From a39e27f6ff775764f04e7f56574d348453789453 Mon Sep 17 00:00:00 2001
From: Matt <matt@letsbe.solutions>
Date: Wed, 4 Mar 2026 13:29:39 +0100
Subject: [PATCH] =?UTF-8?q?fix:=20applicant=20portal=20=E2=80=94=20documen?=
 =?UTF-8?q?t=20uploads,=20round=20filtering,=20auth=20hardening?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fix round-specific document uploads (submittedAt no longer blocks uploads),
add view/download buttons for existing files, enforce active-round-only for
uploads/deletes. Harden auth layout and set-password page. Filter applicant
portal rounds by award track membership.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .../(applicant)/applicant/documents/page.tsx  | 63 +++++++++++--
 src/app/(applicant)/applicant/page.tsx        | 20 ++++-
 src/app/(applicant)/applicant/team/page.tsx   |  5 +-
 src/app/(auth)/layout.tsx                     |  5 +-
 src/app/(auth)/set-password/page.tsx          | 12 +--
 src/lib/auth.ts                               | 25 +++++-
 src/lib/storage/index.ts                      | 10 ++-
 src/server/routers/applicant.ts               | 89 +++++++++++++++++--
 8 files changed, 192 insertions(+), 37 deletions(-)

diff --git a/src/app/(applicant)/applicant/documents/page.tsx b/src/app/(applicant)/applicant/documents/page.tsx
index 8b53d45..eed3343 100644
--- a/src/app/(applicant)/applicant/documents/page.tsx
+++ b/src/app/(applicant)/applicant/documents/page.tsx
@@ -3,6 +3,7 @@
 import { useSession } from 'next-auth/react'
 import { trpc } from '@/lib/trpc/client'
 import { Badge } from '@/components/ui/badge'
+import { Button } from '@/components/ui/button'
 import {
   Card,
   CardContent,
@@ -20,6 +21,7 @@ import {
   Video,
   File,
   Download,
+  Eye,
 } from 'lucide-react'
 
 const fileTypeIcons: Record<string, typeof FileText> = {
@@ -42,6 +44,34 @@ const fileTypeLabels: Record<string, string> = {
   SUPPORTING_DOC: 'Supporting Document',
 }
 
+function FileActionButtons({ bucket, objectKey, fileName }: { bucket: string; objectKey: string; fileName: string }) {
+  const { data: viewData } = trpc.file.getDownloadUrl.useQuery(
+    { bucket, objectKey, forDownload: false },
+    { staleTime: 10 * 60 * 1000 }
+  )
+  const { data: dlData } = trpc.file.getDownloadUrl.useQuery(
+    { bucket, objectKey, forDownload: true, fileName },
+    { staleTime: 10 * 60 * 1000 }
+  )
+  const viewUrl = typeof viewData === 'string' ? viewData : viewData?.url
+  const dlUrl = typeof dlData === 'string' ? dlData : dlData?.url
+
+  return (
+    <div className="flex items-center gap-1 shrink-0">
+      <Button variant="ghost" size="sm" className="h-7 px-2 text-xs gap-1" asChild disabled={!viewUrl}>
+        <a href={viewUrl || '#'} target="_blank" rel="noopener noreferrer">
+          <Eye className="h-3 w-3" /> View
+        </a>
+      </Button>
+      <Button variant="ghost" size="sm" className="h-7 px-2 text-xs gap-1" asChild disabled={!dlUrl}>
+        <a href={dlUrl || '#'} download={fileName}>
+          <Download className="h-3 w-3" /> Download
+        </a>
+      </Button>
+    </div>
+  )
+}
+
 export default function ApplicantDocumentsPage() {
   const { status: sessionStatus } = useSession()
   const isAuthenticated = sessionStatus === 'authenticated'
@@ -82,7 +112,7 @@ export default function ApplicantDocumentsPage() {
     )
   }
 
-  const { project, openRounds } = data
+  const { project, openRounds, isRejected } = data
   const isDraft = !project.submittedAt
 
   return (
@@ -98,8 +128,20 @@ export default function ApplicantDocumentsPage() {
         </p>
       </div>
 
