feat(pitch-deck): admin UI for investor + financial-model management
Some checks failed
CI / Deploy (pull_request) Has been skipped
CI / go-lint (pull_request) Failing after 2s
CI / python-lint (pull_request) Failing after 11s
CI / nodejs-lint (pull_request) Failing after 2s
CI / test-go-consent (pull_request) Failing after 2s
CI / test-python-voice (pull_request) Failing after 9s
CI / test-bqas (pull_request) Failing after 8s
Some checks failed
CI / Deploy (pull_request) Has been skipped
CI / go-lint (pull_request) Failing after 2s
CI / python-lint (pull_request) Failing after 11s
CI / nodejs-lint (pull_request) Failing after 2s
CI / test-go-consent (pull_request) Failing after 2s
CI / test-python-voice (pull_request) Failing after 9s
CI / test-bqas (pull_request) Failing after 8s
Adds /pitch-admin dashboard with real admin accounts (bcrypt) and full
audit attribution for every state-changing action.
Backend:
- pitch_admins + pitch_admin_sessions tables (migration 002)
- pitch_audit_logs.admin_id + target_investor_id columns
- lib/admin-auth.ts: bcryptjs hashing, single-session enforcement,
jose JWT with 'pitch-admin' audience claim, requireAdmin guard
- logAudit extended to accept admin_id and target_investor_id
- middleware.ts: gates /pitch-admin/* and /api/admin/* on the admin
cookie (with bearer-secret fallback for CLI compatibility)
- 14 API routes under /api/admin-auth and /api/admin (login, logout,
me, dashboard, investors[id] CRUD + resend, admins CRUD,
fm scenarios + assumptions PATCH)
- Existing /api/admin/{invite,investors,revoke,audit-logs} migrated
to requireAdmin and now log with admin_id + target_investor_id
- scripts/create-admin.ts CLI bootstrap (npm run admin:create)
Frontend:
- /pitch-admin/login + /pitch-admin/(authed) route group
- AdminShell with sidebar nav + StatCard + AuditLogTable components
- Dashboard with KPIs, recent logins, recent activity
- Investors list with search/filter + resend/revoke inline actions
- Investor detail with inline edit + per-investor audit timeline
- Audit log viewer with actor/action/date filters + pagination
- Financial model scenario list + per-scenario assumption editor
(categorized, inline edit, before/after diff in audit)
- Admins management (add, deactivate, reset password)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Sharang Parnerkar
@@ -1,42 +1,77 @@
|
||||
import { NextRequest, NextResponse } from 'next/server'
|
||||
import pool from '@/lib/db'
|
||||
import { validateAdminSecret } from '@/lib/auth'
|
||||
import { requireAdmin } from '@/lib/admin-auth'
|
||||
|
||||
export async function GET(request: NextRequest) {
|
||||
if (!validateAdminSecret(request)) {
|
||||
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
||||
}
|
||||
const guard = await requireAdmin(request)
|
||||
if (guard.kind === 'response') return guard.response
|
||||
|
||||
const { searchParams } = new URL(request.url)
|
||||
const investorId = searchParams.get('investor_id')
|
||||
const targetInvestorId = searchParams.get('target_investor_id')
|
||||
const adminId = searchParams.get('admin_id')
|
||||
const actorType = searchParams.get('actor_type') // 'admin' | 'investor'
|
||||
const action = searchParams.get('action')
|
||||
const since = searchParams.get('since') // ISO date
|
||||
const until = searchParams.get('until')
|
||||
const limit = Math.min(parseInt(searchParams.get('limit') || '100'), 500)
|
||||
const offset = parseInt(searchParams.get('offset') || '0')
|
||||
|
||||
const conditions: string[] = []
|
||||
const params: unknown[] = []
|
||||
let paramIdx = 1
|
||||
let p = 1
|
||||
|
||||
if (investorId) {
|
||||
conditions.push(`a.investor_id = $${paramIdx++}`)
|
||||
conditions.push(`a.investor_id = $${p++}`)
|
||||
params.push(investorId)
|
||||
}
|
||||
if (targetInvestorId) {
|
||||
conditions.push(`a.target_investor_id = $${p++}`)
|
||||
params.push(targetInvestorId)
|
||||
}
|
||||
if (adminId) {
|
||||
conditions.push(`a.admin_id = $${p++}`)
|
||||
params.push(adminId)
|
||||
}
|
||||
if (actorType === 'admin') {
|
||||
conditions.push(`a.admin_id IS NOT NULL`)
|
||||
} else if (actorType === 'investor') {
|
||||
conditions.push(`a.investor_id IS NOT NULL`)
|
||||
}
|
||||
if (action) {
|
||||
conditions.push(`a.action = $${paramIdx++}`)
|
||||
conditions.push(`a.action = $${p++}`)
|
||||
params.push(action)
|
||||
}
|
||||
if (since) {
|
||||
conditions.push(`a.created_at >= $${p++}`)
|
||||
params.push(since)
|
||||
}
|
||||
if (until) {
|
||||
conditions.push(`a.created_at <= $${p++}`)
|
||||
params.push(until)
|
||||
}
|
||||
|
||||
const where = conditions.length > 0 ? `WHERE ${conditions.join(' AND ')}` : ''
|
||||
|
||||
const { rows } = await pool.query(
|
||||
`SELECT a.*, i.email as investor_email, i.name as investor_name
|
||||
`SELECT a.*,
|
||||
i.email AS investor_email, i.name AS investor_name,
|
||||
ti.email AS target_investor_email, ti.name AS target_investor_name,
|
||||
ad.email AS admin_email, ad.name AS admin_name
|
||||
FROM pitch_audit_logs a
|
||||
LEFT JOIN pitch_investors i ON i.id = a.investor_id
|
||||
LEFT JOIN pitch_investors ti ON ti.id = a.target_investor_id
|
||||
LEFT JOIN pitch_admins ad ON ad.id = a.admin_id
|
||||
${where}
|
||||
ORDER BY a.created_at DESC
|
||||
LIMIT $${paramIdx++} OFFSET $${paramIdx++}`,
|
||||
[...params, limit, offset]
|
||||
LIMIT $${p++} OFFSET $${p++}`,
|
||||
[...params, limit, offset],
|
||||
)
|
||||
|
||||
return NextResponse.json({ logs: rows })
|
||||
const totalRes = await pool.query(
|
||||
`SELECT COUNT(*)::int AS total FROM pitch_audit_logs a ${where}`,
|
||||
params,
|
||||
)
|
||||
|
||||
return NextResponse.json({ logs: rows, total: totalRes.rows[0].total })
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user