active: isActive });
} }
app/api/admin/tunnels/[id]/quota/route.ts
+9 -7
View File
@@ -1,8 +1,9 @@
import { NextResponse, type NextRequest } from 'next/server'; import { type NextRequest } from 'next/server';
import { requireAdminApi } from '@/lib/auth/admin-guard'; import { requireAdminApi } from '@/lib/auth/admin-guard';
import { getSupabaseAdmin } from '@/lib/supabase/admin'; import { getSupabaseAdmin } from '@/lib/supabase/admin';
import { logAdminAction } from '@/lib/auth/audit'; import { logAdminAction } from '@/lib/auth/audit';
import { isUuid, parsePositiveInt } from '@/lib/admin/validators'; import { isUuid, parsePositiveInt } from '@/lib/admin/validators';
import { jsonNoStore } from '@/lib/admin/response';
export const runtime = 'nodejs'; export const runtime = 'nodejs';
export const dynamic = 'force-dynamic'; export const dynamic = 'force-dynamic';
@@ -19,18 +20,18 @@ export async function POST(
const { id } = params; const { id } = params;
if (!isUuid(id)) { if (!isUuid(id)) {
return NextResponse.json({ error: 'invalid tunnel id' }, { status: 400 }); return jsonNoStore({ error: 'invalid tunnel id' }, { status: 400 });
} }
let body: { quota_bytes?: unknown }; let body: { quota_bytes?: unknown };
try { try {
body = (await req.json()) as { quota_bytes?: unknown }; body = (await req.json()) as { quota_bytes?: unknown };
} catch { } catch {
return NextResponse.json({ error: 'invalid json' }, { status: 400 }); return jsonNoStore({ error: 'invalid json' }, { status: 400 });
} }
const parsed = parsePositiveInt(body.quota_bytes, MAX_QUOTA); const parsed = parsePositiveInt(body.quota_bytes, MAX_QUOTA);
if (!parsed.ok) { if (!parsed.ok) {
return NextResponse.json( return jsonNoStore(
{ error: `quota_bytes ${parsed.error}` }, { error: `quota_bytes ${parsed.error}` },
{ status: 400 }, { status: 400 },
); );
@@ -44,10 +45,11 @@ export async function POST(
.select('subdomain') .select('subdomain')
.maybeSingle<{ subdomain: string }>(); .maybeSingle<{ subdomain: string }>();
if (error) { if (error) {
return NextResponse.json({ error: error.message }, { status: 500 }); console.error('admin tunnel.quota failed', error);
return jsonNoStore({ error: 'internal error' }, { status: 500 });
} }
if (!data) { if (!data) {
return NextResponse.json({ error: 'tunnel not found' }, { status: 404 }); return jsonNoStore({ error: 'tunnel not found' }, { status: 404 });
} }
await logAdminAction(auth.user, { await logAdminAction(auth.user, {
@@ -57,5 +59,5 @@ export async function POST(
details: { subdomain: data.subdomain, quota_bytes: parsed.value }, details: { subdomain: data.subdomain, quota_bytes: parsed.value },
}); });
return NextResponse.json({ ok: true, quota_bytes: parsed.value }); return jsonNoStore({ ok: true, quota_bytes: parsed.value });
} }
app/api/admin/tunnels/[id]/reassign/route.ts
+12 -10
View File
@@ -1,10 +1,11 @@
import { NextResponse, type NextRequest } from 'next/server'; import { type NextRequest } from 'next/server';
import { requireAdminApi } from '@/lib/auth/admin-guard'; import { requireAdminApi } from '@/lib/auth/admin-guard';
import { getSupabaseAdmin } from '@/lib/supabase/admin'; import { getSupabaseAdmin } from '@/lib/supabase/admin';
import { logAdminAction } from '@/lib/auth/audit'; import { logAdminAction } from '@/lib/auth/audit';
import { isUuid } from '@/lib/admin/validators'; import { isUuid } from '@/lib/admin/validators';
import { validateSubdomain } from '@/lib/validation'; import { validateSubdomain } from '@/lib/validation';
import { isSubdomainReserved } from '@/lib/admin/reserved'; import { isSubdomainReserved } from '@/lib/admin/reserved';
import { jsonNoStore } from '@/lib/admin/response';
export const runtime = 'nodejs'; export const runtime = 'nodejs';
export const dynamic = 'force-dynamic'; export const dynamic = 'force-dynamic';
@@ -18,26 +19,26 @@ export async function POST(
const { id } = params; const { id } = params;
if (!isUuid(id)) { if (!isUuid(id)) {
return NextResponse.json({ error: 'invalid tunnel id' }, { status: 400 }); return jsonNoStore({ error: 'invalid tunnel id' }, { status: 400 });
} }
let body: { subdomain?: unknown }; let body: { subdomain?: unknown };
try { try {
body = (await req.json()) as { subdomain?: unknown }; body = (await req.json()) as { subdomain?: unknown };
} catch { } catch {
return NextResponse.json({ error: 'invalid json' }, { status: 400 }); return jsonNoStore({ error: 'invalid json' }, { status: 400 });
} }
// Same validation as the user-facing claim flow (format + hardcoded reserved). // Same validation as the user-facing claim flow (format + hardcoded reserved).
