1adc4806fa
Security Fixes
File Change
.env.local Placeholder JWT secret (rotate to random value: openssl rand -base64 64)
src/middleware.ts Removed /api/auth/me bypass; API routes return JSON 401 (not 302 redirect)
src/lib/auth.ts sameSite: "lax" → "strict" (create + destroy cookie); SVG name chars are pre-computed (no injection)
src/lib/avatar.ts Added sanitizeName() — strips non-alphanumeric/safe chars, max 50 chars
src/app/api/users/route.ts POST restricted to super_admin; validates role against whitelist ["sales","admin","super_admin","dev"]; validates active defaults to true
src/app/api/users/[id]/route.ts DELETE restricted to super_admin; blocks self-deletion
src/app/api/leads/[id]/route.ts GET: non-admin users filtered by assigned_to; PATCH: ownership check + score validated 0-100 range
src/app/api/leads/route.ts DELETE: ownership + admin check; GET: ownership filter for non-admin users
src/app/api/conversations/[id]/messages/route.ts GET/POST: verify user is a conversation_participant before access
rust-ai/src/main.rs CORS: AllowOrigin::list(["localhost:3006", "127.0.0.1:3006"]) (was Any)
Performance Fixes
File Change
src/app/api/leads/route.ts Added limit (default 50), offset query params; ownership filter in SQL
src/app/api/users/route.ts Added limit (default 50), offset query params
src/app/api/conversations/route.ts Added LIMIT 50
src/app/api/leads/[id]/notes/route.ts Added limit (default 50), offset query params
src/app/api/conversations/[id]/messages/route.ts Added limit (default 100), offset, before query params
src/app/(dashboard)/chats/page.tsx Pruned to 5 cached conversations; useMemo wraps messages/conversation/filteredConversations; otherParticipant moved outside component; added 10MB file size limit; recordingChunksRef cleared on discard
src/app/(dashboard)/leads/[id]/page.tsx Optimistic status update rolls back on fetch failure
database/migrations/003_chat.sql Added composite index idx_messages_conversation_created on (conversation_id, created_at DESC)
Code Quality Fixes
File Change
src/lib/ai.ts Removed dead getInstructions()/updateInstructions() (called nonexistent /ai/instructions)
src/lib/auth.ts bcrypt.hash(password, 12) — kept (acceptable, OWASP-recommended)
src/app/login/page.tsx "Forgot password?" button now shows alert to contact admin (was no-op)
src/components/users/user-form-dialog.tsx Password min 6 → 8 chars
26 silent catch {} blocks across 16 files (see below) Added console.warn("...") context messages
144 lines
6.0 KiB
TypeScript
144 lines
6.0 KiB
TypeScript
"use client"
|
|
|
|
import { useRef } from "react"
|
|
import { PageHeader } from "@/components/shared/page-header"
|
|
import { Card, CardContent, CardHeader, CardTitle } from "@/components/ui/card"
|
|
import { Avatar, AvatarFallback, AvatarImage } from "@/components/ui/avatar"
|
|
import { Badge } from "@/components/ui/badge"
|
|
import { useUser } from "@/providers/user-provider"
|
|
import { Mail, Calendar, Shield, Activity, Camera } from "lucide-react"
|
|
import { toast } from "sonner"
|
|
|
|
export default function ProfilePage() {
|
|
const { user, updateAvatar } = useUser()
|
|
if (!user) return null
|
|
const fileInputRef = useRef<HTMLInputElement>(null)
|
|
|
|
const handleAvatarChange = async (e: React.ChangeEvent<HTMLInputElement>) => {
|
|
const file = e.target.files?.[0]
|
|
if (!file) return
|
|
const validTypes = ["image/png", "image/jpeg"]
|
|
if (!validTypes.includes(file.type)) {
|
|
toast.error("Only PNG and JPEG files are allowed")
|
|
return
|
|
}
|
|
const reader = new FileReader()
|
|
reader.onload = async () => {
|
|
const dataUrl = reader.result as string
|
|
try {
|
|
const res = await fetch("/api/users/avatar", {
|
|
method: "POST",
|
|
headers: { "Content-Type": "application/json" },
|
|
body: JSON.stringify({ avatar: dataUrl }),
|
|
})
|
|
if (res.ok) {
|
|
const data = await res.json()
|
|
updateAvatar(data.avatar)
