fix(pitch-deck): close auth gaps, isolate finanzplan scenario access, enforce TS
Some checks failed
Build pitch-deck / build-push-deploy (push) Failing after 1m4s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / test-go-consent (push) Successful in 57s
CI / test-python-voice (push) Successful in 42s
CI / test-bqas (push) Successful in 42s
Some checks failed
Build pitch-deck / build-push-deploy (push) Failing after 1m4s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / test-go-consent (push) Successful in 57s
CI / test-python-voice (push) Successful in 42s
CI / test-bqas (push) Successful in 42s
D1: Remove /api/admin/fp-patch from PUBLIC_PATHS — it was returning live financial data (fp_liquiditaet rows) to any unauthenticated caller; middleware admin gate now applies as it does for all /api/admin/* paths. D2: Add PITCH_ADMIN_SECRET bearer guard to POST /api/financial-model (create scenario) and PUT /api/financial-model/assumptions (update assumptions) — any authenticated investor could previously create/modify global financial model data. D3: Add PITCH_ADMIN_SECRET bearer guard to POST /api/finanzplan/compute — any investor could trigger a full DB recomputation across all fp_* tables. Also replace String(error) in error response with a static message. D4: GET /api/finanzplan/[sheetName] now ignores ?scenarioId= for non-admin callers; investors always receive the default scenario only. Previously any investor could enumerate UUIDs and read any scenario's financials including other investors' plans. D9: Remove `name` from the non-admin /api/finanzplan response — scenario names like "Wandeldarlehen v2" reveal internal versioning to investors. D10: Remove hardcoded postgres://breakpilot:breakpilot123@localhost fallback from lib/db.ts — missing DATABASE_URL now fails loudly instead of silently using stale credentials that are committed to the repository. D6: Fix all 4 TypeScript errors that were masked by ignoreBuildErrors:true; bump tsconfig target to ES2018 (regex s flag in ChatFAB), type lang as 'de'|'en' in chat route, add 'as string' assertion in adapter.ts. Remove ignoreBuildErrors:true from next.config.js so future type errors fail the build rather than being silently shipped. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Sharang Parnerkar
@@ -6,7 +6,6 @@ const PUBLIC_PATHS = [
|
||||
'/auth', // investor login pages
|
||||
'/api/auth', // investor auth API
|
||||
'/api/health',
|
||||
'/api/admin/fp-patch',
|
||||
'/api/admin-auth', // admin login API
|
||||
'/pitch-admin/login', // admin login page
|
||||
'/_next',
|
||||
@@ -47,10 +46,14 @@ export async function middleware(request: NextRequest) {
|
||||
|
||||
// ----- Admin-gated routes -----
|
||||
if (isAdminGatedPath(pathname)) {
|
||||
// Allow legacy bearer-secret CLI access on /api/admin/* (the API routes themselves
|
||||
// also check this and log as actor='cli'). The bearer header is opaque to the JWT
|
||||
// path, so we just let it through here and let the route handler enforce.
|
||||
// Allow bearer-secret CLI access on /api/admin/* — validate the token here,
|
||||
// not just in the route handler, to avoid any unprotected route slipping through.
|
||||
if (pathname.startsWith('/api/admin') && request.headers.get('authorization')?.startsWith('Bearer ')) {
|
||||
const bearerToken = request.headers.get('authorization')!.slice(7)
|
||||
const adminSecret = process.env.PITCH_ADMIN_SECRET
|
||||
if (!adminSecret || bearerToken !== adminSecret) {
|
||||
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
||||
}
|
||||
return NextResponse.next()
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user