const v = validateSubdomain(body.subdomain); const v = validateSubdomain(body.subdomain);
if (!v.ok) { if (!v.ok) {
return NextResponse.json({ error: v.error }, { status: 400 }); return jsonNoStore({ error: v.error }, { status: 400 });
} }
const subdomain = v.value; const subdomain = v.value;
// Also reject anything reserved in the DB table. // Also reject anything reserved in the DB table.
if (await isSubdomainReserved(subdomain)) { if (await isSubdomainReserved(subdomain)) {
return NextResponse.json( return jsonNoStore(
{ error: `'${subdomain}' is reserved` }, { error: `'${subdomain}' is reserved` },
{ status: 400 }, { status: 400 },
); );
@@ -52,7 +53,7 @@ export async function POST(
.eq('subdomain', subdomain) .eq('subdomain', subdomain)
.maybeSingle<{ user_id: string }>(); .maybeSingle<{ user_id: string }>();
if (existing && existing.user_id !== id) { if (existing && existing.user_id !== id) {
return NextResponse.json({ error: 'subdomain taken' }, { status: 409 }); return jsonNoStore({ error: 'subdomain taken' }, { status: 409 });
} }
const { data, error } = await admin const { data, error } = await admin
@@ -64,12 +65,13 @@ export async function POST(
if (error) { if (error) {
const code = (error as { code?: string }).code; const code = (error as { code?: string }).code;
if (code === '23505') { if (code === '23505') {
return NextResponse.json({ error: 'subdomain taken' }, { status: 409 }); return jsonNoStore({ error: 'subdomain taken' }, { status: 409 });
} }
return NextResponse.json({ error: error.message }, { status: 500 }); console.error('admin tunnel.reassign failed', error);
return jsonNoStore({ error: 'internal error' }, { status: 500 });
} }
if (!data) { if (!data) {
return NextResponse.json({ error: 'tunnel not found' }, { status: 404 }); return jsonNoStore({ error: 'tunnel not found' }, { status: 404 });
} }
await logAdminAction(auth.user, { await logAdminAction(auth.user, {
@@ -79,5 +81,5 @@ export async function POST(
details: { subdomain }, details: { subdomain },
}); });
return NextResponse.json({ ok: true, subdomain }); return jsonNoStore({ ok: true, subdomain });
} }
app/api/admin/tunnels/[id]/regenerate-token/route.ts
+7 -5
View File
@@ -1,9 +1,10 @@
import { NextResponse, type NextRequest } from 'next/server'; import { type NextRequest } from 'next/server';
import { randomBytes } from 'node:crypto'; import { randomBytes } from 'node:crypto';
import { requireAdminApi } from '@/lib/auth/admin-guard'; import { requireAdminApi } from '@/lib/auth/admin-guard';
import { getSupabaseAdmin } from '@/lib/supabase/admin'; import { getSupabaseAdmin } from '@/lib/supabase/admin';
import { logAdminAction } from '@/lib/auth/audit'; import { logAdminAction } from '@/lib/auth/audit';
import { isUuid } from '@/lib/admin/validators'; import { isUuid } from '@/lib/admin/validators';
import { jsonNoStore } from '@/lib/admin/response';
export const runtime = 'nodejs'; export const runtime = 'nodejs';
export const dynamic = 'force-dynamic'; export const dynamic = 'force-dynamic';
@@ -17,7 +18,7 @@ export async function POST(
const { id } = params; const { id } = params;
if (!isUuid(id)) { if (!isUuid(id)) {
return NextResponse.json({ error: 'invalid tunnel id' }, { status: 400 }); return jsonNoStore({ error: 'invalid tunnel id' }, { status: 400 });
} }
const token = randomBytes(32).toString('hex'); const token = randomBytes(32).toString('hex');
@@ -30,10 +31,11 @@ export async function POST(
.select('subdomain, token') .select('subdomain, token')
.maybeSingle<{ subdomain: string; token: string }>(); .maybeSingle<{ subdomain: string; token: string }>();