+      {/* Rejected banner */}
+      {isRejected && (
+        <Card className="border-destructive/50 bg-destructive/5">
+          <CardContent className="flex items-center gap-3 py-4">
+            <AlertTriangle className="h-5 w-5 text-destructive shrink-0" />
+            <p className="text-sm text-destructive">
+              Your project was not selected to advance. Documents are view-only.
+            </p>
+          </CardContent>
+        </Card>
+      )}
+
       {/* Per-round upload sections */}
-      {openRounds.length > 0 && (
+      {!isRejected && openRounds.length > 0 && (
         <div className="space-y-6">
           {openRounds.map((round: { id: string; name: string; windowCloseAt?: string | Date | null }) => {
             const now = new Date()
@@ -163,18 +205,18 @@ export default function ApplicantDocumentsPage() {
             <div className="space-y-2">
               {project.files.map((file) => {
                 const Icon = fileTypeIcons[file.fileType] || File
-                const fileRecord = file as typeof file & { isLate?: boolean; roundId?: string | null }
+                const fileRecord = file as typeof file & { isLate?: boolean; roundId?: string | null; bucket?: string; objectKey?: string }
 
                 return (
                   <div
                     key={file.id}
                     className="flex items-center justify-between p-3 rounded-lg border"
                   >
-                    <div className="flex items-center gap-3">
-                      <Icon className="h-5 w-5 text-muted-foreground" />
-                      <div>
+                    <div className="flex items-center gap-3 min-w-0">
+                      <Icon className="h-5 w-5 text-muted-foreground shrink-0" />
+                      <div className="min-w-0">
                         <div className="flex items-center gap-2">
-                          <p className="font-medium text-sm">{file.fileName}</p>
+                          <p className="font-medium text-sm truncate">{file.fileName}</p>
                           {fileRecord.isLate && (
                             <Badge variant="warning" className="text-xs gap-1">
                               <AlertTriangle className="h-3 w-3" />
@@ -189,6 +231,13 @@ export default function ApplicantDocumentsPage() {
                         </p>
                       </div>
                     </div>
+                    {fileRecord.bucket && fileRecord.objectKey && (
+                      <FileActionButtons
+                        bucket={fileRecord.bucket}
+                        objectKey={fileRecord.objectKey}
+                        fileName={file.fileName}
+                      />
+                    )}
                   </div>
                 )
               })}
diff --git a/src/app/(applicant)/applicant/page.tsx b/src/app/(applicant)/applicant/page.tsx
index b6b0509..847193a 100644
--- a/src/app/(applicant)/applicant/page.tsx
+++ b/src/app/(applicant)/applicant/page.tsx
@@ -111,7 +111,7 @@ export default function ApplicantDashboardPage() {
     )
   }
 
-  const { project, timeline, currentStatus, openRounds, hasPassedIntake } = data
+  const { project, timeline, currentStatus, openRounds, hasPassedIntake, isRejected } = data
   const programYear = project.program?.year
   const programName = project.program?.name
   const totalEvaluations = evaluations?.reduce((sum, r) => sum + r.evaluationCount, 0) ?? 0
@@ -221,8 +221,23 @@ export default function ApplicantDashboardPage() {
           </Card>
           </AnimatedCard>
 
+          {/* Rejected banner */}
+          {isRejected && (
+            <AnimatedCard index={1}>
+              <Card className="border-destructive/50 bg-destructive/5">
+                <CardContent className="flex items-center gap-3 py-4">
+                  <AlertCircle className="h-5 w-5 text-destructive shrink-0" />
+                  <p className="text-sm text-destructive">
+                    Your project was not selected to advance. Your project space is now read-only.
+                  </p>
+                </CardContent>
+              </Card>
+            </AnimatedCard>
+          )}
+
           {/* Quick actions */}
-          <AnimatedCard index={1}>
+          {!isRejected && (
+          <AnimatedCard index={2}>
             <div className="grid gap-4 sm:grid-cols-2 lg:grid-cols-3">
               <Link href={"/applicant/documents" as Route} className="group flex items-center gap-3 rounded-xl border border-border/60 p-4 transition-all duration-200 hover:-translate-y-0.5 hover:shadow-md hover:border-blue-500/30 hover:bg-blue-500/5">
                 <div className="rounded-xl bg-blue-500/10 p-2.5 transition-colors group-hover:bg-blue-500/20">
@@ -266,6 +281,7 @@ export default function ApplicantDashboardPage() {
               )}
             </div>
           </AnimatedCard>
+          )}
 
