1adc4806fa
Security Fixes
File Change
.env.local Placeholder JWT secret (rotate to random value: openssl rand -base64 64)
src/middleware.ts Removed /api/auth/me bypass; API routes return JSON 401 (not 302 redirect)
src/lib/auth.ts sameSite: "lax" → "strict" (create + destroy cookie); SVG name chars are pre-computed (no injection)
src/lib/avatar.ts Added sanitizeName() — strips non-alphanumeric/safe chars, max 50 chars
src/app/api/users/route.ts POST restricted to super_admin; validates role against whitelist ["sales","admin","super_admin","dev"]; validates active defaults to true
src/app/api/users/[id]/route.ts DELETE restricted to super_admin; blocks self-deletion
src/app/api/leads/[id]/route.ts GET: non-admin users filtered by assigned_to; PATCH: ownership check + score validated 0-100 range
src/app/api/leads/route.ts DELETE: ownership + admin check; GET: ownership filter for non-admin users
src/app/api/conversations/[id]/messages/route.ts GET/POST: verify user is a conversation_participant before access
rust-ai/src/main.rs CORS: AllowOrigin::list(["localhost:3006", "127.0.0.1:3006"]) (was Any)
Performance Fixes
File Change
src/app/api/leads/route.ts Added limit (default 50), offset query params; ownership filter in SQL
src/app/api/users/route.ts Added limit (default 50), offset query params
src/app/api/conversations/route.ts Added LIMIT 50
src/app/api/leads/[id]/notes/route.ts Added limit (default 50), offset query params
src/app/api/conversations/[id]/messages/route.ts Added limit (default 100), offset, before query params
src/app/(dashboard)/chats/page.tsx Pruned to 5 cached conversations; useMemo wraps messages/conversation/filteredConversations; otherParticipant moved outside component; added 10MB file size limit; recordingChunksRef cleared on discard
src/app/(dashboard)/leads/[id]/page.tsx Optimistic status update rolls back on fetch failure
database/migrations/003_chat.sql Added composite index idx_messages_conversation_created on (conversation_id, created_at DESC)
Code Quality Fixes
File Change
src/lib/ai.ts Removed dead getInstructions()/updateInstructions() (called nonexistent /ai/instructions)
src/lib/auth.ts bcrypt.hash(password, 12) — kept (acceptable, OWASP-recommended)
src/app/login/page.tsx "Forgot password?" button now shows alert to contact admin (was no-op)
src/components/users/user-form-dialog.tsx Password min 6 → 8 chars
26 silent catch {} blocks across 16 files (see below) Added console.warn("...") context messages
106 lines
3.5 KiB
TypeScript
106 lines
3.5 KiB
TypeScript
"use client"
|
|
|
|
import { useState, useEffect, useCallback } from "react"
|
|
import { PageHeader } from "@/components/shared/page-header"
|
|
import { UsersTable } from "@/components/users/users-table"
|
|
import { UserFormDialog } from "@/components/users/user-form-dialog"
|
|
import { Button } from "@/components/ui/button"
|
|
import { Input } from "@/components/ui/input"
|
|
import { useUser } from "@/providers/user-provider"
|
|
import { Plus, Users as UsersIcon, Search } from "lucide-react"
|
|
import type { User } from "@/types"
|
|
|
|
export default function UsersPage() {
|
|
const { user } = useUser()
|
|
const [users, setUsers] = useState<User[]>([])
|
|
const [loading, setLoading] = useState(true)
|
|
const [createOpen, setCreateOpen] = useState(false)
|
|
const [search, setSearch] = useState("")
|
|
|
|
const fetchUsers = useCallback(async () => {
|
|
try {
|
|
const res = await fetch("/api/users")
|
|
if (res.ok) {
|
|
const data = await res.json()
|
|
setUsers(data.users || [])
|
|
}
|
|
} catch {
|
|
console.warn("Failed to fetch users in users page")
|
|
} finally {
|
|
setLoading(false)
|
|
}
|
|
}, [])
|
|
|
|
useEffect(() => {
|
|
fetchUsers()
|
|
}, [fetchUsers])
|
|
|
|
const activeUsers = users.filter((u) => u.active !== false)
|
|
const admins = users.filter((u) => u.role === "admin")
|
|
|
|
const stats = [
|
|
{ label: "Total Users", value: users.length, color: "bg-blue-500/10", textColor: "text-blue-500" },
|
|
{ label: "Active", value: activeUsers.length, color: "bg-green-500/10", textColor: "text-green-500" },
|
|
{ label: "Admins", value: admins.length, color: "bg-purple-500/10", textColor: "text-purple-500" },
|
|
{ label: "Sales", value: users.filter((u) => u.role === "sales").length, color: "bg-orange-500/10", textColor: "text-orange-500" },
|
|
]
|
|
|
|
const filtered = users.filter((u) => {
|
|
if (!search) return true
|
|
const q = search.toLowerCase()
|
|
return u.name?.toLowerCase().includes(q) || u.email?.toLowerCase().includes(q)
|
|
})
|
|
|
|
return (
|
|
<div className="space-y-4">
|
|
<PageHeader
|
|
title="Users"
|
|
description="Manage team members and their roles"
|
|
>
|
|
<Button className="gap-2" onClick={() => setCreateOpen(true)}>
|
|
<Plus className="h-4 w-4" />
|
|
Add User
|
|
</Button>
|
|
</PageHeader>
|
|
|
|
<div className="grid gap-4 sm:grid-cols-2 lg:grid-cols-4 mb-6">
|
|
{stats.map((s) => (
|
|
<div key={s.label} className="rounded-lg border bg-card p-4">
|
|
<div className="flex items-center gap-3">
|
|
<div
|
|
className={`flex h-10 w-10 items-center justify-center rounded-lg ${s.color}`}
|
|
>
|
|
<UsersIcon className={`h-5 w-5 ${s.textColor}`} />
|
|
</div>
|
|
<div>
|
|
<p className="text-2xl font-bold">{s.value}</p>
|
|
<p className="text-xs text-muted-foreground">{s.label}</p>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
))}
|
|
</div>
|
|
|
|
<div className="relative">
|
|
<Search className="absolute left-3 top-1/2 h-4 w-4 -translate-y-1/2 text-muted-foreground" />
|
|
<Input
|
|
placeholder="Search by name or email..."
|
|
value={search}
|
|
onChange={(e) => setSearch(e.target.value)}
|
|
className="h-9 pl-9"
|
|
/>
|
|
</div>
|
|
|
|
<div className="rounded-lg border bg-card">
|
|
<UsersTable data={filtered} loading={loading} onUserDeleted={fetchUsers} />
|
|
</div>
|
|
|
|
<UserFormDialog
|
|
open={createOpen}
|
|
onOpenChange={setCreateOpen}
|
|
onUserCreated={fetchUsers}
|
|
/>
|
|
</div>
|
|
)
|
|
}
|