if (error) { if (error) {
return NextResponse.json({ error: error.message }, { status: 500 }); console.error('admin tunnel.regenerate_token failed', error);
return jsonNoStore({ error: 'internal error' }, { status: 500 });
} }
if (!data) { if (!data) {
return NextResponse.json({ error: 'tunnel not found' }, { status: 404 }); return jsonNoStore({ error: 'tunnel not found' }, { status: 404 });
} }
await logAdminAction(auth.user, { await logAdminAction(auth.user, {
@@ -43,5 +45,5 @@ export async function POST(
details: { subdomain: data.subdomain }, details: { subdomain: data.subdomain },
}); });
return NextResponse.json({ ok: true, token: data.token }); return jsonNoStore({ ok: true, token: data.token });
} }
app/api/admin/tunnels/[id]/reset-usage/route.ts
+7 -5
View File
@@ -1,8 +1,9 @@
import { NextResponse, type NextRequest } from 'next/server'; import { type NextRequest } from 'next/server';
import { requireAdminApi } from '@/lib/auth/admin-guard'; import { requireAdminApi } from '@/lib/auth/admin-guard';
import { getSupabaseAdmin } from '@/lib/supabase/admin'; import { getSupabaseAdmin } from '@/lib/supabase/admin';
import { logAdminAction } from '@/lib/auth/audit'; import { logAdminAction } from '@/lib/auth/audit';
import { isUuid } from '@/lib/admin/validators'; import { isUuid } from '@/lib/admin/validators';
import { jsonNoStore } from '@/lib/admin/response';
export const runtime = 'nodejs'; export const runtime = 'nodejs';
export const dynamic = 'force-dynamic'; export const dynamic = 'force-dynamic';
@@ -16,7 +17,7 @@ export async function POST(
const { id } = params; const { id } = params;
if (!isUuid(id)) { if (!isUuid(id)) {
return NextResponse.json({ error: 'invalid tunnel id' }, { status: 400 }); return jsonNoStore({ error: 'invalid tunnel id' }, { status: 400 });
} }
const admin = getSupabaseAdmin(); const admin = getSupabaseAdmin();
@@ -27,10 +28,11 @@ export async function POST(
.select('subdomain') .select('subdomain')
.maybeSingle<{ subdomain: string }>(); .maybeSingle<{ subdomain: string }>();
if (error) { if (error) {
return NextResponse.json({ error: error.message }, { status: 500 }); console.error('admin tunnel.reset_usage failed', error);
return jsonNoStore({ error: 'internal error' }, { status: 500 });
} }
if (!data) { if (!data) {
return NextResponse.json({ error: 'tunnel not found' }, { status: 404 }); return jsonNoStore({ error: 'tunnel not found' }, { status: 404 });
} }
await logAdminAction(auth.user, { await logAdminAction(auth.user, {
@@ -40,5 +42,5 @@ export async function POST(
details: { subdomain: data.subdomain }, details: { subdomain: data.subdomain },
}); });
return NextResponse.json({ ok: true }); return jsonNoStore({ ok: true });
} }
app/api/admin/tunnels/[id]/route.ts
+7 -5
View File
@@ -1,9 +1,10 @@
import { NextResponse, type NextRequest } from 'next/server'; import { type NextRequest } from 'next/server';
import { requireAdminApi } from '@/lib/auth/admin-guard'; import { requireAdminApi } from '@/lib/auth/admin-guard';
import { getSupabaseAdmin } from '@/lib/supabase/admin'; import { getSupabaseAdmin } from '@/lib/supabase/admin';
import { logAdminAction } from '@/lib/auth/audit'; import { logAdminAction } from '@/lib/auth/audit';
import { isUuid } from '@/lib/admin/validators'; import { isUuid } from '@/lib/admin/validators';
import { redisSet } from '@/lib/redis'; import { redisSet } from '@/lib/redis';
import { jsonNoStore } from '@/lib/admin/response';
export const runtime = 'nodejs'; export const runtime = 'nodejs';
export const dynamic = 'force-dynamic'; export const dynamic = 'force-dynamic';