           {/* Document Completeness */}
           {docCompleteness && docCompleteness.length > 0 && (
diff --git a/src/app/(applicant)/applicant/team/page.tsx b/src/app/(applicant)/applicant/team/page.tsx
index 953e163..dd0255f 100644
--- a/src/app/(applicant)/applicant/team/page.tsx
+++ b/src/app/(applicant)/applicant/team/page.tsx
@@ -123,6 +123,7 @@ export default function ApplicantProjectPage() {
   const project = dashboardData?.project
   const projectId = project?.id
   const isIntakeOpen = dashboardData?.isIntakeOpen ?? false
+  const isRejected = dashboardData?.isRejected ?? false
 
   const { data: teamData, isLoading: teamLoading, refetch } = trpc.applicant.getTeamMembers.useQuery(
     { projectId: projectId! },
@@ -398,7 +399,7 @@ export default function ApplicantProjectPage() {
                 Everyone on this list can view and collaborate on this project.
               </CardDescription>
             </div>
-            {isTeamLead && (
+            {isTeamLead && !isRejected && (
               <Dialog open={isInviteOpen} onOpenChange={setIsInviteOpen}>
                 <DialogTrigger asChild>
                   <Button size="sm">
@@ -578,7 +579,7 @@ export default function ApplicantProjectPage() {
                   </div>
                 </div>
 
-                {isTeamLead && member.role !== 'LEAD' && teamData.submittedBy?.id !== member.userId && (
+                {isTeamLead && !isRejected && member.role !== 'LEAD' && teamData.submittedBy?.id !== member.userId && (
                   <AlertDialog>
                     <AlertDialogTrigger asChild>
                       <Button variant="ghost" size="icon" className="text-destructive">
diff --git a/src/app/(auth)/layout.tsx b/src/app/(auth)/layout.tsx
index 18e65a2..11eb169 100644
--- a/src/app/(auth)/layout.tsx
+++ b/src/app/(auth)/layout.tsx
@@ -19,13 +19,14 @@ export default async function AuthLayout({
   // Redirect logged-in users to their dashboard
   // But NOT if they still need to set their password
   if (session?.user && !session.user.mustSetPassword) {
-    // Verify user still exists in DB (handles deleted accounts with stale sessions)
+    // Verify user still exists in DB and check onboarding status
     const dbUser = await prisma.user.findUnique({
       where: { id: session.user.id },
-      select: { id: true },
+      select: { id: true, onboardingCompletedAt: true },
     })
 
     if (dbUser) {
+
       const role = session.user.role
       if (role === 'SUPER_ADMIN' || role === 'PROGRAM_ADMIN') {
         redirect('/admin')
diff --git a/src/app/(auth)/set-password/page.tsx b/src/app/(auth)/set-password/page.tsx
index d78463e..ed0acc9 100644
--- a/src/app/(auth)/set-password/page.tsx
+++ b/src/app/(auth)/set-password/page.tsx
@@ -36,17 +36,9 @@ export default function SetPasswordPage() {
       setIsSuccess(true)
       // Update the session to reflect the password has been set
       await updateSession()
-      // Redirect after a short delay
+      // Redirect after a short delay — all roles go to onboarding first
       setTimeout(() => {
-        if (session?.user?.role === 'JURY_MEMBER') {
-          router.push('/jury')
-        } else if (session?.user?.role === 'SUPER_ADMIN' || session?.user?.role === 'PROGRAM_ADMIN') {
-          router.push('/admin')
-        } else if (session?.user?.role === 'APPLICANT') {
-          router.push('/onboarding')
-        } else {
-          router.push('/')
-        }
+        router.push('/onboarding')
       }, 2000)
     },
     onError: (err) => {
diff --git a/src/lib/auth.ts b/src/lib/auth.ts
index 7994600..16262af 100644
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -15,7 +15,19 @@ const LOCKOUT_DURATION_MS = 15 * 60 * 1000 // 15 minutes
 
 export const { handlers, auth, signIn, signOut } = NextAuth({
   ...authConfig,
-  adapter: PrismaAdapter(prisma),
+  adapter: {
+    ...PrismaAdapter(prisma),
+    async useVerificationToken({ identifier, token }: { identifier: string; token: string }) {
+      try {
+        return await prisma.verificationToken.delete({
+          where: { identifier_token: { identifier, token } },
+        })
+      } catch (e) {
+        if ((e as { code?: string }).code === 'P2025') return null
+        throw e
+      }
+    },
+  },
   providers: [
     // Email provider for magic links (used for first login and password reset)
     EmailProvider({
@@ -129,7 +141,7 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
           },
         })
 
-        if (!user || user.status === 'SUSPENDED' || !user.passwordHash) {
+        if (!user || user.status === 'SUSPENDED') {
           // Track failed attempt (don't reveal whether user exists)
           const current = failedAttempts.get(email) || { count: 0, lockedUntil: 0 }
           current.count++
@@ -139,19 +151,24 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
           }
           failedAttempts.set(email, current)
 