|
|
toast.success("Avatar updated")
|
|
} else {
|
|
toast.error("Failed to save avatar")
|
|
}
|
|
} catch {
|
|
console.warn("Failed to save avatar")
|
|
toast.error("Failed to save avatar")
|
|
}
|
|
}
|
|
reader.readAsDataURL(file)
|
|
}
|
|
|
|
return (
|
|
<div className="space-y-6">
|
|
<PageHeader title="Profile" description="Your account information" />
|
|
|
|
<div className="grid gap-6 lg:grid-cols-3">
|
|
<Card className="lg:col-span-1">
|
|
<CardContent className="flex flex-col items-center pt-8">
|
|
<div className="relative">
|
|
<Avatar className="h-24 w-24">
|
|
<AvatarImage src={user.avatar} />
|
|
<AvatarFallback className="text-2xl">{user.name.split(" ").map((n) => n[0]).join("")}</AvatarFallback>
|
|
</Avatar>
|
|
<button
|
|
type="button"
|
|
onClick={() => fileInputRef.current?.click()}
|
|
className="absolute inset-0 flex items-center justify-center rounded-full bg-black/40 opacity-0 transition-opacity hover:opacity-100"
|
|
>
|
|
<Camera className="h-6 w-6 text-white" />
|
|
</button>
|
|
<input
|
|
ref={fileInputRef}
|
|
type="file"
|
|
accept=".png,.jpeg,.jpg"
|
|
className="hidden"
|
|
onChange={handleAvatarChange}
|
|
/>
|
|
</div>
|
|
<h2 className="mt-4 text-xl font-semibold">{user.name}</h2>
|
|
<Badge variant="secondary" className="mt-1 capitalize">
|
|
{user.role}
|
|
</Badge>
|
|
<div className="mt-6 flex w-full flex-col gap-3 text-sm">
|
|
<div className="flex items-center gap-3 rounded-lg bg-muted/50 px-4 py-3">
|
|
<Mail className="h-4 w-4 text-muted-foreground" />
|
|
<span className="text-muted-foreground">{user.email}</span>
|
|
</div>
|
|
<div className="flex items-center gap-3 rounded-lg bg-muted/50 px-4 py-3">
|
|
<Calendar className="h-4 w-4 text-muted-foreground" />
|
|
<span className="text-muted-foreground">
|
|
Joined {new Date(user.createdAt).toLocaleDateString("en-US", { month: "long", year: "numeric" })}
|
|
</span>
|
|
</div>
|
|
<div className="flex items-center gap-3 rounded-lg bg-muted/50 px-4 py-3">
|
|
<Shield className="h-4 w-4 text-muted-foreground" />
|
|
<span className="text-muted-foreground capitalize">{user.role} access</span>
|
|
</div>
|
|
<div className="flex items-center gap-3 rounded-lg bg-muted/50 px-4 py-3">
|
|
<Activity className="h-4 w-4 text-muted-foreground" />
|
|
<span className="text-muted-foreground">{user.active ? "Active" : "Inactive"}</span>
|
|
</div>
|
|
</div>
|
|
</CardContent>
|
|
</Card>
|
|
|
|
<div className="lg:col-span-2 space-y-6">
|
|
<Card>
|
|
<CardHeader>
|
|
<CardTitle>Account Details</CardTitle>
|
|
</CardHeader>
|
|
<CardContent className="space-y-4">
|
|
<div className="grid gap-4 sm:grid-cols-2">
|
|
<div className="space-y-1">
|
|
<span className="text-xs text-muted-foreground">Full Name</span>
|
|
<p className="text-sm font-medium">{user.name}</p>
|
|
</div>
|
|
<div className="space-y-1">
|
|
<span className="text-xs text-muted-foreground">Email</span>
|
|
<p className="text-sm font-medium">{user.email}</p>
|
|
</div>
|
|
<div className="space-y-1">
|
|
<span className="text-xs text-muted-foreground">Role</span>
|
|
<p className="text-sm font-medium capitalize">{user.role}</p>
|
|
</div>
|
|
<div className="space-y-1">
|
|
<span className="text-xs text-muted-foreground">Status</span>
|
|
<p className="text-sm font-medium">{user.active ? "Active" : "Inactive"}</p>
|
|
</div>
|
|
<div className="space-y-1">
|
|
<span className="text-xs text-muted-foreground">Member Since</span>
|
|
<p className="text-sm font-medium">
|
|
{new Date(user.createdAt).toLocaleDateString("en-US", { month: "long", day: "numeric", year: "numeric" })}
|
|
</p>
|
|
</div>
|
|
<div className="space-y-1">
|
|
<span className="text-xs text-muted-foreground">User ID</span>
|
|
<p className="text-sm font-medium font-mono">{user.id}</p>
|
|
</div>
|
|
</div>
|
|
</CardContent>
|
|
</Card>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
)
|
|
}
|