Benjamin_Boenisch/breakpilot-core
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

merge: gitea/main — resolve pitch-deck conflicts (accept theirs)
Some checks failed
CI / test-go-consent (push) Successful in 45s
Details
CI / test-python-voice (push) Successful in 37s
Details
CI / test-bqas (push) Successful in 34s
Details
CI / Deploy (push) Failing after 5s
Details
CI / go-lint (push) Has been skipped
Details
CI / python-lint (push) Has been skipped
Details
CI / nodejs-lint (push) Has been skipped
Details

Browse Source 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Benjamin Admin
2026-04-09 14:43:32 +02:00
parent e3ab428b91 c7ab569b2b
commit ee5241a7bc
67 changed files with 6533 additions and 273 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
pitch-deck/app/api/admin-auth/login/route.ts Normal file
View File

@@ -0,0 +1,62 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { verifyPassword, createAdminSession, setAdminCookie, logAdminAudit } from '@/lib/admin-auth'
import { getClientIp } from '@/lib/auth'
import { checkRateLimit, RATE_LIMITS } from '@/lib/rate-limit'
export async function POST(request: NextRequest) {
const ip = getClientIp(request) || 'unknown'
// Reuse the auth-verify rate limit (10/IP/15min)
const rl = checkRateLimit(`admin-login:${ip}`, RATE_LIMITS.authVerify)
if (!rl.allowed) {
return NextResponse.json({ error: 'Too many attempts. Try again later.' }, { status: 429 })
}
const body = await request.json().catch(() => ({}))
const email = (body.email || '').trim().toLowerCase()
const password = body.password || ''
if (!email || !password) {
return NextResponse.json({ error: 'Email and password required' }, { status: 400 })
}
const { rows } = await pool.query(
`SELECT id, email, name, password_hash, is_active FROM pitch_admins WHERE email = $1`,
[email],
)
if (rows.length === 0) {
await logAdminAudit(null, 'admin_login_failed', { email, reason: 'unknown_email' }, request)
return NextResponse.json({ error: 'Invalid credentials' }, { status: 401 })
}
const admin = rows[0]
if (!admin.is_active) {
await logAdminAudit(admin.id, 'admin_login_failed', { reason: 'inactive' }, request)
return NextResponse.json({ error: 'Account disabled' }, { status: 403 })
}
const ok = await verifyPassword(password, admin.password_hash)
if (!ok) {
await logAdminAudit(admin.id, 'admin_login_failed', { reason: 'wrong_password' }, request)
return NextResponse.json({ error: 'Invalid credentials' }, { status: 401 })
}
const ua = request.headers.get('user-agent')
const { jwt } = await createAdminSession(admin.id, ip, ua)
await setAdminCookie(jwt)
await pool.query(
`UPDATE pitch_admins SET last_login_at = NOW(), updated_at = NOW() WHERE id = $1`,
[admin.id],
)
await logAdminAudit(admin.id, 'admin_login_success', { email }, request)
return NextResponse.json({
success: true,
admin: { id: admin.id, email: admin.email, name: admin.name },
})
}

17
pitch-deck/app/api/admin-auth/logout/route.ts Normal file
View File

@@ -0,0 +1,17 @@
import { NextRequest, NextResponse } from 'next/server'
import {
getAdminPayloadFromCookie,
revokeAdminSession,
clearAdminCookie,
logAdminAudit,
} from '@/lib/admin-auth'
export async function POST(request: NextRequest) {
const payload = await getAdminPayloadFromCookie()
if (payload) {
await revokeAdminSession(payload.sessionId)
await logAdminAudit(payload.sub, 'admin_logout', {}, request)
}
await clearAdminCookie()
return NextResponse.json({ success: true })
}

10
pitch-deck/app/api/admin-auth/me/route.ts Normal file
View File

@@ -0,0 +1,10 @@
import { NextResponse } from 'next/server'
import { getAdminFromCookie } from '@/lib/admin-auth'
export async function GET() {
const admin = await getAdminFromCookie()
if (!admin) {
return NextResponse.json({ error: 'Not authenticated' }, { status: 401 })
}
return NextResponse.json({ admin })
}