-          // Log failed login
+          // Log failed login — real security event
           await prisma.auditLog.create({
             data: {
               userId: null,
               action: 'LOGIN_FAILED',
               entityType: 'User',
-              detailsJson: { email, reason: !user ? 'user_not_found' : user.status === 'SUSPENDED' ? 'suspended' : 'no_password' },
+              detailsJson: { email, reason: !user ? 'user_not_found' : 'suspended' },
             },
           }).catch(() => {})
 
           return null
         }
 
+        if (!user.passwordHash) {
+          // Magic-link user tried credentials form — expected, not a security event
+          return null
+        }
+
         // Verify password
         const isValid = await verifyPassword(password, user.passwordHash)
         if (!isValid) {
diff --git a/src/lib/storage/index.ts b/src/lib/storage/index.ts
index a24084c..3f3b5e0 100644
--- a/src/lib/storage/index.ts
+++ b/src/lib/storage/index.ts
@@ -126,6 +126,14 @@ export function getContentType(fileName: string): string {
  * Validate image file type
  */
 export function isValidImageType(contentType: string): boolean {
-  const validTypes = ['image/jpeg', 'image/png', 'image/gif', 'image/webp']
+  const validTypes = [
+    'image/jpeg',
+    'image/jpg', // non-standard but common browser alias for image/jpeg
+    'image/png',
+    'image/gif',
+    'image/webp',
+    'image/svg+xml',
+    'application/octet-stream', // some browsers send this as a fallback
+  ]
   return validTypes.includes(contentType)
 }
diff --git a/src/server/routers/applicant.ts b/src/server/routers/applicant.ts
index c16ad56..2caa57b 100644
--- a/src/server/routers/applicant.ts
+++ b/src/server/routers/applicant.ts
@@ -20,6 +20,16 @@ function generateInviteToken(): string {
   return crypto.randomBytes(32).toString('hex')
 }
 
+/** Check if a project has been rejected in any round (based on ProjectRoundState, not Project.status) */
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+async function isProjectRejected(prisma: any, projectId: string): Promise<boolean> {
+  const rejected = await prisma.projectRoundState.findFirst({
+    where: { projectId, state: 'REJECTED' },
+    select: { id: true },
+  })
+  return !!rejected
+}
+
 export const applicantRouter = router({
   /**
    * Get submission info for an applicant (by round slug)
@@ -276,6 +286,11 @@ export const applicantRouter = router({
         })
       }
 
+      // Block rejected projects from uploading
+      if (await isProjectRejected(ctx.prisma, input.projectId)) {
+        throw new TRPCError({ code: 'FORBIDDEN', message: 'Your project has been rejected. Uploads are no longer permitted.' })
+      }
+
       // If uploading against a requirement, validate mime type and size
       if (input.requirementId) {
         const requirement = await ctx.prisma.fileRequirement.findUnique({
@@ -303,21 +318,29 @@ export const applicantRouter = router({
 
       let isLate = false
 
-      // Can't upload if already submitted
-      if (project.submittedAt && !isLate) {
+      // Can't upload if already submitted — but only for initial application edits.
+      // Round-specific uploads (business plan, video for later rounds) are allowed
+      // as long as the round is active.
+      if (project.submittedAt && !input.roundId) {
         throw new TRPCError({
           code: 'BAD_REQUEST',
           message: 'Cannot modify a submitted project',
         })
       }
 
-      // Fetch round name for storage path (if uploading against a round)
+      // Fetch round info and verify it's active
       let roundName: string | undefined
       if (input.roundId) {
         const round = await ctx.prisma.round.findUnique({
           where: { id: input.roundId },
-          select: { name: true },
+          select: { name: true, status: true },
         })
+        if (round && round.status !== 'ROUND_ACTIVE') {
+          throw new TRPCError({
+            code: 'BAD_REQUEST',
+            message: 'This round is closed. Documents can no longer be uploaded.',
+          })
+        }
         roundName = round?.name
       }
 
@@ -385,6 +408,11 @@ export const applicantRouter = router({
         })
       }
 
+      // Block rejected projects
+      if (await isProjectRejected(ctx.prisma, input.projectId)) {
+        throw new TRPCError({ code: 'FORBIDDEN', message: 'Your project has been rejected. File changes are no longer permitted.' })
+      }
+
       const { projectId, roundId, isLate, requirementId, ...fileData } = input
 
       // Delete existing file: by requirementId if provided, otherwise by fileType
@@ -459,14 +487,33 @@ export const applicantRouter = router({
         })
       }
 