@@ -17,7 +18,7 @@ export async function DELETE(
const { id } = params; const { id } = params;
if (!isUuid(id)) { if (!isUuid(id)) {
return NextResponse.json({ error: 'invalid tunnel id' }, { status: 400 }); return jsonNoStore({ error: 'invalid tunnel id' }, { status: 400 });
} }
const admin = getSupabaseAdmin(); const admin = getSupabaseAdmin();
@@ -28,10 +29,11 @@ export async function DELETE(
.select('subdomain') .select('subdomain')
.maybeSingle<{ subdomain: string }>(); .maybeSingle<{ subdomain: string }>();
if (error) { if (error) {
return NextResponse.json({ error: error.message }, { status: 500 }); console.error('admin tunnel.delete failed', error);
return jsonNoStore({ error: 'internal error' }, { status: 500 });
} }
if (!data) { if (!data) {
return NextResponse.json({ error: 'tunnel not found' }, { status: 404 }); return jsonNoStore({ error: 'tunnel not found' }, { status: 404 });
} }
// Best-effort live kill-switch. // Best-effort live kill-switch.
@@ -44,5 +46,5 @@ export async function DELETE(
details: { subdomain: data.subdomain }, details: { subdomain: data.subdomain },
}); });
return NextResponse.json({ ok: true }); return jsonNoStore({ ok: true });
} }
app/api/admin/tunnels/route.ts
+5 -3
View File
@@ -1,7 +1,8 @@
import { NextResponse, type NextRequest } from 'next/server'; import { type NextRequest } from 'next/server';
import { requireAdminApi } from '@/lib/auth/admin-guard'; import { requireAdminApi } from '@/lib/auth/admin-guard';
import { parsePageParam, parsePerPageParam } from '@/lib/admin/validators'; import { parsePageParam, parsePerPageParam } from '@/lib/admin/validators';
import { getTunnelsList } from '@/lib/admin/list'; import { getTunnelsList } from '@/lib/admin/list';
import { jsonNoStore } from '@/lib/admin/response';
export const runtime = 'nodejs'; export const runtime = 'nodejs';
export const dynamic = 'force-dynamic'; export const dynamic = 'force-dynamic';
@@ -23,8 +24,9 @@ export async function GET(req: NextRequest) {
search, search,
status, status,
}); });
return NextResponse.json({ tunnels, total, page, perPage }); return jsonNoStore({ tunnels, total, page, perPage });
} catch (e) { } catch (e) {
return NextResponse.json({ error: (e as Error).message }, { status: 500 }); console.error('admin tunnels list failed', e);
return jsonNoStore({ error: 'internal error' }, { status: 500 });
} }
} }
app/api/admin/users/[id]/ban/route.ts
+9 -7
View File
@@ -1,8 +1,9 @@
import { NextResponse, type NextRequest } from 'next/server'; import { type NextRequest } from 'next/server';
import { requireAdminApi } from '@/lib/auth/admin-guard'; import { requireAdminApi } from '@/lib/auth/admin-guard';
import { getSupabaseAdmin } from '@/lib/supabase/admin'; import { getSupabaseAdmin } from '@/lib/supabase/admin';
import { logAdminAction } from '@/lib/auth/audit'; import { logAdminAction } from '@/lib/auth/audit';
import { isUuid, parseBoolean } from '@/lib/admin/validators'; import { isUuid, parseBoolean } from '@/lib/admin/validators';
import { jsonNoStore } from '@/lib/admin/response';
export const runtime = 'nodejs'; export const runtime = 'nodejs';
export const dynamic = 'force-dynamic'; export const dynamic = 'force-dynamic';
@@ -19,10 +20,10 @@ export async function POST(
const { id } = params; const { id } = params;
if (!isUuid(id)) { if (!isUuid(id)) {
return NextResponse.json({ error: 'invalid user id' }, { status: 400 }); return jsonNoStore({ error: 'invalid user id' }, { status: 400 });
} }
if (id === auth.user.id) { if (id === auth.user.id) {
return NextResponse.json( return jsonNoStore(
{ error: 'you cannot ban your own account' }, { error: 'you cannot ban your own account' },