81
pitch-deck/app/api/admin/admins/[id]/route.ts Normal file
View File

@@ -0,0 +1,81 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { requireAdmin, logAdminAudit, hashPassword, revokeAllAdminSessions } from '@/lib/admin-auth'
interface RouteContext {
params: Promise<{ id: string }>
}
export async function PATCH(request: NextRequest, ctx: RouteContext) {
const guard = await requireAdmin(request)
if (guard.kind === 'response') return guard.response
const actorAdminId = guard.kind === 'admin' ? guard.admin.id : null
const { id } = await ctx.params
const body = await request.json().catch(() => ({}))
const { name, is_active, password } = body
const before = await pool.query(
`SELECT email, name, is_active FROM pitch_admins WHERE id = $1`,
[id],
)
if (before.rows.length === 0) {
return NextResponse.json({ error: 'Admin not found' }, { status: 404 })
}
const updates: string[] = []
const params: unknown[] = []
let p = 1
if (typeof name === 'string' && name.trim()) {
updates.push(`name = $${p++}`)
params.push(name.trim())
}
if (typeof is_active === 'boolean') {
updates.push(`is_active = $${p++}`)
params.push(is_active)
}
if (typeof password === 'string') {
if (password.length < 12) {
return NextResponse.json({ error: 'password must be at least 12 characters' }, { status: 400 })
}
const hash = await hashPassword(password)
updates.push(`password_hash = $${p++}`)
params.push(hash)
}
if (updates.length === 0) {
return NextResponse.json({ error: 'no fields to update' }, { status: 400 })
}
updates.push(`updated_at = NOW()`)
params.push(id)
const { rows } = await pool.query(
`UPDATE pitch_admins SET ${updates.join(', ')}
WHERE id = $${p}
RETURNING id, email, name, is_active, last_login_at, created_at`,
params,
)
// If deactivated or password changed, revoke their sessions
if (is_active === false || typeof password === 'string') {
await revokeAllAdminSessions(id)
}
const action = is_active === false ? 'admin_deactivated' : 'admin_edited'
await logAdminAudit(
actorAdminId,
action,
{
target_admin_id: id,
target_email: before.rows[0].email,
before: before.rows[0],
after: { name: rows[0].name, is_active: rows[0].is_active },
password_changed: typeof password === 'string',
},
request,
)
return NextResponse.json({ admin: rows[0] })
}

52
pitch-deck/app/api/admin/admins/route.ts Normal file
View File

@@ -0,0 +1,52 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { requireAdmin, logAdminAudit, hashPassword } from '@/lib/admin-auth'
export async function GET(request: NextRequest) {
const guard = await requireAdmin(request)
if (guard.kind === 'response') return guard.response
const { rows } = await pool.query(
`SELECT id, email, name, is_active, last_login_at, created_at, updated_at
FROM pitch_admins ORDER BY created_at ASC`,
)
return NextResponse.json({ admins: rows })
}
export async function POST(request: NextRequest) {
const guard = await requireAdmin(request)
if (guard.kind === 'response') return guard.response
const adminId = guard.kind === 'admin' ? guard.admin.id : null
const body = await request.json().catch(() => ({}))
const email = (body.email || '').trim().toLowerCase()
const name = (body.name || '').trim()
const password = body.password || ''
if (!email || !name || !password) {
return NextResponse.json({ error: 'email, name, password required' }, { status: 400 })
}
if (password.length < 12) {
return NextResponse.json({ error: 'password must be at least 12 characters' }, { status: 400 })
}
const hash = await hashPassword(password)
try {
const { rows } = await pool.query(
`INSERT INTO pitch_admins (email, name, password_hash, is_active)
VALUES ($1, $2, $3, true)
RETURNING id, email, name, is_active, created_at`,
[email, name, hash],
)
const newAdmin = rows[0]
await logAdminAudit(adminId, 'admin_created', { email, name, new_admin_id: newAdmin.id }, request)
return NextResponse.json({ admin: newAdmin })
} catch (err) {
const e = err as { code?: string }
if (e.code === '23505') {
return NextResponse.json({ error: 'Email already exists' }, { status: 409 })
}
throw err
}
}