-      // Can't delete if project is submitted
-      if (file.project.submittedAt) {
+      // Block rejected projects
+      if (await isProjectRejected(ctx.prisma, file.project.id)) {
+        throw new TRPCError({ code: 'FORBIDDEN', message: 'Your project has been rejected. File changes are no longer permitted.' })
+      }
+
+      // Can't delete initial application files after submission
+      if (file.project.submittedAt && !file.roundId) {
         throw new TRPCError({
           code: 'BAD_REQUEST',
           message: 'Cannot modify a submitted project',
         })
       }
 
+      // Round-specific files can only be deleted while the round is active
+      if (file.roundId) {
+        const round = await ctx.prisma.round.findUnique({
+          where: { id: file.roundId },
+          select: { status: true },
+        })
+        if (round && round.status !== 'ROUND_ACTIVE') {
+          throw new TRPCError({
+            code: 'BAD_REQUEST',
+            message: 'This round is closed. Documents can no longer be modified.',
+          })
+        }
+      }
+
       await ctx.prisma.projectFile.delete({
         where: { id: input.fileId },
       })
@@ -809,6 +856,11 @@ export const applicantRouter = router({
         })
       }
 
+      // Block rejected projects
+      if (await isProjectRejected(ctx.prisma, input.projectId)) {
+        throw new TRPCError({ code: 'FORBIDDEN', message: 'Your project has been rejected. Team changes are no longer permitted.' })
+      }
+
       // Check if already a team member
       const existingMember = await ctx.prisma.teamMember.findFirst({
         where: {
@@ -1020,6 +1072,11 @@ export const applicantRouter = router({
         })
       }
 
+      // Block rejected projects
+      if (await isProjectRejected(ctx.prisma, input.projectId)) {
+        throw new TRPCError({ code: 'FORBIDDEN', message: 'Your project has been rejected. Team changes are no longer permitted.' })
+      }
+
       // Can't remove the original submitter
       if (project.submittedByUserId === input.userId) {
         throw new TRPCError({
@@ -1234,7 +1291,7 @@ export const applicantRouter = router({
       }
     }
 
-    const isRejected = currentStatus === 'REJECTED'
+    const isRejected = await isProjectRejected(ctx.prisma, project.id)
     const hasWonAward = project.wonAwards.length > 0
 
     // Build timeline
@@ -1382,9 +1439,10 @@ export const applicantRouter = router({
         isTeamLead,
         userRole: userMembership?.role || (project.submittedByUserId === ctx.user.id ? 'LEAD' : null),
       },
-      openRounds,
+      openRounds: isRejected ? [] : openRounds,
       timeline,
       currentStatus,
+      isRejected,
       hasPassedIntake: !!passedIntake,
       isIntakeOpen: !!activeIntakeRound,
       logoUrl,
@@ -1442,9 +1500,12 @@ export const applicantRouter = router({
             select: { configJson: true },
           })
         : []
+      const navProjectRejected = await isProjectRejected(ctx.prisma, project.id)
       hasEvaluationRounds = closedEvalRounds.some((r) => {
         const parsed = EvaluationConfigSchema.safeParse(r.configJson)
-        return parsed.success && parsed.data.applicantVisibility.enabled
+        if (!parsed.success || !parsed.data.applicantVisibility.enabled) return false
+        if (parsed.data.applicantVisibility.hideFromRejected && navProjectRejected) return false
+        return true
       })
     }
 
@@ -1746,11 +1807,16 @@ export const applicantRouter = router({
       }>
     }> = []
 
+    const projectIsRejected = await isProjectRejected(ctx.prisma, project.id)
+
     for (let i = 0; i < evalRounds.length; i++) {
       const round = evalRounds[i]
       const parsed = EvaluationConfigSchema.safeParse(round.configJson)
       if (!parsed.success || !parsed.data.applicantVisibility.enabled) continue
 
+      // Skip this round if hideFromRejected is on and the project has been rejected
+      if (parsed.data.applicantVisibility.hideFromRejected && projectIsRejected) continue
+
       const vis = parsed.data.applicantVisibility
 
       // Get evaluations via assignments — NEVER select userId or user relation
@@ -1991,6 +2057,11 @@ export const applicantRouter = router({
         throw new TRPCError({ code: 'FORBIDDEN', message: 'You are not a member of this project' })
       }
 
+      // Block rejected projects
+      if (await isProjectRejected(ctx.prisma, input.projectId)) {
+        throw new TRPCError({ code: 'FORBIDDEN', message: 'Your project has been rejected. Logo changes are no longer permitted.' })
+      }
+
       return getImageUploadUrl(
         input.projectId,
         input.fileName,