Benjamin_Boenisch/breakpilot-core
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(pitch-deck): passwordless investor auth, audit logs, snapshots & PWA (#2)
All checks were successful
CI / test-go-consent (push) Successful in 27s
Details
CI / test-python-voice (push) Successful in 25s
Details
CI / test-bqas (push) Successful in 27s
Details
CI / Deploy (push) Successful in 6s
Details
CI / go-lint (push) Has been skipped
Details
CI / python-lint (push) Has been skipped
Details
CI / nodejs-lint (push) Has been skipped
Details

Browse Source 
Adds investor-facing access controls, persistence, and PWA support to the pitch deck:

- Passwordless magic-link auth (jose JWT + nodemailer SMTP)
- Per-investor audit logging (logins, slide views, assumption changes, chat)
- Financial model snapshot persistence (auto-save/restore per investor)
- PWA support (manifest, service worker, offline caching, branded icons)
- Safeguards: email watermark overlay, security headers, content protection,
  rate limiting, IP/new-IP detection, single active session per investor
- Admin API: invite, list investors, revoke, query audit logs
- pitch-deck service added to docker-compose.coolify.yml

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit was merged in pull request #2.
This commit is contained in:
Sharang Parnerkar
2026-04-07 08:48:38 +00:00
parent 3a2567b44d
commit 645973141c
35 changed files with 4232 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

80
pitch-deck/middleware.ts Normal file
View File

@@ -0,0 +1,80 @@
import { NextRequest, NextResponse } from 'next/server'
import { jwtVerify } from 'jose'
const PUBLIC_PATHS = [
'/auth',
'/api/auth',
'/api/health',
'/api/admin',
'/_next',
'/manifest.json',
'/sw.js',
'/icons',
'/favicon.ico',
]
function isPublicPath(pathname: string): boolean {
return PUBLIC_PATHS.some(p => pathname === p || pathname.startsWith(p + '/'))
}
export async function middleware(request: NextRequest) {
const { pathname } = request.nextUrl
// Allow public paths
if (isPublicPath(pathname)) {
return NextResponse.next()
}
// Check for session cookie
const token = request.cookies.get('pitch_session')?.value
if (!token) {
return NextResponse.redirect(new URL('/auth', request.url))
}
// Verify JWT
const secret = process.env.PITCH_JWT_SECRET
if (!secret) {
return NextResponse.redirect(new URL('/auth', request.url))
}
try {
const { payload } = await jwtVerify(token, new TextEncoder().encode(secret))
// Add investor info to headers for downstream use
const response = NextResponse.next()
response.headers.set('x-investor-id', payload.sub as string)
response.headers.set('x-investor-email', payload.email as string)
response.headers.set('x-session-id', payload.sessionId as string)
// Auto-refresh JWT if within last 15 minutes of expiry
const exp = payload.exp as number
const now = Math.floor(Date.now() / 1000)
const timeLeft = exp - now
if (timeLeft < 900 && timeLeft > 0) {
// Import dynamically to avoid Edge runtime issues with pg
// The actual refresh happens server-side in the API routes
response.headers.set('x-token-refresh-needed', 'true')
}
return response
} catch {
// Invalid or expired JWT
const response = NextResponse.redirect(new URL('/auth', request.url))
response.cookies.delete('pitch_session')
return response
}
}
export const config = {
matcher: [
/*
* Match all request paths except:
* - _next/static (static files)
* - _next/image (image optimization files)
* - favicon.ico (favicon file)
*/
'/((?!_next/static|_next/image).*)',
],
}