fix(admin): eliminate GoTrue empty-body 500s under bulk load (retry-all + undici keep-alive + sequential bulk), CSV formula-injection guard
This commit is contained in:
Gerhard Scheikl
@@ -1,6 +1,7 @@
|
||||
import { type NextRequest } from 'next/server';
|
||||
import { requireAdminApi } from '@/lib/auth/admin-guard';
|
||||
import { getSupabaseAdmin } from '@/lib/supabase/admin';
|
||||
import { withAdminRetry } from '@/lib/admin/retry';
|
||||
import { logAdminAction } from '@/lib/auth/audit';
|
||||
import { isUuid, parseBoolean } from '@/lib/admin/validators';
|
||||
import { jsonNoStore } from '@/lib/admin/response';
|
||||
@@ -44,9 +45,14 @@ export async function POST(
|
||||
}
|
||||
|
||||
const admin = getSupabaseAdmin();
|
||||
const { error } = await admin.auth.admin.updateUserById(id, {
|
||||
ban_duration: banned ? BAN_DURATION : 'none',
|
||||
} as { ban_duration: string });
|
||||
// Retry transient empty-body / poisoned-keep-alive failures so a burst-load
|
||||
// ban/unban doesn't 500. `updateUserById` is idempotent for our use
|
||||
// (ban_duration set to the same value), so a retry is safe.
|
||||
const { error } = await withAdminRetry(() =>
|
||||
admin.auth.admin.updateUserById(id, {
|
||||
ban_duration: banned ? BAN_DURATION : 'none',
|
||||
} as { ban_duration: string }),
|
||||
);
|
||||
if (error) {
|
||||
console.error('admin user.ban failed', error);
|
||||
return jsonNoStore({ error: 'internal error' }, { status: 500 });
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
import { type NextRequest } from 'next/server';
|
||||
import { requireAdminApi } from '@/lib/auth/admin-guard';
|
||||
import { getSupabaseAdmin } from '@/lib/supabase/admin';
|
||||
import { withAdminRetry } from '@/lib/admin/retry';
|
||||
import { logAdminAction } from '@/lib/auth/audit';
|
||||
import { isUuid } from '@/lib/admin/validators';
|
||||
import { jsonNoStore } from '@/lib/admin/response';
|
||||
@@ -42,17 +43,24 @@ export async function POST(
|
||||
|
||||
const admin = getSupabaseAdmin();
|
||||
|
||||
// Merge with existing app_metadata so we don't clobber other keys.
|
||||
const { data: existing, error: getErr } =
|
||||
await admin.auth.admin.getUserById(id);
|
||||
// Merge with existing app_metadata so we don't clobber other keys. Retry the
|
||||
// read on transient empty-body responses so a burst-load flake isn't
|
||||
// misreported as a 404; a genuine not-found still falls through below.
|
||||
const { data: existing, error: getErr } = await withAdminRetry(() =>
|
||||
admin.auth.admin.getUserById(id),
|
||||
);
|
||||
if (getErr || !existing.user) {
|
||||
return jsonNoStore({ error: 'user not found' }, { status: 404 });
|
||||
}
|
||||
const merged = { ...(existing.user.app_metadata ?? {}), role };
|
||||
|
||||
const { error } = await admin.auth.admin.updateUserById(id, {
|
||||
app_metadata: merged,
|
||||
});
|
||||
// `updateUserById` is idempotent here (same app_metadata), so retrying a
|
||||
// transient empty-body write is safe.
|
||||
const { error } = await withAdminRetry(() =>
|
||||
admin.auth.admin.updateUserById(id, {
|
||||
app_metadata: merged,
|
||||
}),
|
||||
);
|
||||
if (error) {
|
||||
console.error('admin user.role failed', error);
|
||||
return jsonNoStore({ error: 'internal error' }, { status: 500 });
|
||||
|
||||
@@ -119,11 +119,24 @@ export async function DELETE(
|
||||
|
||||
// Delete the AUTH USER first. Only if that succeeds do we remove the tunnel
|
||||
// row, so a mid-failure never leaves an orphaned auth user with a dangling
|
||||
// tunnel (or half-deletes the tunnel of an already-gone user).
|
||||
const { error: delErr } = await admin.auth.admin.deleteUser(id);
|
||||
// tunnel (or half-deletes the tunnel of an already-gone user). Retry the
|
||||
// delete on transient empty-body / poisoned-keep-alive responses.
|
||||
const { error: delErr } = await withAdminRetry(() =>
|
||||
admin.auth.admin.deleteUser(id),
|
||||
);
|
||||
if (delErr) {
|
||||
console.error('admin user.delete: deleteUser failed', delErr);
|
||||
return jsonNoStore({ error: 'internal error' }, { status: 500 });
|
||||
// The delete may have actually succeeded with a truncated/empty response
|
||||
// body (the transient failure mode). Re-check existence before reporting a
|
||||
// 500: if the user is now gone, the deletion is effectively complete.
|
||||
const { data: recheck, error: recheckErr } = await withAdminRetry(() =>
|
||||
admin.auth.admin.getUserById(id),
|
||||
);
|
||||
if (recheckErr || !recheck?.user) {
|
||||
// User is gone -> delete succeeded despite the truncated body.
|
||||
} else {
|
||||
console.error('admin user.delete: deleteUser failed', delErr);
|
||||
return jsonNoStore({ error: 'internal error' }, { status: 500 });
|
||||
}
|
||||
}
|
||||
|
||||
// The auth user is gone, so no orphaned-user state is possible. Removing the
|
||||
|
||||
Reference in New Issue
Block a user