fix(admin): key tunnels by user_id, server-side initial list load, full-scan user search
This commit is contained in:
Gerhard Scheikl
@@ -1,7 +1,7 @@
|
||||
import { NextResponse, type NextRequest } from 'next/server';
|
||||
import { requireAdminApi } from '@/lib/auth/admin-guard';
|
||||
import { getSupabaseAdmin } from '@/lib/supabase/admin';
|
||||
import { parsePageParam, parsePerPageParam } from '@/lib/admin/validators';
|
||||
import { getAuditList } from '@/lib/admin/list';
|
||||
|
||||
export const runtime = 'nodejs';
|
||||
export const dynamic = 'force-dynamic';
|
||||
@@ -13,33 +13,18 @@ export async function GET(req: NextRequest) {
|
||||
const url = new URL(req.url);
|
||||
const page = parsePageParam(url.searchParams.get('page'), 1);
|
||||
const perPage = parsePerPageParam(url.searchParams.get('perPage'), 50, 100);
|
||||
const action = (url.searchParams.get('action') ?? '').trim();
|
||||
const targetType = (url.searchParams.get('target_type') ?? '').trim();
|
||||
const action = url.searchParams.get('action') ?? '';
|
||||
const targetType = url.searchParams.get('target_type') ?? '';
|
||||
|
||||
const admin = getSupabaseAdmin();
|
||||
|
||||
let query = admin
|
||||
.from('admin_audit_log')
|
||||
.select(
|
||||
'id, actor_id, actor_email, action, target_type, target_id, details, created_at',
|
||||
{ count: 'exact' },
|
||||
);
|
||||
if (action) query = query.eq('action', action);
|
||||
if (targetType) query = query.eq('target_type', targetType);
|
||||
|
||||
const from = (page - 1) * perPage;
|
||||
const to = from + perPage - 1;
|
||||
query = query.order('created_at', { ascending: false }).range(from, to);
|
||||
|
||||
const { data, error, count } = await query;
|
||||
if (error) {
|
||||
return NextResponse.json({ error: error.message }, { status: 500 });
|
||||
try {
|
||||
const { entries, total } = await getAuditList({
|
||||
page,
|
||||
perPage,
|
||||
action,
|
||||
targetType,
|
||||
});
|
||||
return NextResponse.json({ entries, total, page, perPage });
|
||||
} catch (e) {
|
||||
return NextResponse.json({ error: (e as Error).message }, { status: 500 });
|
||||
}
|
||||
|
||||
return NextResponse.json({
|
||||
entries: data ?? [],
|
||||
total: count ?? (data?.length ?? 0),
|
||||
page,
|
||||
perPage,
|
||||
});
|
||||
}
|
||||
|
||||
@@ -38,7 +38,7 @@ export async function POST(
|
||||
const { data, error } = await admin
|
||||
.from('tunnels')
|
||||
.update({ is_active: isActive })
|
||||
.eq('id', id)
|
||||
.eq('user_id', id)
|
||||
.select('subdomain')
|
||||
.maybeSingle<{ subdomain: string }>();
|
||||
if (error) {
|
||||
|
||||
@@ -40,7 +40,7 @@ export async function POST(
|
||||
const { data, error } = await admin
|
||||
.from('tunnels')
|
||||
.update({ quota_bytes: parsed.value })
|
||||
.eq('id', id)
|
||||
.eq('user_id', id)
|
||||
.select('subdomain')
|
||||
.maybeSingle<{ subdomain: string }>();
|
||||
if (error) {
|
||||
|
||||
@@ -45,20 +45,20 @@ export async function POST(
|
||||
|
||||
const admin = getSupabaseAdmin();
|
||||
|
||||
// Reject if taken by a different tunnel.
|
||||
// Reject if taken by a different tunnel (keyed by owner user_id).