77
pitch-deck/app/api/admin/audit-logs/route.ts Normal file
View File

@@ -0,0 +1,77 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { requireAdmin } from '@/lib/admin-auth'
export async function GET(request: NextRequest) {
const guard = await requireAdmin(request)
if (guard.kind === 'response') return guard.response
const { searchParams } = new URL(request.url)
const investorId = searchParams.get('investor_id')
const targetInvestorId = searchParams.get('target_investor_id')
const adminId = searchParams.get('admin_id')
const actorType = searchParams.get('actor_type') // 'admin' | 'investor'
const action = searchParams.get('action')
const since = searchParams.get('since') // ISO date
const until = searchParams.get('until')
const limit = Math.min(parseInt(searchParams.get('limit') || '100'), 500)
const offset = parseInt(searchParams.get('offset') || '0')
const conditions: string[] = []
const params: unknown[] = []
let p = 1
if (investorId) {
conditions.push(`a.investor_id = $${p++}`)
params.push(investorId)
}
if (targetInvestorId) {
conditions.push(`a.target_investor_id = $${p++}`)
params.push(targetInvestorId)
}
if (adminId) {
conditions.push(`a.admin_id = $${p++}`)
params.push(adminId)
}
if (actorType === 'admin') {
conditions.push(`a.admin_id IS NOT NULL`)
} else if (actorType === 'investor') {
conditions.push(`a.investor_id IS NOT NULL`)
}
if (action) {
conditions.push(`a.action = $${p++}`)
params.push(action)
}
if (since) {
conditions.push(`a.created_at >= $${p++}`)
params.push(since)
}
if (until) {
conditions.push(`a.created_at <= $${p++}`)
params.push(until)
}
const where = conditions.length > 0 ? `WHERE ${conditions.join(' AND ')}` : ''
const { rows } = await pool.query(
`SELECT a.*,
i.email AS investor_email, i.name AS investor_name,
ti.email AS target_investor_email, ti.name AS target_investor_name,
ad.email AS admin_email, ad.name AS admin_name
FROM pitch_audit_logs a
LEFT JOIN pitch_investors i ON i.id = a.investor_id
LEFT JOIN pitch_investors ti ON ti.id = a.target_investor_id
LEFT JOIN pitch_admins ad ON ad.id = a.admin_id
${where}
ORDER BY a.created_at DESC
LIMIT $${p++} OFFSET $${p++}`,
[...params, limit, offset],
)
const totalRes = await pool.query(
`SELECT COUNT(*)::int AS total FROM pitch_audit_logs a ${where}`,
params,
)
return NextResponse.json({ logs: rows, total: totalRes.rows[0].total })
}

46
pitch-deck/app/api/admin/dashboard/route.ts Normal file
View File

@@ -0,0 +1,46 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { requireAdmin } from '@/lib/admin-auth'
export async function GET(request: NextRequest) {
const guard = await requireAdmin(request)
if (guard.kind === 'response') return guard.response
const [totals, recentLogins, recentActivity] = await Promise.all([
pool.query(`
SELECT
(SELECT COUNT(*)::int FROM pitch_investors) AS total_investors,
(SELECT COUNT(*)::int FROM pitch_investors WHERE status = 'invited') AS pending_invites,
(SELECT COUNT(*)::int FROM pitch_investors WHERE last_login_at >= NOW() - INTERVAL '7 days') AS active_7d,
(SELECT COUNT(*)::int FROM pitch_audit_logs WHERE action = 'slide_viewed') AS slides_viewed_total,
(SELECT COUNT(*)::int FROM pitch_sessions WHERE revoked = false AND expires_at > NOW()) AS active_sessions,
(SELECT COUNT(*)::int FROM pitch_admins WHERE is_active = true) AS active_admins
`),
pool.query(`
SELECT a.created_at, a.ip_address, i.id AS investor_id, i.email, i.name, i.company
FROM pitch_audit_logs a
JOIN pitch_investors i ON i.id = a.investor_id
WHERE a.action = 'login_success'
ORDER BY a.created_at DESC
LIMIT 10
`),
pool.query(`
SELECT a.id, a.action, a.created_at, a.details,
i.email AS investor_email, i.name AS investor_name,
ti.email AS target_investor_email,
ad.email AS admin_email, ad.name AS admin_name
FROM pitch_audit_logs a
LEFT JOIN pitch_investors i ON i.id = a.investor_id
LEFT JOIN pitch_investors ti ON ti.id = a.target_investor_id
LEFT JOIN pitch_admins ad ON ad.id = a.admin_id
ORDER BY a.created_at DESC
LIMIT 15
`),
])
return NextResponse.json({
totals: totals.rows[0],
recent_logins: recentLogins.rows,
recent_activity: recentActivity.rows,
})
}