{ status: 400 }, { status: 400 },
); );
@@ -32,11 +33,11 @@ export async function POST(
try { try {
body = (await req.json()) as { banned?: unknown }; body = (await req.json()) as { banned?: unknown };
} catch { } catch {
return NextResponse.json({ error: 'invalid json' }, { status: 400 }); return jsonNoStore({ error: 'invalid json' }, { status: 400 });
} }
const banned = parseBoolean(body.banned); const banned = parseBoolean(body.banned);
if (banned === null) { if (banned === null) {
return NextResponse.json( return jsonNoStore(
{ error: 'banned must be a boolean' }, { error: 'banned must be a boolean' },
{ status: 400 }, { status: 400 },
); );
@@ -47,7 +48,8 @@ export async function POST(
ban_duration: banned ? BAN_DURATION : 'none', ban_duration: banned ? BAN_DURATION : 'none',
} as { ban_duration: string }); } as { ban_duration: string });
if (error) { if (error) {
return NextResponse.json({ error: error.message }, { status: 500 }); console.error('admin user.ban failed', error);
return jsonNoStore({ error: 'internal error' }, { status: 500 });
} }
await logAdminAction(auth.user, { await logAdminAction(auth.user, {
@@ -57,5 +59,5 @@ export async function POST(
details: { banned }, details: { banned },
}); });
return NextResponse.json({ ok: true, banned }); return jsonNoStore({ ok: true, banned });
} }
app/api/admin/users/[id]/role/route.ts
+10 -8
View File
@@ -1,8 +1,9 @@
import { NextResponse, type NextRequest } from 'next/server'; import { type NextRequest } from 'next/server';
import { requireAdminApi } from '@/lib/auth/admin-guard'; import { requireAdminApi } from '@/lib/auth/admin-guard';
import { getSupabaseAdmin } from '@/lib/supabase/admin'; import { getSupabaseAdmin } from '@/lib/supabase/admin';
import { logAdminAction } from '@/lib/auth/audit'; import { logAdminAction } from '@/lib/auth/audit';
import { isUuid } from '@/lib/admin/validators'; import { isUuid } from '@/lib/admin/validators';
import { jsonNoStore } from '@/lib/admin/response';
export const runtime = 'nodejs'; export const runtime = 'nodejs';
export const dynamic = 'force-dynamic'; export const dynamic = 'force-dynamic';
@@ -16,10 +17,10 @@ export async function POST(
const { id } = params; const { id } = params;
if (!isUuid(id)) { if (!isUuid(id)) {
return NextResponse.json({ error: 'invalid user id' }, { status: 400 }); return jsonNoStore({ error: 'invalid user id' }, { status: 400 });
} }
if (id === auth.user.id) { if (id === auth.user.id) {
return NextResponse.json( return jsonNoStore(
{ error: 'you cannot change your own role' }, { error: 'you cannot change your own role' },
{ status: 400 }, { status: 400 },
); );
@@ -29,10 +30,10 @@ export async function POST(
try { try {
body = (await req.json()) as { role?: unknown }; body = (await req.json()) as { role?: unknown };
} catch { } catch {
return NextResponse.json({ error: 'invalid json' }, { status: 400 }); return jsonNoStore({ error: 'invalid json' }, { status: 400 });
} }
if (body.role !== 'admin' && body.role !== 'user') { if (body.role !== 'admin' && body.role !== 'user') {
return NextResponse.json( return jsonNoStore(
{ error: "role must be 'admin' or 'user'" }, { error: "role must be 'admin' or 'user'" },
{ status: 400 }, { status: 400 },
); );
@@ -45,7 +46,7 @@ export async function POST(
const { data: existing, error: getErr } = const { data: existing, error: getErr } =
await admin.auth.admin.getUserById(id); await admin.auth.admin.getUserById(id);
if (getErr || !existing.user) { if (getErr || !existing.user) {