|
||||
const { data: existing } = await admin
|
||||
.from('tunnels')
|
||||
.select('id')
|
||||
.select('user_id')
|
||||
.eq('subdomain', subdomain)
|
||||
.maybeSingle<{ id: string }>();
|
||||
if (existing && existing.id !== id) {
|
||||
.maybeSingle<{ user_id: string }>();
|
||||
if (existing && existing.user_id !== id) {
|
||||
return NextResponse.json({ error: 'subdomain taken' }, { status: 409 });
|
||||
}
|
||||
|
||||
const { data, error } = await admin
|
||||
.from('tunnels')
|
||||
.update({ subdomain })
|
||||
.eq('id', id)
|
||||
.eq('user_id', id)
|
||||
.select('subdomain')
|
||||
.maybeSingle<{ subdomain: string }>();
|
||||
if (error) {
|
||||
|
||||
@@ -26,7 +26,7 @@ export async function POST(
|
||||
const { data, error } = await admin
|
||||
.from('tunnels')
|
||||
.update({ token })
|
||||
.eq('id', id)
|
||||
.eq('user_id', id)
|
||||
.select('subdomain, token')
|
||||
.maybeSingle<{ subdomain: string; token: string }>();
|
||||
if (error) {
|
||||
|
||||
@@ -23,7 +23,7 @@ export async function POST(
|
||||
const { data, error } = await admin
|
||||
.from('tunnels')
|
||||
.update({ bytes_used: 0 })
|
||||
.eq('id', id)
|
||||
.eq('user_id', id)
|
||||
.select('subdomain')
|
||||
.maybeSingle<{ subdomain: string }>();
|
||||
if (error) {
|
||||
|
||||
@@ -24,7 +24,7 @@ export async function DELETE(
|
||||
const { data, error } = await admin
|
||||
.from('tunnels')
|
||||
.delete()
|
||||
.eq('id', id)
|
||||
.eq('user_id', id)
|
||||
.select('subdomain')
|
||||
.maybeSingle<{ subdomain: string }>();
|
||||
if (error) {
|
||||
|
||||
@@ -1,22 +1,11 @@
|
||||
import { NextResponse, type NextRequest } from 'next/server';
|
||||
import { requireAdminApi } from '@/lib/auth/admin-guard';
|
||||
import { getSupabaseAdmin } from '@/lib/supabase/admin';
|
||||
import { parsePageParam, parsePerPageParam } from '@/lib/admin/validators';
|
||||
import { getTunnelsList } from '@/lib/admin/list';
|
||||
|
||||
export const runtime = 'nodejs';
|
||||
export const dynamic = 'force-dynamic';
|
||||
|
||||
type TunnelRow = {
|
||||
id: string;
|
||||
user_id: string;
|
||||
subdomain: string;
|
||||
is_active: boolean;
|
||||
bytes_used: number;
|
||||
quota_bytes: number;
|
||||
last_seen_at: string | null;
|
||||
created_at: string;
|
||||
};
|
||||
|
||||
export async function GET(req: NextRequest) {
|
||||
const auth = await requireAdminApi();
|
||||
if (!auth.ok) return auth.response;
|
||||
@@ -24,75 +13,18 @@ export async function GET(req: NextRequest) {
|
||||
const url = new URL(req.url);
|
||||
const page = parsePageParam(url.searchParams.get('page'), 1);
|
||||
const perPage = parsePerPageParam(url.searchParams.get('perPage'), 25, 100);
|
||||
const search = (url.searchParams.get('search') ?? '').trim().toLowerCase();
|
||||
const search = url.searchParams.get('search') ?? '';
|
||||
const status = url.searchParams.get('status'); // active|inactive|over_quota
|
||||
|
||||
const admin = getSupabaseAdmin();
|
||||
|
||||
const cols =
|
||||
'id, user_id, subdomain, is_active, bytes_used, quota_bytes, last_seen_at, created_at';
|
||||
|
||||
let rows: TunnelRow[];
|
||||
let total: number;
|
||||
const from = (page - 1) * perPage;
|
||||
const to = from + perPage - 1;
|
||||
|
||||
if (status === 'over_quota') {
|
||||
// Column-to-column comparison is not expressible via PostgREST filters,
|
||||
// so fetch matching rows and paginate in memory.
|
||||
let q = admin.from('tunnels').select(cols);
|
||||
if (search) q = q.ilike('subdomain', `%${search}%`);
|
||||
const { data, error } = await q.order('created_at', { ascending: false });
|
||||
if (error) {
|
||||
return NextResponse.json({ error: error.message }, { status: 500 });
|
||||
}
|
||||
const all = ((data ?? []) as TunnelRow[]).filter(
|
||||
(t) => t.quota_bytes > 0 && t.bytes_used >= t.quota_bytes,
|
||||
);
|
||||
total = all.length;
|
||||
rows = all.slice(from, from + perPage);
|
||||
} else {
|
||||
let query = admin.from('tunnels').select(cols, { count: 'exact' });
|
||||
if (search) query = query.ilike('subdomain', `%${search}%`);
|
||||
if (status === 'active') query = query.eq('is_active', true);
|
||||
else if (status === 'inactive') query = query.eq('is_active', false);
|
||||
query = query.order('created_at', { ascending: false }).range(from, to);
|
||||
|
||||
const { data, error, count } = await query;
|
||||
if (error) {
|
||||
return NextResponse.json({ error: error.message }, { status: 500 });
|
||||
}
|
||||
rows = (data ?? []) as TunnelRow[];
|
||||
total = count ?? rows.length;
|
||||
try {
|
||||
const { tunnels, total } = await getTunnelsList({
|
||||
page,
|
||||
perPage,
|
||||
search,
|
||||
status,
|
||||
});
|
||||
return NextResponse.json({ tunnels, total, page, perPage });
|
||||
} catch (e) {
|
||||
return NextResponse.json({ error: (e as Error).message }, { status: 500 });
|
||||
}
|
||||
|
||||
// Resolve owner emails (per-row getUserById; acceptable for current scale).