93
pitch-deck/app/api/admin/fm/assumptions/[id]/route.ts Normal file
View File

@@ -0,0 +1,93 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { requireAdmin, logAdminAudit } from '@/lib/admin-auth'
interface RouteContext {
params: Promise<{ id: string }>
}
export async function PATCH(request: NextRequest, ctx: RouteContext) {
const guard = await requireAdmin(request)
if (guard.kind === 'response') return guard.response
const adminId = guard.kind === 'admin' ? guard.admin.id : null
const { id } = await ctx.params
const body = await request.json().catch(() => ({}))
const { value, min_value, max_value, step_size, label_de, label_en } = body
const before = await pool.query(
`SELECT scenario_id, key, label_de, label_en, value, min_value, max_value, step_size
FROM pitch_fm_assumptions WHERE id = $1`,
[id],
)
if (before.rows.length === 0) {
return NextResponse.json({ error: 'Assumption not found' }, { status: 404 })
}
const updates: string[] = []
const params: unknown[] = []
let p = 1
if (value !== undefined) {
updates.push(`value = $${p++}`)
params.push(JSON.stringify(value))
}
if (min_value !== undefined) {
updates.push(`min_value = $${p++}`)
params.push(min_value)
}
if (max_value !== undefined) {
updates.push(`max_value = $${p++}`)
params.push(max_value)
}
if (step_size !== undefined) {
updates.push(`step_size = $${p++}`)
params.push(step_size)
}
if (typeof label_de === 'string') {
updates.push(`label_de = $${p++}`)
params.push(label_de)
}
if (typeof label_en === 'string') {
updates.push(`label_en = $${p++}`)
params.push(label_en)
}
if (updates.length === 0) {
return NextResponse.json({ error: 'no fields to update' }, { status: 400 })
}
params.push(id)
const { rows } = await pool.query(
`UPDATE pitch_fm_assumptions SET ${updates.join(', ')} WHERE id = $${p} RETURNING *`,
params,
)
// Invalidate cached results for this scenario so the next compute uses the new value
await pool.query(`DELETE FROM pitch_fm_results WHERE scenario_id = $1`, [before.rows[0].scenario_id])
await logAdminAudit(
adminId,
'assumption_edited',
{
assumption_id: id,
scenario_id: before.rows[0].scenario_id,
key: before.rows[0].key,
before: {
value: typeof before.rows[0].value === 'string' ? JSON.parse(before.rows[0].value) : before.rows[0].value,
min_value: before.rows[0].min_value,
max_value: before.rows[0].max_value,
step_size: before.rows[0].step_size,
},
after: {
value: typeof rows[0].value === 'string' ? JSON.parse(rows[0].value) : rows[0].value,
min_value: rows[0].min_value,
max_value: rows[0].max_value,
step_size: rows[0].step_size,
},
},
request,
)
return NextResponse.json({ assumption: rows[0] })
}

52
pitch-deck/app/api/admin/fm/scenarios/[id]/route.ts Normal file
View File

@@ -0,0 +1,52 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { requireAdmin, logAdminAudit } from '@/lib/admin-auth'
interface RouteContext {
params: Promise<{ id: string }>
}
export async function PATCH(request: NextRequest, ctx: RouteContext) {
const guard = await requireAdmin(request)
if (guard.kind === 'response') return guard.response
const adminId = guard.kind === 'admin' ? guard.admin.id : null
const { id } = await ctx.params
const body = await request.json().catch(() => ({}))
const { name, description, color } = body
if (name === undefined && description === undefined && color === undefined) {
return NextResponse.json({ error: 'name, description, or color required' }, { status: 400 })
}
const before = await pool.query(
`SELECT name, description, color FROM pitch_fm_scenarios WHERE id = $1`,
[id],
)
if (before.rows.length === 0) {
return NextResponse.json({ error: 'Scenario not found' }, { status: 404 })
}
const { rows } = await pool.query(
`UPDATE pitch_fm_scenarios SET
name = COALESCE($1, name),
description = COALESCE($2, description),
color = COALESCE($3, color)
WHERE id = $4
RETURNING *`,
[name ?? null, description ?? null, color ?? null, id],
)
await logAdminAudit(
adminId,
'scenario_edited',
{
scenario_id: id,
before: before.rows[0],
after: { name: rows[0].name, description: rows[0].description, color: rows[0].color },
},
request,
)
return NextResponse.json({ scenario: rows[0] })
}

27
pitch-deck/app/api/admin/fm/scenarios/route.ts Normal file
View File

@@ -0,0 +1,27 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { requireAdmin } from '@/lib/admin-auth'
export async function GET(request: NextRequest) {
const guard = await requireAdmin(request)
if (guard.kind === 'response') return guard.response
const scenarios = await pool.query(
`SELECT * FROM pitch_fm_scenarios ORDER BY is_default DESC, name`,
)
const assumptions = await pool.query(
`SELECT * FROM pitch_fm_assumptions ORDER BY scenario_id, sort_order`,
)
const result = scenarios.rows.map(s => ({
...s,
assumptions: assumptions.rows
.filter(a => a.scenario_id === s.id)
.map(a => ({
...a,
value: typeof a.value === 'string' ? JSON.parse(a.value) : a.value,
})),
}))
return NextResponse.json({ scenarios: result })
}

