244071d63b
Implement a complete investor access system for the pitch deck: - Passwordless magic link auth (jose JWT + nodemailer SMTP) - Per-investor audit logging (slide views, assumption changes, chat) - Financial model snapshot persistence (auto-save/restore per investor) - PWA support (manifest, service worker, offline caching, icons) - Security safeguards (watermark overlay, rate limiting, anti-scraping headers, content protection, single-session enforcement) - Admin API for invite/revoke/audit-log management - Integrated into docker-compose.coolify.yml for production deployment Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
27 lines
954 B
TypeScript
27 lines
954 B
TypeScript
import { NextRequest, NextResponse } from 'next/server'
|
|
import { getSessionFromCookie, logAudit } from '@/lib/auth'
|
|
|
|
export async function POST(request: NextRequest) {
|
|
const session = await getSessionFromCookie()
|
|
if (!session) {
|
|
return NextResponse.json({ error: 'Not authenticated' }, { status: 401 })
|
|
}
|
|
|
|
const body = await request.json()
|
|
const { action, details, slide_id } = body
|
|
|
|
if (!action || typeof action !== 'string') {
|
|
return NextResponse.json({ error: 'action required' }, { status: 400 })
|
|
}
|
|
|
|
// Only allow known client-side actions
|
|
const allowedActions = ['slide_viewed', 'assumption_changed', 'chat_message_sent', 'snapshot_saved', 'snapshot_restored']
|
|
if (!allowedActions.includes(action)) {
|
|
return NextResponse.json({ error: 'Invalid action' }, { status: 400 })
|
|
}
|
|
|
|
await logAudit(session.sub, action, details || {}, request, slide_id, session.sessionId)
|
|
|
|
return NextResponse.json({ success: true })
|
|
}
|