|
||||
const emails = await Promise.all(
|
||||
rows.map(async (t) => {
|
||||
try {
|
||||
const { data: u } = await admin.auth.admin.getUserById(t.user_id);
|
||||
return u.user?.email ?? null;
|
||||
} catch {
|
||||
return null;
|
||||
}
|
||||
}),
|
||||
);
|
||||
|
||||
const tunnels = rows.map((t, i) => ({
|
||||
id: t.id,
|
||||
user_id: t.user_id,
|
||||
owner_email: emails[i],
|
||||
subdomain: t.subdomain,
|
||||
is_active: t.is_active,
|
||||
bytes_used: t.bytes_used,
|
||||
quota_bytes: t.quota_bytes,
|
||||
usage_pct:
|
||||
t.quota_bytes > 0
|
||||
? Math.min(100, (t.bytes_used / t.quota_bytes) * 100)
|
||||
: 0,
|
||||
last_seen_at: t.last_seen_at,
|
||||
created_at: t.created_at,
|
||||
}));
|
||||
|
||||
return NextResponse.json({ tunnels, total, page, perPage });
|
||||
}
|
||||
|
||||
@@ -1,19 +1,11 @@
|
||||
import { NextResponse, type NextRequest } from 'next/server';
|
||||
import { requireAdminApi } from '@/lib/auth/admin-guard';
|
||||
import { getSupabaseAdmin } from '@/lib/supabase/admin';
|
||||
import { parsePageParam, parsePerPageParam } from '@/lib/admin/validators';
|
||||
import { getUsersList } from '@/lib/admin/list';
|
||||
|
||||
export const runtime = 'nodejs';
|
||||
export const dynamic = 'force-dynamic';
|
||||
|
||||
type TunnelRow = {
|
||||
user_id: string;
|
||||
subdomain: string;
|
||||
is_active: boolean;
|
||||
bytes_used: number;
|
||||
quota_bytes: number;
|
||||
};
|
||||
|
||||
export async function GET(req: NextRequest) {
|
||||
const auth = await requireAdminApi();
|
||||
if (!auth.ok) return auth.response;
|
||||
@@ -21,58 +13,12 @@ export async function GET(req: NextRequest) {
|
||||
const url = new URL(req.url);
|
||||
const page = parsePageParam(url.searchParams.get('page'), 1);
|
||||
const perPage = parsePerPageParam(url.searchParams.get('perPage'), 25, 100);
|
||||
const search = (url.searchParams.get('search') ?? '').trim().toLowerCase();
|
||||
const search = url.searchParams.get('search') ?? '';
|
||||
|
||||
const admin = getSupabaseAdmin();
|
||||
|
||||
const { data, error } = await admin.auth.admin.listUsers({ page, perPage });
|
||||
if (error) {
|
||||
return NextResponse.json({ error: error.message }, { status: 500 });
|
||||
try {
|
||||
const { users, total } = await getUsersList({ page, perPage, search });
|
||||
return NextResponse.json({ users, total, page, perPage });
|
||||
} catch (e) {
|
||||
return NextResponse.json({ error: (e as Error).message }, { status: 500 });
|
||||
}
|
||||
|
||||
let users = data.users;
|
||||
const total = (data as unknown as { total?: number }).total ?? users.length;
|
||||
|
||||
if (search) {
|
||||
users = users.filter((u) =>
|
||||
(u.email ?? '').toLowerCase().includes(search),
|
||||
);
|
||||
}
|
||||
|
||||
// Join tunnel rows for this page's users in a single query.
|
||||
const ids = users.map((u) => u.id);
|
||||
const tunnelMap = new Map<string, TunnelRow>();
|
||||
if (ids.length > 0) {
|
||||
const { data: tunnels } = await admin
|
||||
.from('tunnels')
|
||||
.select('user_id, subdomain, is_active, bytes_used, quota_bytes')
|
||||
.in('user_id', ids);
|
||||
for (const t of (tunnels ?? []) as TunnelRow[]) {
|
||||
tunnelMap.set(t.user_id, t);
|
||||
}
|
||||
}
|
||||
|
||||
const result = users.map((u) => {
|
||||
const t = tunnelMap.get(u.id) ?? null;
|
||||
return {
|
||||
id: u.id,
|
||||
email: u.email ?? null,
|
||||
role: (u.app_metadata?.role as string | undefined) ?? 'user',
|
||||
banned_until: (u as unknown as { banned_until?: string | null })
|
||||
.banned_until ?? null,
|
||||
email_confirmed_at: u.email_confirmed_at ?? null,
|
||||
created_at: u.created_at,
|
||||
last_sign_in_at: u.last_sign_in_at ?? null,
|
||||
tunnel: t
|
||||
? {
|
||||
subdomain: t.subdomain,
|
||||
is_active: t.is_active,
|
||||
bytes_used: t.bytes_used,
|
||||
quota_bytes: t.quota_bytes,
|
||||
}
|
||||
: null,
|
||||
};
|
||||
});
|
||||
|
||||
return NextResponse.json({ users: result, total, page, perPage });
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user