60
pitch-deck/app/api/admin/investors/[id]/resend/route.ts Normal file
View File

@@ -0,0 +1,60 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { generateToken } from '@/lib/auth'
import { requireAdmin, logAdminAudit } from '@/lib/admin-auth'
import { sendMagicLinkEmail } from '@/lib/email'
import { checkRateLimit, RATE_LIMITS } from '@/lib/rate-limit'
interface RouteContext {
params: Promise<{ id: string }>
}
export async function POST(request: NextRequest, ctx: RouteContext) {
const guard = await requireAdmin(request)
if (guard.kind === 'response') return guard.response
const adminId = guard.kind === 'admin' ? guard.admin.id : null
const { id } = await ctx.params
const { rows } = await pool.query(
`SELECT id, email, name, status FROM pitch_investors WHERE id = $1`,
[id],
)
if (rows.length === 0) {
return NextResponse.json({ error: 'Investor not found' }, { status: 404 })
}
const investor = rows[0]
if (investor.status === 'revoked') {
return NextResponse.json({ error: 'Investor is revoked. Reactivate first by re-inviting.' }, { status: 400 })
}
// Rate limit by email
const rl = checkRateLimit(`magic-link:${investor.email}`, RATE_LIMITS.magicLink)
if (!rl.allowed) {
return NextResponse.json({ error: 'Too many resends for this email. Try again later.' }, { status: 429 })
}
const token = generateToken()
const ttlHours = parseInt(process.env.MAGIC_LINK_TTL_HOURS || '72')
const expiresAt = new Date(Date.now() + ttlHours * 60 * 60 * 1000)
await pool.query(
`INSERT INTO pitch_magic_links (investor_id, token, expires_at) VALUES ($1, $2, $3)`,
[investor.id, token, expiresAt],
)
const baseUrl = process.env.PITCH_BASE_URL || 'https://pitch.breakpilot.ai'
const magicLinkUrl = `${baseUrl}/auth/verify?token=${token}`
await sendMagicLinkEmail(investor.email, investor.name, magicLinkUrl)
await logAdminAudit(
adminId,
'magic_link_resent',
{ email: investor.email, expires_at: expiresAt.toISOString() },
request,
investor.id,
)
return NextResponse.json({ success: true, expires_at: expiresAt.toISOString() })
}

99
pitch-deck/app/api/admin/investors/[id]/route.ts Normal file
View File

@@ -0,0 +1,99 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { requireAdmin, logAdminAudit } from '@/lib/admin-auth'
interface RouteContext {
params: Promise<{ id: string }>
}
export async function GET(request: NextRequest, ctx: RouteContext) {
const guard = await requireAdmin(request)
if (guard.kind === 'response') return guard.response
const { id } = await ctx.params
const [investor, sessions, snapshots, audit] = await Promise.all([
pool.query(
`SELECT id, email, name, company, status, last_login_at, login_count, created_at, updated_at
FROM pitch_investors WHERE id = $1`,
[id],
),
pool.query(
`SELECT id, ip_address, user_agent, expires_at, revoked, created_at
FROM pitch_sessions WHERE investor_id = $1
ORDER BY created_at DESC LIMIT 50`,
[id],
),
pool.query(
`SELECT id, scenario_id, label, is_latest, created_at
FROM pitch_investor_snapshots WHERE investor_id = $1
ORDER BY created_at DESC LIMIT 50`,
[id],
),
pool.query(
`SELECT a.id, a.action, a.created_at, a.details, a.ip_address, a.slide_id,
ad.email AS admin_email, ad.name AS admin_name
FROM pitch_audit_logs a
LEFT JOIN pitch_admins ad ON ad.id = a.admin_id
WHERE a.investor_id = $1 OR a.target_investor_id = $1
ORDER BY a.created_at DESC LIMIT 100`,
[id],
),
])
if (investor.rows.length === 0) {
return NextResponse.json({ error: 'Investor not found' }, { status: 404 })
}
return NextResponse.json({
investor: investor.rows[0],
sessions: sessions.rows,
snapshots: snapshots.rows,
audit: audit.rows,
})
}
export async function PATCH(request: NextRequest, ctx: RouteContext) {
const guard = await requireAdmin(request)
if (guard.kind === 'response') return guard.response
const adminId = guard.kind === 'admin' ? guard.admin.id : null
const { id } = await ctx.params
const body = await request.json().catch(() => ({}))
const { name, company } = body
if (name === undefined && company === undefined) {
return NextResponse.json({ error: 'name or company required' }, { status: 400 })
}
const before = await pool.query(
`SELECT name, company FROM pitch_investors WHERE id = $1`,
[id],
)
if (before.rows.length === 0) {
return NextResponse.json({ error: 'Investor not found' }, { status: 404 })
}
const { rows } = await pool.query(
`UPDATE pitch_investors SET
name = COALESCE($1, name),
company = COALESCE($2, company),
updated_at = NOW()
WHERE id = $3
RETURNING id, email, name, company, status`,
[name ?? null, company ?? null, id],
)
await logAdminAudit(
adminId,
'investor_edited',
{
before: before.rows[0],
after: { name: rows[0].name, company: rows[0].company },
},
request,
id,
)
return NextResponse.json({ investor: rows[0] })
}