return NextResponse.json({ error: 'user not found' }, { status: 404 }); return jsonNoStore({ error: 'user not found' }, { status: 404 });
} }
const merged = { ...(existing.user.app_metadata ?? {}), role }; const merged = { ...(existing.user.app_metadata ?? {}), role };
@@ -53,7 +54,8 @@ export async function POST(
app_metadata: merged, app_metadata: merged,
}); });
if (error) { if (error) {
return NextResponse.json({ error: error.message }, { status: 500 }); console.error('admin user.role failed', error);
return jsonNoStore({ error: 'internal error' }, { status: 500 });
} }
await logAdminAction(auth.user, { await logAdminAction(auth.user, {
@@ -63,5 +65,5 @@ export async function POST(
details: { role }, details: { role },
}); });
return NextResponse.json({ ok: true, role }); return jsonNoStore({ ok: true, role });
} }
app/api/admin/users/[id]/route.ts
+33 -12
View File
@@ -1,8 +1,9 @@
import { NextResponse, type NextRequest } from 'next/server'; import { type NextRequest } from 'next/server';
import { requireAdminApi } from '@/lib/auth/admin-guard'; import { requireAdminApi } from '@/lib/auth/admin-guard';
import { getSupabaseAdmin } from '@/lib/supabase/admin'; import { getSupabaseAdmin } from '@/lib/supabase/admin';
import { logAdminAction } from '@/lib/auth/audit'; import { logAdminAction } from '@/lib/auth/audit';
import { isUuid } from '@/lib/admin/validators'; import { isUuid } from '@/lib/admin/validators';
import { jsonNoStore } from '@/lib/admin/response';
export const runtime = 'nodejs'; export const runtime = 'nodejs';
export const dynamic = 'force-dynamic'; export const dynamic = 'force-dynamic';
@@ -27,7 +28,7 @@ export async function GET(
const { id } = params; const { id } = params;
if (!isUuid(id)) { if (!isUuid(id)) {
return NextResponse.json({ error: 'invalid user id' }, { status: 400 }); return jsonNoStore({ error: 'invalid user id' }, { status: 400 });
} }
const admin = getSupabaseAdmin(); const admin = getSupabaseAdmin();
@@ -35,7 +36,7 @@ export async function GET(
const { data: userRes, error: userErr } = const { data: userRes, error: userErr } =
await admin.auth.admin.getUserById(id); await admin.auth.admin.getUserById(id);
if (userErr || !userRes.user) { if (userErr || !userRes.user) {
return NextResponse.json({ error: 'user not found' }, { status: 404 }); return jsonNoStore({ error: 'user not found' }, { status: 404 });
} }
const u = userRes.user; const u = userRes.user;
@@ -54,7 +55,7 @@ export async function GET(
.order('created_at', { ascending: false }) .order('created_at', { ascending: false })
.limit(25); .limit(25);
return NextResponse.json({ return jsonNoStore({
user: { user: {
id: u.id, id: u.id,
email: u.email ?? null, email: u.email ?? null,
@@ -88,10 +89,10 @@ export async function DELETE(
const { id } = params; const { id } = params;
if (!isUuid(id)) { if (!isUuid(id)) {
return NextResponse.json({ error: 'invalid user id' }, { status: 400 }); return jsonNoStore({ error: 'invalid user id' }, { status: 400 });
} }
if (id === auth.user.id) { if (id === auth.user.id) {
return NextResponse.json( return jsonNoStore(
{ error: 'you cannot delete your own account' }, { error: 'you cannot delete your own account' },
{ status: 400 }, { status: 400 },
); );
@@ -99,12 +100,32 @@ export async function DELETE(
const admin = getSupabaseAdmin(); const admin = getSupabaseAdmin();
// Remove the tunnel row first (FK to auth.users). // Delete the AUTH USER first. Only if that succeeds do we remove the tunnel
await admin.from('tunnels').delete().eq('user_id', id); // row, so a mid-failure never leaves an orphaned auth user with a dangling
// tunnel (or half-deletes the tunnel of an already-gone user).
