fix: security hardening — block self-registration, SSE auth, audit logging fixes

Security fixes: - Block self-registration via magic link (PrismaAdapter createUser throws) - Magic links only sent to existing ACTIVE users (prevents enumeration) - signIn callback rejects non-existent users (defense-in-depth) - Change schema default role from JURY_MEMBER to APPLICANT - Add authentication to live-voting SSE stream endpoint - Fix false FILE_OPENED/FILE_DOWNLOADED audit events on page load (remove purpose from eagerly pre-fetched URL queries) Bug fixes: - Fix impersonation skeleton screen on applicant dashboard - Fix onboarding redirect loop in auth layout Observer dashboard redesign (Steps 1-6): - Clickable round pipeline with selected round highlighting - Round-type-specific dashboard panels (intake, filtering, evaluation, submission, mentoring, live final, deliberation) - Enhanced activity feed with server-side humanization - Previous round comparison section - New backend queries for round-specific analytics Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-04 20:18:50 +01:00
parent 13f125af28
commit 875c2e8f48
23 changed files with 2126 additions and 410 deletions
--- a/src/app/(admin)/admin/awards/[id]/page.tsx
+++ b/src/app/(admin)/admin/awards/[id]/page.tsx
@@ -1337,7 +1337,7 @@ export default function AwardDetailPage({
                    <TableRow key={j.id}>
                      <TableCell>
                        <div className="flex items-center gap-3">
-                          <UserAvatar user={j.user} size="sm" />
+                          <UserAvatar user={j.user} avatarUrl={j.user.avatarUrl} size="sm" />
                          <div>
                            <p className="font-medium">
                              {j.user.name || 'Unnamed'}
--- a/src/app/(applicant)/applicant/documents/page.tsx
+++ b/src/app/(applicant)/applicant/documents/page.tsx
@@ -46,11 +46,11 @@ const fileTypeLabels: Record<string, string> = {

 function FileActionButtons({ bucket, objectKey, fileName }: { bucket: string; objectKey: string; fileName: string }) {
  const { data: viewData } = trpc.file.getDownloadUrl.useQuery(
-    { bucket, objectKey, forDownload: false, purpose: 'open' as const },
+    { bucket, objectKey, forDownload: false },
    { staleTime: 10 * 60 * 1000 }
  )
  const { data: dlData } = trpc.file.getDownloadUrl.useQuery(
-    { bucket, objectKey, forDownload: true, fileName, purpose: 'download' as const },
+    { bucket, objectKey, forDownload: true, fileName },
    { staleTime: 10 * 60 * 1000 }
  )
  const viewUrl = typeof viewData === 'string' ? viewData : viewData?.url
--- a/src/app/(applicant)/applicant/page.tsx
+++ b/src/app/(applicant)/applicant/page.tsx
@@ -62,7 +62,7 @@ export default function ApplicantDashboardPage() {
    enabled: isAuthenticated,
  })

-  if (sessionStatus === 'loading' || isLoading) {
+  if (sessionStatus === 'loading' || (isAuthenticated && isLoading)) {
    return (
      <div className="space-y-6">
        <div className="space-y-2">
--- a/src/app/(auth)/layout.tsx
+++ b/src/app/(auth)/layout.tsx
@@ -26,18 +26,23 @@ export default async function AuthLayout({
    })

    if (dbUser) {
-
-      const role = session.user.role
-      if (role === 'SUPER_ADMIN' || role === 'PROGRAM_ADMIN') {
-        redirect('/admin')
-      } else if (role === 'JURY_MEMBER') {
-        redirect('/jury')
-      } else if (role === 'OBSERVER') {
-        redirect('/observer')
-      } else if (role === 'MENTOR') {
-        redirect('/mentor')
-      } else if (role === 'APPLICANT') {
-        redirect('/applicant')
+      // If user hasn't completed onboarding, don't redirect away from auth pages.
+      // The /onboarding page lives in this (auth) layout, so they need to stay here.
+      if (!dbUser.onboardingCompletedAt) {
+        // Fall through — let them access /onboarding (and other auth pages)
+      } else {
+        const role = session.user.role
+        if (role === 'SUPER_ADMIN' || role === 'PROGRAM_ADMIN') {
+          redirect('/admin')
+        } else if (role === 'JURY_MEMBER') {
+          redirect('/jury')
+        } else if (role === 'OBSERVER') {
+          redirect('/observer')
+        } else if (role === 'MENTOR') {
+          redirect('/mentor')
+        } else if (role === 'APPLICANT') {
+          redirect('/applicant')
+        }
      }
    }
    // If user doesn't exist in DB, fall through and show auth page
--- a/src/app/api/live-voting/stream/route.ts
+++ b/src/app/api/live-voting/stream/route.ts
@@ -1,9 +1,19 @@
 import { NextRequest } from 'next/server'
 import { prisma } from '@/lib/prisma'
+import { auth } from '@/lib/auth'

 export const dynamic = 'force-dynamic'

 export async function GET(request: NextRequest): Promise<Response> {
+  // Require authentication — prevent unauthenticated access to live vote data
+  const userSession = await auth()
+  if (!userSession?.user) {
+    return new Response(JSON.stringify({ error: 'Unauthorized' }), {
+      status: 401,
+      headers: { 'Content-Type': 'application/json' },
+    })
+  }
+
  const { searchParams } = new URL(request.url)
  const sessionId = searchParams.get('sessionId')