18
pitch-deck/app/api/admin/investors/route.ts Normal file
View File

@@ -0,0 +1,18 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { requireAdmin } from '@/lib/admin-auth'
export async function GET(request: NextRequest) {
const guard = await requireAdmin(request)
if (guard.kind === 'response') return guard.response
const { rows } = await pool.query(
`SELECT i.id, i.email, i.name, i.company, i.status, i.last_login_at, i.login_count, i.created_at,
(SELECT COUNT(*) FROM pitch_audit_logs a WHERE a.investor_id = i.id AND a.action = 'slide_viewed') as slides_viewed,
(SELECT MAX(a.created_at) FROM pitch_audit_logs a WHERE a.investor_id = i.id) as last_activity
FROM pitch_investors i
ORDER BY i.created_at DESC`,
)
return NextResponse.json({ investors: rows })
}

73
pitch-deck/app/api/admin/invite/route.ts Normal file
View File

@@ -0,0 +1,73 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { generateToken } from '@/lib/auth'
import { requireAdmin, logAdminAudit } from '@/lib/admin-auth'
import { sendMagicLinkEmail } from '@/lib/email'
import { checkRateLimit, RATE_LIMITS } from '@/lib/rate-limit'
export async function POST(request: NextRequest) {
const guard = await requireAdmin(request)
if (guard.kind === 'response') return guard.response
const adminId = guard.kind === 'admin' ? guard.admin.id : null
const body = await request.json().catch(() => ({}))
const { email, name, company } = body
if (!email || typeof email !== 'string') {
return NextResponse.json({ error: 'Email required' }, { status: 400 })
}
// Rate limit by email (3/hour)
const rl = checkRateLimit(`magic-link:${email.toLowerCase()}`, RATE_LIMITS.magicLink)
if (!rl.allowed) {
return NextResponse.json({ error: 'Too many invites for this email. Try again later.' }, { status: 429 })
}
const normalizedEmail = email.toLowerCase().trim()
// Upsert investor
const { rows } = await pool.query(
`INSERT INTO pitch_investors (email, name, company)
VALUES ($1, $2, $3)
ON CONFLICT (email) DO UPDATE SET
name = COALESCE(EXCLUDED.name, pitch_investors.name),
company = COALESCE(EXCLUDED.company, pitch_investors.company),
status = CASE WHEN pitch_investors.status = 'revoked' THEN 'invited' ELSE pitch_investors.status END,
updated_at = NOW()
RETURNING id, status`,
[normalizedEmail, name || null, company || null],
)
const investor = rows[0]
// Generate magic link
const token = generateToken()
const ttlHours = parseInt(process.env.MAGIC_LINK_TTL_HOURS || '72')
const expiresAt = new Date(Date.now() + ttlHours * 60 * 60 * 1000)
await pool.query(
`INSERT INTO pitch_magic_links (investor_id, token, expires_at)
VALUES ($1, $2, $3)`,
[investor.id, token, expiresAt],
)
const baseUrl = process.env.PITCH_BASE_URL || 'https://pitch.breakpilot.ai'
const magicLinkUrl = `${baseUrl}/auth/verify?token=${token}`
await sendMagicLinkEmail(normalizedEmail, name || null, magicLinkUrl)
await logAdminAudit(
adminId,
'investor_invited',
{ email: normalizedEmail, name: name || null, company: company || null, expires_at: expiresAt.toISOString() },
request,
investor.id,
)
return NextResponse.json({
success: true,
investor_id: investor.id,
email: normalizedEmail,
expires_at: expiresAt.toISOString(),
})
}