const { error: delErr } = await admin.auth.admin.deleteUser(id);
if (delErr) {
const httpStatus = (delErr as { status?: number }).status;
const message = (delErr.message ?? '').toLowerCase();
if (httpStatus === 404 || message.includes('not found')) {
return jsonNoStore({ error: 'user not found' }, { status: 404 });
}
console.error('admin user.delete: deleteUser failed', delErr);
return jsonNoStore({ error: 'internal error' }, { status: 500 });
}
const { error } = await admin.auth.admin.deleteUser(id); // The auth user is gone, so no orphaned-user state is possible. Removing the
if (error) { // tunnel row is best-effort cleanup: if it fails we log server-side but still
return NextResponse.json({ error: error.message }, { status: 500 }); // report the (already-completed) user deletion as successful.
const { error: tunnelErr } = await admin
.from('tunnels')
.delete()
.eq('user_id', id);
if (tunnelErr) {
console.error(
`admin user.delete: tunnel cleanup failed for ${id}`,
tunnelErr,
);
} }
await logAdminAction(auth.user, { await logAdminAction(auth.user, {
@@ -113,5 +134,5 @@ export async function DELETE(
target_id: id, target_id: id,
}); });
return NextResponse.json({ ok: true }); return jsonNoStore({ ok: true });
} }
app/api/admin/users/route.ts
+5 -3
View File
@@ -1,7 +1,8 @@
import { NextResponse, type NextRequest } from 'next/server'; import { type NextRequest } from 'next/server';
import { requireAdminApi } from '@/lib/auth/admin-guard'; import { requireAdminApi } from '@/lib/auth/admin-guard';
import { parsePageParam, parsePerPageParam } from '@/lib/admin/validators'; import { parsePageParam, parsePerPageParam } from '@/lib/admin/validators';
import { getUsersList } from '@/lib/admin/list'; import { getUsersList } from '@/lib/admin/list';
import { jsonNoStore } from '@/lib/admin/response';
export const runtime = 'nodejs'; export const runtime = 'nodejs';
export const dynamic = 'force-dynamic'; export const dynamic = 'force-dynamic';
@@ -17,8 +18,9 @@ export async function GET(req: NextRequest) {
try { try {
const { users, total } = await getUsersList({ page, perPage, search }); const { users, total } = await getUsersList({ page, perPage, search });
return NextResponse.json({ users, total, page, perPage }); return jsonNoStore({ users, total, page, perPage });
} catch (e) { } catch (e) {
return NextResponse.json({ error: (e as Error).message }, { status: 500 }); console.error('admin users list failed', e);
return jsonNoStore({ error: 'internal error' }, { status: 500 });
} }
} }
lib/admin/response.ts
+13
View File
@@ -0,0 +1,13 @@
import { NextResponse } from 'next/server';
/**
* Wrapper around NextResponse.json that marks the response uncacheable. All
* admin API responses must never be stored by browsers, proxies, or Next's
* own caches, since they reflect privileged, frequently-changing state.
