fix: security hardening — block self-registration, SSE auth, audit logging fixes

Security fixes: - Block self-registration via magic link (PrismaAdapter createUser throws) - Magic links only sent to existing ACTIVE users (prevents enumeration) - signIn callback rejects non-existent users (defense-in-depth) - Change schema default role from JURY_MEMBER to APPLICANT - Add authentication to live-voting SSE stream endpoint - Fix false FILE_OPENED/FILE_DOWNLOADED audit events on page load (remove purpose from eagerly pre-fetched URL queries) Bug fixes: - Fix impersonation skeleton screen on applicant dashboard - Fix onboarding redirect loop in auth layout Observer dashboard redesign (Steps 1-6): - Clickable round pipeline with selected round highlighting - Round-type-specific dashboard panels (intake, filtering, evaluation, submission, mentoring, live final, deliberation) - Enhanced activity feed with server-side humanization - Previous round comparison section - New backend queries for round-specific analytics Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-04 20:18:50 +01:00
parent 13f125af28
commit 875c2e8f48
23 changed files with 2126 additions and 410 deletions
--- a/src/app/(auth)/layout.tsx
+++ b/src/app/(auth)/layout.tsx
@@ -26,18 +26,23 @@ export default async function AuthLayout({
    })

    if (dbUser) {
-
-      const role = session.user.role
-      if (role === 'SUPER_ADMIN' || role === 'PROGRAM_ADMIN') {
-        redirect('/admin')
-      } else if (role === 'JURY_MEMBER') {
-        redirect('/jury')
-      } else if (role === 'OBSERVER') {
-        redirect('/observer')
-      } else if (role === 'MENTOR') {
-        redirect('/mentor')
-      } else if (role === 'APPLICANT') {
-        redirect('/applicant')
+      // If user hasn't completed onboarding, don't redirect away from auth pages.
+      // The /onboarding page lives in this (auth) layout, so they need to stay here.
+      if (!dbUser.onboardingCompletedAt) {
+        // Fall through — let them access /onboarding (and other auth pages)
+      } else {
+        const role = session.user.role
+        if (role === 'SUPER_ADMIN' || role === 'PROGRAM_ADMIN') {
+          redirect('/admin')
+        } else if (role === 'JURY_MEMBER') {
+          redirect('/jury')
+        } else if (role === 'OBSERVER') {
+          redirect('/observer')
+        } else if (role === 'MENTOR') {
+          redirect('/mentor')
+        } else if (role === 'APPLICANT') {
+          redirect('/applicant')
+        }
      }
    }
    // If user doesn't exist in DB, fall through and show auth page