32
pitch-deck/app/api/admin/revoke/route.ts Normal file
View File

@@ -0,0 +1,32 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { revokeAllSessions } from '@/lib/auth'
import { requireAdmin, logAdminAudit } from '@/lib/admin-auth'
export async function POST(request: NextRequest) {
const guard = await requireAdmin(request)
if (guard.kind === 'response') return guard.response
const adminId = guard.kind === 'admin' ? guard.admin.id : null
const body = await request.json().catch(() => ({}))
const { investor_id } = body
if (!investor_id) {
return NextResponse.json({ error: 'investor_id required' }, { status: 400 })
}
const { rows } = await pool.query(
`UPDATE pitch_investors SET status = 'revoked', updated_at = NOW()
WHERE id = $1 RETURNING email`,
[investor_id],
)
if (rows.length === 0) {
return NextResponse.json({ error: 'Investor not found' }, { status: 404 })
}
await revokeAllSessions(investor_id)
await logAdminAudit(adminId, 'investor_revoked', { email: rows[0].email }, request, investor_id)
return NextResponse.json({ success: true })
}

26
pitch-deck/app/api/audit/route.ts Normal file
View File

@@ -0,0 +1,26 @@
import { NextRequest, NextResponse } from 'next/server'
import { getSessionFromCookie, logAudit } from '@/lib/auth'
export async function POST(request: NextRequest) {
const session = await getSessionFromCookie()
if (!session) {
return NextResponse.json({ error: 'Not authenticated' }, { status: 401 })
}
const body = await request.json()
const { action, details, slide_id } = body
if (!action || typeof action !== 'string') {
return NextResponse.json({ error: 'action required' }, { status: 400 })
}
// Only allow known client-side actions
const allowedActions = ['slide_viewed', 'assumption_changed', 'chat_message_sent', 'snapshot_saved', 'snapshot_restored']
if (!allowedActions.includes(action)) {
return NextResponse.json({ error: 'Invalid action' }, { status: 400 })
}
await logAudit(session.sub, action, details || {}, request, slide_id, session.sessionId)
return NextResponse.json({ success: true })
}

14
pitch-deck/app/api/auth/logout/route.ts Normal file
View File

@@ -0,0 +1,14 @@
import { NextRequest, NextResponse } from 'next/server'
import { getSessionFromCookie, revokeSession, clearSessionCookie, logAudit } from '@/lib/auth'
export async function POST(request: NextRequest) {
const session = await getSessionFromCookie()
if (session) {
await revokeSession(session.sessionId)
await logAudit(session.sub, 'logout', {}, request, undefined, session.sessionId)
}
await clearSessionCookie()
return NextResponse.json({ success: true })
}

27
pitch-deck/app/api/auth/me/route.ts Normal file
View File

@@ -0,0 +1,27 @@
import { NextResponse } from 'next/server'
import pool from '@/lib/db'
import { getSessionFromCookie, validateSession } from '@/lib/auth'
export async function GET() {
const session = await getSessionFromCookie()
if (!session) {
return NextResponse.json({ error: 'Not authenticated' }, { status: 401 })
}
const valid = await validateSession(session.sessionId, session.sub)
if (!valid) {
return NextResponse.json({ error: 'Session expired' }, { status: 401 })
}
const { rows } = await pool.query(
`SELECT id, email, name, company, status, last_login_at, login_count, created_at
FROM pitch_investors WHERE id = $1`,
[session.sub]
)
if (rows.length === 0 || rows[0].status === 'revoked') {
return NextResponse.json({ error: 'Access revoked' }, { status: 403 })
}
return NextResponse.json({ investor: rows[0] })
}

