Comprehensive platform review: security fixes, query optimization, UI improvements, and code cleanup

Security (Critical/High): - Fix path traversal bypass in local storage provider (path.resolve + prefix check) - Fix timing-unsafe HMAC comparison (crypto.timingSafeEqual) - Add auth + ownership checks to email API routes (verify-credentials, change-password) - Remove hardcoded secret key fallback in local storage provider - Add production credential check for MinIO (fail loudly if not set) - Remove DB error details from health check response - Add stricter rate limiting on application submissions (5/hour) - Add rate limiting on email availability check (anti-enumeration) - Change getAIAssignmentJobStatus to adminProcedure - Block dangerous file extensions on upload - Reduce project list max perPage from 5000 to 200 Query Optimization: - Optimize analytics getProjectRankings with select instead of full includes - Fix N+1 in mentor.getSuggestions (batch findMany instead of loop) - Use _count for files instead of fetching full file records in project list - Switch to bulk notifications in assignment and user bulk operations - Batch filtering upserts (25 per transaction instead of all at once) UI/UX: - Replace Inter font with Montserrat in public layout (brand consistency) - Use Logo component in public layout instead of placeholder - Create branded 404 and error pages - Make admin rounds table responsive with mobile card layout - Fix notification bell paths to be role-aware - Replace hardcoded slate colors with semantic tokens in admin sidebar - Force light mode (dark mode untested) - Adjust CardTitle default size - Improve muted-foreground contrast for accessibility (A11Y) - Move profile form state initialization to useEffect Code Quality: - Extract shared toProjectWithRelations to anonymization.ts (removed 3 duplicates) - Remove dead code: getObjectInfo, isValidImageSize, unused batch tag functions, debug logs - Remove unused twilio dependency - Remove redundant email index from schema - Add actual storage object deletion when file records are deleted - Wrap evaluation submit + assignment update in - Add comprehensive platform review document Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-05 20:31:08 +01:00
parent a1f32597a0
commit 8d0979e649
35 changed files with 2463 additions and 730 deletions
--- a/src/app/(settings)/settings/profile/page.tsx
+++ b/src/app/(settings)/settings/profile/page.tsx
@@ -1,6 +1,6 @@
 'use client'

-import { useState } from 'react'
+import { useState, useEffect } from 'react'
 import { useRouter } from 'next/navigation'
 import { signOut } from 'next-auth/react'
 import { trpc } from '@/lib/trpc/client'
@@ -73,15 +73,17 @@ export default function ProfileSettingsPage() {
  const [deleteDialogOpen, setDeleteDialogOpen] = useState(false)

  // Populate form when user data loads
-  if (user && !profileLoaded) {
-    setName(user.name || '')
-    const meta = (user.metadataJson as Record<string, unknown>) || {}
-    setBio((meta.bio as string) || '')
-    setPhoneNumber(user.phoneNumber || '')
-    setNotificationPreference(user.notificationPreference || 'EMAIL')
-    setExpertiseTags(user.expertiseTags || [])
-    setProfileLoaded(true)
-  }
+  useEffect(() => {
+    if (user && !profileLoaded) {
+      setName(user.name || '')
+      const meta = (user.metadataJson as Record<string, unknown>) || {}
+      setBio((meta.bio as string) || '')
+      setPhoneNumber(user.phoneNumber || '')
+      setNotificationPreference(user.notificationPreference || 'EMAIL')
+      setExpertiseTags(user.expertiseTags || [])
+      setProfileLoaded(true)
+    }
+  }, [user, profileLoaded])

  const handleSaveProfile = async () => {
    try {