Comprehensive platform review: security fixes, query optimization, UI improvements, and code cleanup

Security (Critical/High): - Fix path traversal bypass in local storage provider (path.resolve + prefix check) - Fix timing-unsafe HMAC comparison (crypto.timingSafeEqual) - Add auth + ownership checks to email API routes (verify-credentials, change-password) - Remove hardcoded secret key fallback in local storage provider - Add production credential check for MinIO (fail loudly if not set) - Remove DB error details from health check response - Add stricter rate limiting on application submissions (5/hour) - Add rate limiting on email availability check (anti-enumeration) - Change getAIAssignmentJobStatus to adminProcedure - Block dangerous file extensions on upload - Reduce project list max perPage from 5000 to 200 Query Optimization: - Optimize analytics getProjectRankings with select instead of full includes - Fix N+1 in mentor.getSuggestions (batch findMany instead of loop) - Use _count for files instead of fetching full file records in project list - Switch to bulk notifications in assignment and user bulk operations - Batch filtering upserts (25 per transaction instead of all at once) UI/UX: - Replace Inter font with Montserrat in public layout (brand consistency) - Use Logo component in public layout instead of placeholder - Create branded 404 and error pages - Make admin rounds table responsive with mobile card layout - Fix notification bell paths to be role-aware - Replace hardcoded slate colors with semantic tokens in admin sidebar - Force light mode (dark mode untested) - Adjust CardTitle default size - Improve muted-foreground contrast for accessibility (A11Y) - Move profile form state initialization to useEffect Code Quality: - Extract shared toProjectWithRelations to anonymization.ts (removed 3 duplicates) - Remove dead code: getObjectInfo, isValidImageSize, unused batch tag functions, debug logs - Remove unused twilio dependency - Remove redundant email index from schema - Add actual storage object deletion when file records are deleted - Wrap evaluation submit + assignment update in - Add comprehensive platform review document Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-05 20:31:08 +01:00
parent a1f32597a0
commit 8d0979e649
35 changed files with 2463 additions and 730 deletions
--- a/src/server/routers/user.ts
+++ b/src/server/routers/user.ts
@@ -243,22 +243,15 @@ export const userRouter = router({
  get: adminProcedure
    .input(z.object({ id: z.string() }))
    .query(async ({ ctx, input }) => {
-      console.log('[user.get] Fetching user:', input.id)
-      try {
-        const user = await ctx.prisma.user.findUniqueOrThrow({
-          where: { id: input.id },
-          include: {
-            _count: {
-              select: { assignments: true, mentorAssignments: true },
-            },
+      const user = await ctx.prisma.user.findUniqueOrThrow({
+        where: { id: input.id },
+        include: {
+          _count: {
+            select: { assignments: true, mentorAssignments: true },
          },
-        })
-        console.log('[user.get] Found user:', user.email)
-        return user
-      } catch (error) {
-        console.error('[user.get] Error fetching user:', input.id, error)
-        throw error
-      }
+        },
+      })
+      return user
    }),

  /**