85
pitch-deck/app/api/auth/verify/route.ts Normal file
View File

@@ -0,0 +1,85 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { createSession, setSessionCookie, getClientIp, logAudit, hashToken } from '@/lib/auth'
import { checkRateLimit, RATE_LIMITS } from '@/lib/rate-limit'
export async function POST(request: NextRequest) {
const ip = getClientIp(request) || 'unknown'
// Rate limit by IP
const rl = checkRateLimit(`auth-verify:${ip}`, RATE_LIMITS.authVerify)
if (!rl.allowed) {
return NextResponse.json({ error: 'Too many attempts. Try again later.' }, { status: 429 })
}
const body = await request.json()
const { token } = body
if (!token || typeof token !== 'string') {
return NextResponse.json({ error: 'Token required' }, { status: 400 })
}
// Find the magic link
const { rows } = await pool.query(
`SELECT ml.id, ml.investor_id, ml.expires_at, ml.used_at, i.email, i.status as investor_status
FROM pitch_magic_links ml
JOIN pitch_investors i ON i.id = ml.investor_id
WHERE ml.token = $1`,
[token]
)
if (rows.length === 0) {
await logAudit(null, 'login_failed', { reason: 'invalid_token' }, request)
return NextResponse.json({ error: 'Invalid link' }, { status: 401 })
}
const link = rows[0]
if (link.used_at) {
await logAudit(link.investor_id, 'login_failed', { reason: 'token_already_used' }, request)
return NextResponse.json({ error: 'This link has already been used. Please request a new one.' }, { status: 401 })
}
if (new Date(link.expires_at) < new Date()) {
await logAudit(link.investor_id, 'login_failed', { reason: 'token_expired' }, request)
return NextResponse.json({ error: 'This link has expired. Please request a new one.' }, { status: 401 })
}
if (link.investor_status === 'revoked') {
await logAudit(link.investor_id, 'login_failed', { reason: 'investor_revoked' }, request)
return NextResponse.json({ error: 'Access has been revoked.' }, { status: 403 })
}
const ua = request.headers.get('user-agent')
// Mark token as used
await pool.query(
`UPDATE pitch_magic_links SET used_at = NOW(), ip_address = $1, user_agent = $2 WHERE id = $3`,
[ip, ua, link.id]
)
// Activate investor if first login
await pool.query(
`UPDATE pitch_investors SET status = 'active', last_login_at = NOW(), login_count = login_count + 1, updated_at = NOW()
WHERE id = $1`,
[link.investor_id]
)
// Create session and set cookie
const { sessionId, jwt } = await createSession(link.investor_id, ip, ua)
await setSessionCookie(jwt)
// Check for new IP
const { rows: prevSessions } = await pool.query(
`SELECT DISTINCT ip_address FROM pitch_sessions WHERE investor_id = $1 AND id != $2 AND ip_address IS NOT NULL`,
[link.investor_id, sessionId]
)
const knownIps = prevSessions.map((r: { ip_address: string }) => r.ip_address)
if (knownIps.length > 0 && !knownIps.includes(ip)) {
await logAudit(link.investor_id, 'new_ip_detected', { ip, known_ips: knownIps }, request, undefined, sessionId)
}
await logAudit(link.investor_id, 'login_success', { email: link.email }, request, undefined, sessionId)
return NextResponse.json({ success: true, redirect: '/' })
}

5
pitch-deck/app/api/health/route.ts Normal file
View File

@@ -0,0 +1,5 @@
import { NextResponse } from 'next/server'
export async function GET() {
return NextResponse.json({ status: 'ok', timestamp: new Date().toISOString() })
}

72
pitch-deck/app/api/snapshots/route.ts Normal file
View File

@@ -0,0 +1,72 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { getSessionFromCookie } from '@/lib/auth'
export async function GET() {
const session = await getSessionFromCookie()
if (!session) {
return NextResponse.json({ error: 'Not authenticated' }, { status: 401 })
}
const { rows } = await pool.query(
`SELECT id, scenario_id, assumptions, label, is_latest, created_at
FROM pitch_investor_snapshots
WHERE investor_id = $1 AND is_latest = true
ORDER BY created_at DESC`,
[session.sub]
)
return NextResponse.json({ snapshots: rows })
}
export async function POST(request: NextRequest) {
const session = await getSessionFromCookie()
if (!session) {
return NextResponse.json({ error: 'Not authenticated' }, { status: 401 })
}
const body = await request.json()
const { scenario_id, assumptions, label } = body
if (!scenario_id || !assumptions) {
return NextResponse.json({ error: 'scenario_id and assumptions required' }, { status: 400 })
}
// Mark previous latest as not latest
await pool.query(
`UPDATE pitch_investor_snapshots SET is_latest = false
WHERE investor_id = $1 AND scenario_id = $2 AND is_latest = true`,
[session.sub, scenario_id]
)
// Insert new snapshot
const { rows } = await pool.query(
`INSERT INTO pitch_investor_snapshots (investor_id, scenario_id, assumptions, label, is_latest)
VALUES ($1, $2, $3, $4, true)
RETURNING id, created_at`,
[session.sub, scenario_id, JSON.stringify(assumptions), label || null]
)
return NextResponse.json({ snapshot: rows[0] })
}
export async function DELETE(request: NextRequest) {
const session = await getSessionFromCookie()
if (!session) {
return NextResponse.json({ error: 'Not authenticated' }, { status: 401 })
}
const { searchParams } = new URL(request.url)
const id = searchParams.get('id')
if (!id) {
return NextResponse.json({ error: 'Snapshot id required' }, { status: 400 })
}
await pool.query(
`DELETE FROM pitch_investor_snapshots WHERE id = $1 AND investor_id = $2`,
[id, session.sub]
)
return NextResponse.json({ success: true })
}