*/
export function jsonNoStore(body: unknown, init?: ResponseInit): NextResponse {
const res = NextResponse.json(body, init);
res.headers.set('Cache-Control', 'no-store');
res.headers.set('Pragma', 'no-cache');
return res;
}
lib/auth/admin-guard.ts
+4 -3
View File
@@ -1,7 +1,8 @@
import { redirect } from 'next/navigation'; import { redirect } from 'next/navigation';
import { NextResponse } from 'next/server'; import type { NextResponse } from 'next/server';
import type { User } from '@supabase/supabase-js'; import type { User } from '@supabase/supabase-js';
import { createSupabaseServerClient } from '@/lib/supabase/server'; import { createSupabaseServerClient } from '@/lib/supabase/server';
import { jsonNoStore } from '@/lib/admin/response';
export function isAdmin(user: User | null | undefined): boolean { export function isAdmin(user: User | null | undefined): boolean {
return user?.app_metadata?.role === 'admin'; return user?.app_metadata?.role === 'admin';
@@ -35,13 +36,13 @@ export async function requireAdminApi(): Promise<
if (!user) { if (!user) {
return { return {
ok: false, ok: false,
response: NextResponse.json({ error: 'unauthorized' }, { status: 401 }), response: jsonNoStore({ error: 'unauthorized' }, { status: 401 }),
}; };
} }
if (!isAdmin(user)) { if (!isAdmin(user)) {
return { return {
ok: false, ok: false,
response: NextResponse.json({ error: 'forbidden' }, { status: 403 }), response: jsonNoStore({ error: 'forbidden' }, { status: 403 }),
}; };
} }
return { ok: true, user }; return { ok: true, user };
lib/supabase/admin.ts
+7
View File
@@ -11,6 +11,13 @@ export function getSupabaseAdmin(): SupabaseClient {
} }
_admin = createClient(url, key, { _admin = createClient(url, key, {
auth: { autoRefreshToken: false, persistSession: false }, auth: { autoRefreshToken: false, persistSession: false },
global: {
// Force every request the admin client makes (GoTrue listUsers and
// PostgREST reads alike) to bypass Next's fetch Data Cache, so the admin
// surface always reflects current state regardless of page config.
fetch: (input: RequestInfo | URL, init?: RequestInit) =>
fetch(input, { ...init, cache: 'no-store' }),
},
}); });
return _admin; return _admin;
} }
middleware.ts
+16 -4
View File
@@ -31,23 +31,35 @@ export async function middleware(request: NextRequest) {
// per-route requireAdmin()/requireAdminApi() checks. // per-route requireAdmin()/requireAdminApi() checks.
const path = request.nextUrl.pathname; const path = request.nextUrl.pathname;
if (path.startsWith('/admin') || path.startsWith('/api/admin')) { if (path.startsWith('/admin') || path.startsWith('/api/admin')) {
// Carry any cookies Supabase rotated onto the working `response` over to a
// deny/redirect response, so a refreshed session/refresh token is always
// persisted — otherwise a fresh NextResponse would drop them and a
// concurrent request could spuriously 401.
const withCookies = (res: NextResponse): NextResponse => {
response.cookies.getAll().forEach((cookie) => res.cookies.set(cookie));
return res;
};
if (!user) { if (!user) {
if (path.startsWith('/api/admin')) { if (path.startsWith('/api/admin')) {
return NextResponse.json({ error: 'unauthorized' }, { status: 401 }); return withCookies(
NextResponse.json({ error: 'unauthorized' }, { status: 401 }),
);
} }
const url = request.nextUrl.clone(); const url = request.nextUrl.clone();
url.pathname = '/login'; url.pathname = '/login';
url.search = ''; url.search = '';
return NextResponse.redirect(url); return withCookies(NextResponse.redirect(url));
} }
if (user.app_metadata?.role !== 'admin') { if (user.app_metadata?.role !== 'admin') {
if (path.startsWith('/api/admin')) { if (path.startsWith('/api/admin')) {
return NextResponse.json({ error: 'forbidden' }, { status: 403 }); return withCookies(
NextResponse.json({ error: 'forbidden' }, { status: 403 }),
);
} }
const url = request.nextUrl.clone(); const url = request.nextUrl.clone();
url.pathname = '/dashboard'; url.pathname = '/dashboard';
url.search = ''; url.search = '';
return NextResponse.redirect(url); return withCookies(NextResponse.redirect(url));
} }
} }